[thelist] ASP, HTTP_REFERRER, Session questions

Beau Hartshorne beau at members.evolt.org
Sat Sep 22 14:28:30 CDT 2001

I read the article you referred to. The article was trying to deter
programmers from storing recordsets in application and session
variables. Thanks to feedback from other list members, I know a little
more about some of the bad habits session variables and
response.redirects can let you fall into.

Here's my refined logic so far (with most of the response.redirects and
session variables removed):

On every page, there a string is generated like this:

Dim strCurrentPage,strCurrentQueryString
strCurrentPage = "ReferringPage=" & _
strCurrentQueryString = Request.ServerVariables("QUERY_STRING")
If strCurrentQueryString <> "" Then
	strCurrentPage = strCurrentPage & "&" & strCurrentQueryString
End If

This gets passed to the login script like this:

<a href="login.asp?<%=strCurrentPage%>">Login</a><br>

So when a user clicks on that link and goes to the login page, the login
page is fed with a querystring. This querystring is immediately stored
in a variable that gets used later. Before I spoke with thelist, I had
separated the login.asp page and the authentication.asp page -- as I had
seen in a book that I just bought. Now, everything is handled on the
login.asp page. There are no more response.redirects back and forth, and
there are no more session variables that carry errors or strCurrentPage.
I've basically cut it down to this:

Session.Contents("UserName") = strUserName
Session.Contents("Password") = strPassword

So there are two session variables, containing small strings. These are
be the only two session variables that will be used throughout the site.
Everything else is handled with querystrings, and method="post". If I
have time, I will design the sections of the site that require a login
to still be functional without cookies -- they will just need to login
every time they access a protected page. I am not going to store the
username or password in a querystring and pass it around the site. It's
not secure, and it's a real headache to code.

I think I'll be returning the book to the store. I've found the online
resources to be much more useful.



> Is there a reason why you used Querystrings instead of Form. 
> (i.e. POST instead of GET?)?
> That way, you don't have to deal with the tremendous overhead 
> of sessions.
> See this article:
> Databases and Sessions.... Just Say No! 
> http://www.learnasp.com/learn/nodbsession.asp
> HTH,
> Don 
> Makoviney
> MAKOVISION.com - Handpicked News For Internet Developers 

FREE Usability/WebDev Newsletter - Twice Weekly

For unsubscribe and other options, including
the Tip Harvester and archive of TheList go to: http://lists.evolt.org
Workers of the Web, evolt ! 

More information about the thelist mailing list