[thelist] ASP, HTTP_REFERRER, Session questions
aardvark
roselli at earthlink.net
Fri Sep 21 00:16:49 CDT 2001
> From: "Beau Hartshorne" <beau at cubeinc.ca>
>
> I am developing a login script. They hit login, which posts the info
> to an Authentication script. If authenticated, I wanted users to be
> Response.Redirect(ed) back to the page they were originally coming
> from (the page they clicked the login link from), *querystring* and
> all. It seems like Request.ServerVariables("HTTP_REFERER") is the best
> way to find out where a user came from. My concern is that if someone
> comes from another site, say Google, and goes directly to the login
> script they will be redirected back to Google once they are
> authenticated. To prevent this, my thinking was to check the string
> returned by HTTP_REFERER and search for the site's domain. If the
> site's domain (foobar.com) was found in the HTTP_REFERER string, then
> the script will redirect users to the page they came from. If
> foobar.com was not found in the HTTP_REFERER string, then they get
> redirected back to the site's index.asp page.
>
> Here's what a sample HTTP_REFERER string looks like:
> http://www.foobar.com/news.asp?id=1
>
> Is there a better way to do this?
the referrer is an imperfect way to implement this...
instead, i'd try writing the name/path of the current page into a
hidden field in that form (if the form exists on every page, you could
be done already)...
if the form exists on another page, pass that original path/file name
as part of the query string, and then write it into a hidden field...
so (this is all pseudo-code):
<a href="/login.asp?frompage=<%= Request.ServerVariables("SCRIPT_NAME") %>">login</a>
that links to your login page, which has this hidden field:
<input type="hidden" name="frompage" value="<%= Server.HTMLEncode(Request("frompage")) %>">
now, if you use response.redirect (although if you have the latest
version of ASP, you should use the transfer method), you can
process the form like so:
IF variable = "login" THEN
response.redirect Request("frompage")
ELSE
response.write "Loser"
END IF
play around, you can build the full URL, or just use the root-relative
from SCRIPT_NAME and you should be fine...
> The other question I had was about performance. I've got about 3-5
> session variables (containing things like passwords, user names, error
> messages, HTTP_REFERER strings, etc). I expect that the site will
> peak at around 5000 user sessions per hour once the site goes live.
> Will I crush that poor shared Win2000 server with all those session
> variables?
dunno, what are the specs? how much you storing? what else is
happening on that box? most likely you'll be fine...
> I read one of rudy's old posts about Access database performance, and
> it's made me confident that with that many users I shouldn't get more
> than a few concurrent connections. I've been pretty careful about
> using objConn.close and Set objConn = nothing when I'm done with the
> connection object, but I haven't gone as far as storing everything
> into two dimensional arrays instead of objRS objects. The database is
> primarily used for a forum, which only peaks at around 2000 or so user
> sessions an hour.
regardless of how well you manage your connections to Access,
once the Access file itself gets reasonably large, it'll start to fail as
a viable solution...
i've seen it chunk up at 2meg, and i've seen it chunk up at 12meg,
but it doesn't take long if you have a lot of content....
just a thought...
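
Added example, not part of the original message: because frompage arrives from the browser, the authentication script can confirm it is a root-relative path on the same site before redirecting, which also covers the question's concern about users being sent off to another site. IsLocalPath and SafeReturnPath are hypothetical helper names, and /index.asp is the fallback page named in the question.

```vbscript
<%
' Added example (not from the original post). IsLocalPath and
' SafeReturnPath are hypothetical helpers for the frompage redirect.

' True only for a root-relative path on this site, such as the
' SCRIPT_NAME value written into the frompage field.
Function IsLocalPath(ByVal target)
    Dim i, code
    IsLocalPath = False
    If Len(target) = 0 Then Exit Function
    ' Must begin with a single "/": this excludes absolute URLs
    ' ("http://...") and scheme-relative ones ("//host/...").
    If Left(target, 1) <> "/" Then Exit Function
    If Mid(target, 2, 1) = "/" Then Exit Function
    ' Browsers may treat "\" like "/", so refuse it anywhere.
    If InStr(target, "\") > 0 Then Exit Function
    ' Refuse control characters; CR/LF in a redirect target could
    ' break out of the Location header.
    For i = 1 To Len(target)
        code = AscW(Mid(target, i, 1))
        If (code >= 0 And code < 32) Or code = 127 Then Exit Function
    Next
    IsLocalPath = True
End Function

' Returns candidate when it is a local path, otherwise fallback.
Function SafeReturnPath(ByVal candidate, ByVal fallback)
    If IsLocalPath(candidate) Then
        SafeReturnPath = candidate
    Else
        SafeReturnPath = fallback
    End If
End Function

' In the authentication script, once the credential check has passed.
' Appending "" turns a missing frompage value into an empty string.
Response.Redirect SafeReturnPath(Request("frompage") & "", "/index.asp")
%>
```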