[thelist] ASP, HTTP_REFERRER, Session questions

aardvark roselli at earthlink.net
Fri Sep 21 00:16:49 CDT 2001

> From: "Beau Hartshorne" <beau at cubeinc.ca>
> I am developing a login script. They hit login, which posts the info
> to an Authentication script. If authenticated, I wanted users to be
> Response.Redirect(ed) back to the page they were originally coming
> from (the page they clicked the login link from), *querystring* and
> all. It seems like Request.ServerVariables("HTTP_REFERER") is the best
> way to find out where a user came from. My concern is that if someone
> comes from another site, say Google, and goes directly to the login
> script they will be redirected back to Google once they are
> authenticated. To prevent this, my thinking was to check the string
> returned by HTTP_REFERER and search for the site's domain. If the
> site's domain (foobar.com) was found in the HTTP_REFERER string, then
> the script will redirect users to the page they came from. If
> foobar.com was not found in the HTTP_REFERER string, then they get
> redirected back to the site's index.asp page.
> Here's what a sample HTTP_REFERER string looks like:
> http://www.foobar.com/news.asp?id=1
> Is there a better way to do this?

the referrer is an imperfect way to implement this...

instead, i'd try writing the name/path of the current page into a 
hidden field in that form (if the form exists on every page, you could 
be done already)...

if the form exists on another page, pass that original path/file name 
as part of the query string, and then write it into a hidden field...

so (this is all pseudo-code):
<a href="/login.asp?frompage=<% = 
Request.ServerVariables("SCRIPT_NAME") %>

that links to your login page, which has this hidden field:

<input type="hidden" name="frompage" value="<% = 
Request("frompage") %>">

now, if you use response.redirect (although if you have the latest 
version of ASP, you should use the transfer method), you can 
process the form like so:

IF variable = "login" THEN
	response.redirect Request("frompage")
	response.write "Loser"

play around, you can build the full URL, or just use the root-relative 
from SCRIPT_NAME and you should be fine...

> The other question I had was about performance. I've got about 3-5
> session variables (containing things like passwords, user names, error
> messages, HTTP_REFERRER strings, etc). I expect that the site will
> peak at around 5000 user sessions per hour once the site goes live.
> Will I crush that poor shared Win2000 server with all those session
> variables?

dunno, what are the specs?  how much you storing?  what else is 
happening on that box?  most likely you'll be fine...

> I read one of rudy's old posts about Access database performance, and
> it's made me confident that with that many users I shouldn't get more
> than a few concurrent connections. I've been pretty careful about
> using objConn.close and Set objConn = nothing when I'm done with the
> connection object, but I haven't gone as far as storing everything
> into two dimensional arrays instead of objRS objects. The database is
> primarily used for a forum, which only peaks at around 2000 or so user
> sessions an hour.

regardless of how well you manage your connections to Access, 
once the Access file itself gets reasonably large, it'll start to fail as 
a viable solution...

i've seen it chunk up at 2meg, and i've seen it chunk up at 12meg, 
but it doesn't take long if you have a lot of content....

just a thought...

More information about the thelist mailing list