[thelist] Cookies and Session state for Authentication

Ken Schaefer ken at adOpenStatic.com
Thu May 13 20:32:23 CDT 2004


If ASP.NET is an option, I would use that.

ASP.NET has transparent support for cookie-less sessions. It automatically
embeds the sessionID in the URL, and uses an ISAPI filter to pre-process the
incoming URLs to extract the session information.

Session data can be stored in-proc (like Classic ASP), SQL Server, or in a
separate ASPSessionState service (which allows you to run multiple processes
on IIS6.0 - aka a web garden, or to recycle a worker process without losing
all your session information).

There are a few issues with using session information embedded in URLs, but
these can be coded around.

Cheers
Ken

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "pouncyisdead" <pouncy_1 at hotmail.com>
Subject: [thelist] Cookies and Session state for Authentication


Hello all,

I am trying to build an authenication system that works for the largest
possible group of users/browsers, but provides easy updates of user info for
my team. I'm on an IIS box, using ASP for scripting. VB.net is also an
option.

Right now I'm using cookies, but I'm running into trouble when a client that
doesn't accept cookies tries to login with a valid user/pass combo. The page
has no way of maintaining/passing state.

What is the best combination of cookies, sessions or anything else for
browsers with high privacy settings, when trying to maintain state?



More information about the thelist mailing list