[thelist] More ASP problems - Checking for cookie existence

Michele Foster michele at wordpro.on.ca
Fri Jan 31 18:12:03 CST 2003


----- Original Message -----
From: "Joshua Olson" <joshua at waetech.com>
> > Response.cookies ("var_ContactID")=Validate_RS("ContactID")
> >
> > Set the cookie based on their contact ID from the recordset.  Then, each
> > page thereafter, I
>
> One possible gotcha with this technique is that someone could log in
> legitimately (and hence get a valid cookie) and then change the cookie to
> someone else's var_ContactID.  One way around this would be to encode the
> value in some form or fashion.
>

Joshua,

ok .. great .. valid point. While I don't think the probability is high ..
it might be worthwhile doing anyway.  One way that would be "easy" .. is to
change my primary key (autonum) from a long int to a replication ID (Access
2k .. one day hopefully moved to ms sql).  However .. this would present a
major problem in as much as there's already 20K records in the DB .. and all
relationships will be messed if I change the datatype.  I could, however,
add another field and set that as the replication ID .. and then in my
cookie store both my contact id and this new one .. and validate both on
each page after log in.

Does this sound reasonable .. or were you thinking of other ways?  Keep in
mind .. this database already exists .. is a huge, difficult to manage beast
;)  "Encoding the value" ... I've no idea how to do that.

Mich
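
The two-value check proposed in the message above, sketched as an added example (not code from the thread, and in Python rather than ASP so it runs stand-alone). A random token column stands in for the replication ID; the Contacts table, the ContactToken column, the var_ContactToken cookie and all rows are hypothetical.

```python
import hmac
import secrets
import sqlite3

def make_db():
    """In-memory stand-in for the existing table; the rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Contacts (ContactID INTEGER PRIMARY KEY, "
               "Name TEXT, ContactToken TEXT NOT NULL)")
    for cid, name in [(1001, "alice"), (1002, "bob")]:
        # Added column: one unguessable value per row; primary keys untouched.
        db.execute("INSERT INTO Contacts VALUES (?, ?, ?)",
                   (cid, name, secrets.token_hex(16)))
    return db

def login_cookies(db, contact_id):
    """Cookies to set after a successful login: the id plus its token."""
    row = db.execute("SELECT ContactToken FROM Contacts WHERE ContactID = ?",
                     (contact_id,)).fetchone()
    return {"var_ContactID": str(contact_id), "var_ContactToken": row[0]}

def validate(db, cookies):
    """Per-page check: return the ContactID only if both cookies match one row."""
    cid = cookies.get("var_ContactID", "")
    token = cookies.get("var_ContactToken", "")
    if not (cid.isascii() and cid.isdigit()):
        return None
    row = db.execute("SELECT ContactToken FROM Contacts WHERE ContactID = ?",
                     (int(cid),)).fetchone()
    # Constant-time comparison of the stored token against the cookie value.
    if row is None or not hmac.compare_digest(row[0].encode(), token.encode()):
        return None
    return int(cid)

def demo():
    db = make_db()
    cookies = login_cookies(db, 1001)
    # Same token, but the id edited to another contact's: must be rejected.
    tampered = dict(cookies, var_ContactID="1002")
    return validate(db, cookies), validate(db, tampered)

if __name__ == "__main__":
    print(demo())
```

The check holds only as long as the second value cannot be guessed, which is why the token here comes from a CSPRNG.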




