[thelist] Cookies and Session state for Authentication

Scott Dexter dexilalolai at yahoo.com
Thu May 13 16:51:18 CDT 2004


> 
> For this reason, we use session variables and make sure that
> session.timeout = -5000 (never expires). When logging out, there is a
> hidden page

HOLY SH-T you're asking for trouble. How much data are you storing in
your Session collection per user? How busy is the site? Ever check
IIS's memory usage during busy times? What if the user never hits the
hidden page (i.e. never logs out)? What if 1000 users never log out?

I agree that the auth and session state should not be in the client's
hands. Store it in a db. Database, database, database. Combined with
the session id in the query string as needed (browsers that don't
have cookies, or, if you want simple, /all/ browsers regardless), I'd
say you're good to go.


Scott
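
The point Scott is making, as an added illustration that is not part of the original thread: a server-side session store that never expires grows with every login that is not followed by a logout, whereas a store with an idle timeout and a periodic purge stays bounded. The thread is about IIS and the classic ASP Session collection; the example below is a language-agnostic stand-in in Python using SQLite as the "database" Scott recommends. Everything here (the table layout, the 20-minute idle timeout, the `FakeClock`, the user names) is assumed for the example. The session id is an opaque random token; if it travels in the query string as Scott suggests, remember it will appear in server logs and Referer headers, so treat those as sensitive.

```python
import secrets
import sqlite3
import time

# Assumed idle timeout for the example; the quoted post set the session to never expire.
IDLE_TIMEOUT_SECONDS = 20 * 60


class FakeClock:
    """Constructed clock so the example can advance time deterministically."""

    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


class DbSessionStore:
    """Server-side session store backed by SQLite (in-memory here, a real DB in practice).

    idle_timeout=None reproduces the "never expires" configuration from the thread;
    any positive number of seconds gives a bounded store.
    """

    def __init__(self, path=":memory:", idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self.conn = sqlite3.connect(path)
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS sessions ("
            "sid TEXT PRIMARY KEY, user_id TEXT NOT NULL, last_seen REAL NOT NULL)"
        )

    def create(self, user_id):
        # 256 bits from the OS CSPRNG; the client only ever holds this opaque token.
        sid = secrets.token_urlsafe(32)
        self.conn.execute(
            "INSERT INTO sessions VALUES (?, ?, ?)", (sid, user_id, self.clock())
        )
        self.conn.commit()
        return sid

    def lookup(self, sid):
        """Return the user id for a live session, or None (expired sessions are dropped)."""
        row = self.conn.execute(
            "SELECT user_id, last_seen FROM sessions WHERE sid = ?", (sid,)
        ).fetchone()
        if row is None:
            return None
        user_id, last_seen = row
        now = self.clock()
        if self.idle_timeout is not None and now - last_seen > self.idle_timeout:
            self.destroy(sid)
            return None
        # Sliding expiry: every authenticated request refreshes last_seen.
        self.conn.execute("UPDATE sessions SET last_seen = ? WHERE sid = ?", (now, sid))
        self.conn.commit()
        return user_id

    def destroy(self, sid):
        """What the logout page should do; works whether or not the client cooperates."""
        self.conn.execute("DELETE FROM sessions WHERE sid = ?", (sid,))
        self.conn.commit()

    def purge_expired(self):
        """Background sweep for users who never hit the logout page. Returns rows removed."""
        if self.idle_timeout is None:
            return 0  # never-expire configuration: nothing is ever reclaimed
        cutoff = self.clock() - self.idle_timeout
        cur = self.conn.execute("DELETE FROM sessions WHERE last_seen < ?", (cutoff,))
        self.conn.commit()
        return cur.rowcount

    def count(self):
        return self.conn.execute("SELECT COUNT(*) FROM sessions").fetchone()[0]


def simulate_abandoned_logins(n_users, idle_timeout):
    """n_users log in, none log out, a day passes, the sweep runs; return sessions left."""
    clock = FakeClock()
    store = DbSessionStore(idle_timeout=idle_timeout, clock=clock)
    for i in range(n_users):
        store.create(f"user{i}")  # constructed user ids
    clock.advance(24 * 3600)
    store.purge_expired()
    return store.count()


if __name__ == "__main__":
    print("never expires:", simulate_abandoned_logins(1000, None), "sessions after a day")
    print("20 min idle:  ", simulate_abandoned_logins(1000, IDLE_TIMEOUT_SECONDS), "sessions after a day")
```

Running the module prints 1000 leftover sessions for the never-expire configuration and 0 for the idle-timeout one, which is the "what if 1000 users never log out" case from the post made concrete; in a real deployment the sweep would be a scheduled job against the shared database, not an in-process call.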

