ASP???????

morphy

well i cant believe in what i had heard!!!
ASP saves session data client side!!!!!!!!!!
i cant believe!!!
is it true?
if yes: ahahahahahhah 🙂))))

[deleted]

If it were true, it would only mean that aps session data is slower and limited to a max size, that' all.
Nothing that requires ten exclamation marks.

morphy

i think if its true it needs hundreds of exlamation marks for security problems....

[deleted]

It's all down to how you write your program.
If you use cookies, you'd never ever store passwords in cookies. PHP sessions are a little more secure as they are server side, but everyone using the same webserver who has the ability to put PHP scripts there can read the sessions.

hawleyj

The only thing it stores client side in a cookie is a Session ID, sounds familiar, doesn't it? It actually enhances security because the Session ID is checked to match the Session ID on the server, ensuring the client is exactly who he says he is. All other info is located server side and is not available to the client except through calls in the script that I would write.

If cookies are turned off then this one piece is omitted. Again, sounds familiar, doesn't it?

ASP is a powerful tool, and although I would prefer to use PHP at work, I do appreciate and embrace its session handling features. Everything that PHP 4 has introduced in sessions is leading to the power that ASP already uses.

The most powerful piece I believe is the Session_Start and Session_End features. I can automatically have things happen without having to recode it in every page through these features.

Jim Hawley

[deleted]

"It actually enhances security because the Session ID is checked to match the Session ID on the server, ensuring the client is exactly who he says he is."

How? The very point of storing the sessionid on the client side is to be able to identify a user to the server.

hawleyj

<snip>

vincent wrote:

"It actually enhances security because the Session ID is checked to match the Session ID on the server, ensuring the client is exactly who he says he is."

How? The very point of storing the sessionid on the client side is to be able to identify a user to the server.

</snip>

Exactly! Thats what I said. If the session ID is stored in a cookie, it enhances security because the Session ID is checked to match the Session ID on the server, ensuring the client is exactly who he says he is.

jeh

[deleted]

But you make it sound asif the server compares the sessionid stored on the client with a sessionid stored on the server, and that is a technically nearly-impossible.

hawleyj

how's that? If I have a cookie with SessionID 12345678 and I make a request to the server, it checks my SessionID 12345678 against the sessionID stored on the server 12345678 and match.

Did I miss something in the manual when it explained this same process under PHP sessions? My understanding of PHP is that it stores the SessionID variable in a cookie client side to match against the server SessionID. If cookies are turned off, it is carried by means of a query string. Or did I not read that right? Since I am still grappling with the requirement to start a session on each page versus a session that is carried throughout automatically until ended or time out, maybe I misunderstood.

jeh

[deleted]

HTTP is a stateless protocol, no connection is left open between the server and the client. Therefore, the server cannot ever remember anything about a client without the client telling the server who he is.

So, all the server can do is read the sessionid from the client (cookie or url), and fetch the data that belongs to the session with that ID. It does not check the received sessionid with a sessionid stored on the server, because it cannot know which sessionid belongs to that client without the client telling the server which sessionid to use. After all the sessionid was invented to be able to recognise clients in the first place.

I cannot imagine ASP doing anything else, because these are the limitations of HTTP.

hawleyj

Okay, ya got me. Just did some checking and contrary to what they showed me in school (hey, they were MS instructors, what can I say), cookies are integral to the success of sessions under IIS. Unlike PHP which will pass the sessionID through a query string if cookies are turned off, there are no such vehicles in IIS/asp.

Still, the bottom line up front is that the only thing carries in that cookie is the ID, not session variables.

I defer. Thanks for the discussion though, enjoyed it.

jeh

[deleted]

Victory is mine! :-) yee! (pats himself on the back, well done boy)

But, the important thing is that ASP does not store all session data on the client, which was the original claim by morphy.