[thelist] ASP, HTTP_REFERRER, Session questions

Beau Hartshorne beau at members.evolt.org
Fri Sep 21 23:40:09 CDT 2001


I followed everyone's advice, and reprogrammed the login/authentication
script to work with querystrings. I've kept only the username and
password in Session variables, because if I leave them in the
querystring (even if I hash them) someone else could sit down after them
in a shared lab, click the history button, and go back a few steps -
voila, back to
http://www.foobar.com/protected.asp?USR=username&PWD=hashedpassword.
With sessions, users can click on a log out button to destroy their
session variables.

If I get some time, I'll even work it so that if a user has cookies
turned off, instead of being shut out they'll just have to enter their
username and password each time they go to some protected page.

I'm not quite sold on Server.Transfer VS Response.Redirect. Are there
cases where Response.Redirect simply does not work?

Thanks again,

Beau

aardvark wrote:

> the reason i remanded the URL variable to the query string and
> hidden fields is because it's completely friendly for all browsers,
> as opposed to just cookied or sessioned (making up new words)
> browsers...
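
A URL of the form quoted in the message above persists outside browser history as well: web servers write it to access logs and browsers send it in the Referer header. The following is an added example, not part of the original post, that scans Combined Log Format lines for credential-bearing query strings and redacts them. The log lines are constructed, and the parameter names other than USR and PWD are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Parameter names treated as credentials. USR and PWD come from the URL in the
# post; the others are assumed common variants.
SENSITIVE = {"usr", "pwd", "user", "username", "pass", "password"}

# Combined Log Format: request line, status, size, referer (user agent ignored).
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)"'
)

def credential_params(url):
    """Return the sorted names of credential-like query parameters in url."""
    query = urlsplit(url).query
    return sorted({k for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE})

def redact(url):
    """Return url with the values of credential-like parameters replaced."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan(lines):
    """Yield (line_no, field, param_names, redacted_url) for each leak found."""
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        # Check both the requested URL and the Referer the browser sent.
        for field in ("target", "referer"):
            names = credential_params(m.group(field))
            if names:
                yield no, field, names, redact(m.group(field))

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '192.0.2.10 - - [21/Sep/2001:23:40:09 -0500] "GET /protected.asp?USR=alice&PWD=5f4dcc3b HTTP/1.1" 200 512 "-" "Mozilla/4.0"',
    '192.0.2.10 - - [21/Sep/2001:23:41:00 -0500] "GET /logo.gif HTTP/1.1" 200 99 "http://www.foobar.com/protected.asp?USR=alice&PWD=5f4dcc3b" "Mozilla/4.0"',
    '192.0.2.11 - - [21/Sep/2001:23:42:00 -0500] "POST /login.asp HTTP/1.1" 302 0 "http://www.foobar.com/login.asp" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```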




