How to avoid duplicate sessions when not using cookies

Hi Experts

I have a site that maintains session via session IDs appended to URLs. When a visitor arrives on the site for the first time, a session is assigned.

The problem I have is this: the first page visited has no session ID in the URL, as none has been assigned yet. But, if this page is returned to via the Back button, depending on the visitor's cache setting, the browser requests the page again from the server, which (because it carries no sessionID) assumes it is a new session. This is distorting my stats.

What is the best way to handle this? I have thought about using response.redirect ... to assign the ID and then redirect the browser to the landing page, this time with a URL that contains the session ID, but I am concerned that bad things might happen, such as browsers complaining about the redirect for security reasons, or search engines thinking I am trying to bait and switch.

Anyone got any ideas?

P.S. please assume cookies are off limits.
Asked by metalaureate
2 Solutions
 
fritz_the_blank commented:
What I do is set the session variable when the user authenticates, and then use an include file at the top of each page to verify that all is well. That way, you don't have to worry about querystrings and etc.

FtB
alorentz commented:
Why on earth are you passing session id in the URL, there's no need!  The session id is always available on the server.  To pass session id in the URL is absolutely a security risk and you should not do it.
fritz_the_blank commented:
So, when the user logs in, then I do:

dim bolAuthenticated
Session("bolAuthenticated") = "Yes"


Then I have an include file with this in it:

Sub IsAuthorized()
      'In authenticate.asp, a successful login creates a session variable
      'bolAuthenticated and sets it to "Yes". This subroutine, which is called at the top
      'of each page, ensures that the user has authenticated; anyone else is sent to logout.asp.

      If Not Session("bolAuthenticated") = "Yes" Then
            Response.Redirect("logout.asp")
      End If
End Sub

and then I just call the sub at the top of each page.

FtB
fritz_the_blank commented:
I have also extended this when necessary to hold a second variable for the level of user. That way, you can have different levels of access based on the user level

FtB
metalaureate (Author) commented:
To alorentz: the Session ID is not available if you have session management turned off on IIS, which I have to do.
alorentz commented:
As soon as the session starts, a session id is available all the time, without the need for URL passing.  Just use the Session.SessionID to track via session id.
metalaureate (Author) commented:
SessionID is dependent on cookies. I can't use cookies; sessionID is not available.
fritz_the_blank commented:
If you want to stay with what you have, use the client side location.replace(). That way, the user will not be able to go back with the back button.

FtB
alorentz commented:
Then disallow the back button, so as to not deal with that problem.  On every page you don't want to allow back, just use javascript:

<script>
history.forward();
</script>

So, no matter what they do, the Back will not work (javascript enabled, of course).
fritz_the_blank commented:
For details on my suggestion regarding location.replace() please see:

http://www.devguru.com/Technologies/ecmascript/quickref/location.html

replace Method
The replace method replaces the current History entry with the specified URL. After calling the replace method, you cannot navigate back to the previous URL using the browser's Back button.
 
Syntax: location.replace(URL)
 
FtB
metalaureate (Author) commented:
Disabling "Back" is not an option--too invasive.

Intrigued by location.replace, that turns every landing page into a double-access.

What is wrong with my solution, using a response.redirect ... ?
fritz_the_blank commented:
When you do the response.redirect, it is still possible to use the back button.

FtB
alorentz commented:
>>Disabling "Back" is not an option--too invasive.

You're only doing it on the start page, which you don't want them to go back to anyway... what is the invasiveness?
alorentz commented:
Otherwise, you're out of luck if you want to prevent them from going back.  You have to prevent it....
fritz_the_blank commented:
About your idea of the response.redirect: that would work really well if you could tell that there was already an in place when the back button was pressed: you would just interrogate the query string for the id value, and if it were there, do the redirect, otherwise, assign an id. I don't see how that can be done, however, so that is why I recommend the location.replace().

FtB
alorentz commented:
Any luck?
Mike_Metro commented:
Try this on the home/default page.  This will create the Session ID for any user who doesn't already have one using location.reload so you can't go back.  The ID is created before you leave the page, so when you go back you will be on the correct page.

<%
' Only visitors arriving without a SessionID in the query string get a new one.
If Request.QueryString("SessionID") = "" Then
  Dim NewID

  NewID = 100  ' placeholder value; substitute your own ID generation here

  ' Replace the current history entry so Back cannot return to the ID-less URL.
  Response.Write "<script>location.replace('Default.asp?SessionID=" & NewID & "');</script>"
  Response.End
End If
%>
metalaureate (Author) commented:
Thanks everyone.
metalaureate (Author) commented:
Ok, here is my solution: use Last-Modified and Expires headers to make my homepage cache like a static page. Now, when the back button is pressed, only the cached version is served within the Expires period.

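Combining Mike_Metro's landing-page check with the author's cache-header approach, here is an added Python example (not code from this thread, and not an ASP page): a landing-page handler that mints a random ID for first-time visitors, redirects once to the same URL carrying it, and serves known sessions with cache headers so Back replays the cached copy. The in-memory ISSUED_IDS set, the handle_landing name and the (status, headers, body) return shape are assumptions; the ID format is secrets.token_urlsafe output instead of the thread's placeholder 100.

```python
import re
import secrets
from urllib.parse import parse_qs, urlencode

# Assumed in-memory stand-in for whatever store records the IDs this server
# has handed out. Accepting only IDs we issued ourselves means a visitor cannot
# arrive with an ID of their own choosing (a session-fixation mitigation).
ISSUED_IDS = set()
ID_RE = re.compile(r"^[A-Za-z0-9_-]{32}$")  # shape of token_urlsafe(24)


def new_session_id():
    """Mint an unguessable ID and remember that we issued it."""
    sid = secrets.token_urlsafe(24)  # 24 random bytes -> 32 URL-safe chars
    ISSUED_IDS.add(sid)
    return sid


def handle_landing(path, query_string):
    """Return (status, headers, body) for a request to the landing page."""
    params = parse_qs(query_string)
    sid = params.get("SessionID", [""])[0]
    if sid and ID_RE.match(sid) and sid in ISSUED_IDS:
        # Known session: serve the page and let the browser keep a private
        # copy, so the Back button replays the cache instead of re-requesting
        # (the author's Expires-style fix). Suppressing the Referer keeps the
        # URL-borne ID from leaking to third-party sites linked from the page.
        headers = [
            ("Content-Type", "text/html"),
            ("Cache-Control", "private, max-age=600"),
            ("Referrer-Policy", "no-referrer"),
        ]
        return 200, headers, "<p>Welcome, session " + sid + "</p>"

    # No ID, a malformed ID, or one we never issued: treat as a new visitor,
    # mint an ID and redirect to the same page carrying it (Mike_Metro's
    # approach, done with a 302 instead of client-side script). The redirect
    # itself must never be cached, or a cached 302 would replay one ID to
    # every later visitor. Count only the 200 responses in visit statistics.
    sid = new_session_id()
    location = path + "?" + urlencode({"SessionID": sid})
    headers = [("Location", location), ("Cache-Control", "no-store")]
    return 302, headers, ""
```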
fritz_the_blank commented:
Glad to have helped,

FtB