Solved

How to avoid duplicate sessions when not using cookies

Posted on 2004-09-13
Last Modified: 2008-03-17
Hi Experts

I have a site that maintains session via session IDs appended to URLs. When a visitor arrives on the site for the first time, a session is assigned.

The problem I have is this: the first page visited has no session ID in the URL, as none has been assigned yet. But, if this page is returned to via the Back button, depending on the visitor's cache setting, the browser requests the page again from the server, which (because it carries no sessionID), assumes it is a new session. This is distorting my stats.

What is the best way to handle this? I have thought about using response.redirect ... to assign the ID and then redirect the browser to the landing page, this time with a URL that contains the session ID, but I am concerned that bad things might happen, such as browsers complaining about the redirect for security reasons, or search engines thinking I am trying to bait and switch.

Anyone got any ideas?

P.S. please assume cookies are off limits.
Question by:metalaureate
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12049517
What I do is set the session variable when the user authenticates, and then use an include file at the top of each page to verify that all is well. That way, you don't have to worry about querystrings and etc.

FtB
LVL 31

Expert Comment

by:alorentz
ID: 12049525
Why on earth are you passing the session id in the URL? There's no need!  The session id is always available on the server.  To pass the session id in the URL is absolutely a security risk and you should not do it.
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12049528
So, when the user logs in, then I do:

dim bolAuthenticated
Session("bolAuthenticated") = "Yes"


Then I have an include file with this in it:

sub IsAuthorized()
      'In the authenticate.asp, a successful login will create a session variable
      'bolAuthenticated and set it to true. This subroutine, which appears at the top
      'of each page, ensures that the user has authentication

      if (not Session("bolAuthenticated")="Yes") then
            response.redirect("logout.asp")
      end if
end sub

and then I just call the sub at the top of each page.

FtB
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12049538
I have also extended this when necessary to hold a second variable for the level of user. That way, you can have different levels of access based on the user level

FtB

Author Comment

by:metalaureate
ID: 12049539
To alorentz: the Session ID is not available if you have session management turned off on IIS, which I have to do.
LVL 31

Expert Comment

by:alorentz
ID: 12049540
As soon as the session starts, a session id is available all the time, without the needs for URL passing.  Just use the Session.SessionID to track via session id.

Author Comment

by:metalaureate
ID: 12049548
SessionID is dependent on cookies. I can't use cookies; sessionID is not available.
LVL 46

Accepted Solution

by:fritz_the_blank (earned 400 total points)
ID: 12049551
If you want to stay with what you have, use the client side location.replace(). That way, the user will not be able to go back with the back button.

FtB
LVL 31

Assisted Solution

by:alorentz (earned 100 total points)
ID: 12049555
Then disallow the back button, so as to not deal with that problem.  On every page you don't want to allow back, just use javascript:

<script>
history.forward();
</script>

So, no matter what they do, the Back will not work (javascript enabled of course)
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12049569
For details on my suggestion regarding location.replace() please see:

http://www.devguru.com/Technologies/ecmascript/quickref/location.html

replace Method
The replace method replaces the current History entry with the specified URL. After calling the replace method, you cannot navigate back to the previous URL using the browser's Back button.
 
Syntax: location.replace(URL)
 
FtB

Author Comment

by:metalaureate
ID: 12049571
Disabling "Back" is not an option--too invasive.

Intrigued by location.replace, that turns every landing page into a double-access.

What is wrong with my solution, using a response.redirect ... ?
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12049575
When you do the response.redirect, it is still possible to use the back button.

FtB
LVL 31

Expert Comment

by:alorentz
ID: 12049583
>>Disabling "Back" is not an option--too invasive.

You're only doing it on the start page, which you don't want them to go back to anyway... what is the invasiveness?
LVL 31

Expert Comment

by:alorentz
ID: 12049599
Otherwise, you're out of luck if you want to prevent them from going back.  You have to prevent it....
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12049617
About your idea of the response.redirect: that would work really well if you could tell that there was already an ID in place when the back button was pressed: you would just interrogate the query string for the id value, and if it were there, do the redirect, otherwise, assign an id. I don't see how that can be done, however, so that is why I recommend the location.replace().

FtB
LVL 31

Expert Comment

by:alorentz
ID: 12050005
Any luck?
LVL 6

Expert Comment

by:Mike_Metro
ID: 12053942
Try this on the home/default page.  This will create the Session ID for any user who doesn't already have one using location.reload so you can't go back.  The ID is created before you leave the page, so when you go back you will be on the correct page.

<%
If Request.QueryString("SessionID") = "" Then
  Dim NewID
  ' Placeholder value: a real deployment must issue an unpredictable ID,
  ' since an ID carried in the URL ends up in history, logs and Referer headers
  NewID = 100
  ' location.replace() swaps the current history entry for the ID-bearing URL,
  ' so the Back button does not return to the ID-less landing page
  Response.Write "<script>location.replace('Default.asp?SessionID=" & NewID & "');</script>"
  Response.End
End If
%>

Author Comment

by:metalaureate
ID: 12055168
Thanks everyone.

Author Comment

by:metalaureate
ID: 12057070
Ok, here is my solution: use Last-Modified and Expires headers to make my homepage cache like a static page. Now, when the back button is pressed, only the cached version is served within the Expires period.

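The two approaches in this thread, Mike_Metro's location.replace() bootstrap on the landing page and the asker's cache headers, can be combined on the server side. The following is an added Python sketch of that landing-page logic, not the thread's ASP code and not anything the participants posted: it models the handler as a function so the behaviour can be exercised offline. It assumes the landing page name Default.asp from Mike_Metro's snippet, uses a constructed in-memory set as the record of issued IDs (a stand-in for whatever store the real site uses), replaces the placeholder NewID = 100 with a CSPRNG token, accepts only IDs the server itself issued so a crafted or pasted link cannot plant an ID, and expresses the Last-Modified/Expires idea as a Cache-Control max-age on the ID-bearing page.

```python
import re
import secrets
from dataclasses import dataclass, field

# Shape of the IDs issued below: 32 random bytes, base64url-encoded (43 chars).
SESSION_ID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")
LANDING_URL = "Default.asp"  # assumed landing page name, taken from the thread


@dataclass
class Response:
    status: int
    headers: dict
    body: str
    session_id: str
    is_new: bool  # True when this request caused a new session to be issued


@dataclass
class LandingPage:
    # Constructed in-memory record of IDs this server issued; only these are
    # accepted from the query string.
    issued: set = field(default_factory=set)
    new_sessions: int = 0  # the figure the asker's stats are built on

    def _issue_id(self) -> str:
        # A CSPRNG token rather than a counter: an ID in a URL is visible in
        # history, logs and Referer headers, so it must at least be unguessable.
        sid = secrets.token_urlsafe(32)
        self.issued.add(sid)
        self.new_sessions += 1
        return sid

    def handle(self, query: dict) -> Response:
        sid = query.get("SessionID", "")
        if SESSION_ID_RE.match(sid) and sid in self.issued:
            # Known session: serve the page and let the browser cache it for a
            # while, so Back is satisfied from cache instead of a new request.
            headers = {
                "Cache-Control": "private, max-age=600",
                # keep the URL-borne ID out of Referer headers sent to other sites
                "Referrer-Policy": "no-referrer",
            }
            return Response(200, headers, "<html>session %s</html>" % sid, sid, False)

        # No ID, or an ID this server never issued (a pasted or crafted link):
        # mint a fresh one and replace the ID-less history entry with the
        # ID-bearing URL, the bootstrap Mike_Metro's snippet performs.
        sid = self._issue_id()
        body = "<script>location.replace('%s?SessionID=%s');</script>" % (LANDING_URL, sid)
        headers = {"Cache-Control": "no-store"}  # the bootstrap itself is never cached
        return Response(200, headers, body, sid, True)


if __name__ == "__main__":
    page = LandingPage()
    first = page.handle({})
    again = page.handle({"SessionID": first.session_id})
    print(first.body)
    print(again.status, again.headers, "new sessions:", page.new_sessions)
```

Only IDs the server generated are interpolated into the script tag, which is what keeps the Response.Write pattern from the thread free of injection; a well-formed but unissued ID is treated exactly like a missing one, so the stats counter only moves when the server itself minted a session.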
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12060317
Glad to have helped,

FtB