[thelist] More ASP problems - Checking for cookie existence

Michele Foster michele at wordpro.on.ca
Fri Jan 31 09:24:01 CST 2003


----- Original Message -----
From: "Martyn Haigh" <martyn.haigh at virgincosmetics.com>

<massive snipping>

> I would personally change a bit of your code here.  Instead of using
> cookies - I would use a session var.  Cookies are a bit of a security risk - if
> one of your legit users is using a shared computer and they forget to log off
> your system properly - someone else could compromise your system and
> pretend to be that user.  But that's your decision.
>

Jumping in the middle here .. as this caught my attention.

What I'm doing ..

Once the user is validated against my user table, I

    ' store the contact ID from the validated recordset in a cookie
    Response.Cookies("var_ContactID") = Validate_RS("ContactID")

Set the cookie based on their contact ID from the recordset.  Then, each
page thereafter, I

    var_ContactID = Request.Cookies("var_ContactID")
    ' cookie missing (or expired): send the user back to the login page
    If var_ContactID = "" Then
        Response.Clear
        Response.Redirect "login.asp"
    End If

Verify that the user is logged in .. if not I redirect them to the login
page.

I did this as outlined in the Wrox ASP 3.0 book we have at the office.  Now,
I'm questioning the statement above, that if the user doesn't log off
properly, someone else could pretend to be them.  However, my cookie is
timing out .. I'm guessing 20 mins, as I don't set the time .. just use the
default.  After the specified time, I can't get back to any of the "inside"
pages ... I'm automatically redirected to the login page.

So .. can you explain why setting a cookie is bad?  I can see your point, if
it's within the specified timeout (20 mins) then yeah .. someone "could"
pretend to be the user in question .. but that case isn't highly probable
(IMHO of course).

Should I be doing something else?  Note, I'm not storing credit cards .. I
am, however, storing confidential job application like info .. the idea that
two people at a public library would be filling out the same site is pretty
remote .. for this client.

TIA,

Michele
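The session-variable version of the same check, written out as an added example rather than code from either poster: the ContactID lives in server-side session state keyed by the ASPSESSIONID cookie IIS issues, so the ID itself is never sent to the browser, an idle session is discarded by IIS after Session.Timeout, and a logout page can drop it immediately with Session.Abandon instead of waiting for the timeout. Validate_RS is the recordset from the original post; the sub names and file split are assumed.

```vbscript
<%
' ---- login.asp, after the user is validated against the user table ----
Sub StartSession(contactID)
    Session.Timeout = 20                  ' minutes of inactivity before IIS discards the session (the default)
    Session("ContactID") = contactID      ' e.g. StartSession Validate_RS("ContactID")
End Sub

' ---- checklogin.asp, included at the top of every "inside" page ----
Sub RequireLogin()
    ' Session("ContactID") is Empty when never set or when the session expired
    If IsEmpty(Session("ContactID")) Or Session("ContactID") = "" Then
        Response.Clear
        Response.Redirect "login.asp"     ' Redirect ends processing of this page
    End If
End Sub

' ---- logout.asp, what "logging off properly" does on a shared computer ----
Sub EndSession()
    Session.Contents.Remove "ContactID"
    Session.Abandon                       ' server-side state is gone now, not after 20 minutes
    Response.Redirect "login.asp"
End Sub
%>
```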





More information about the thelist mailing list