Solved

How to avoid duplicate sessions when not using cookies

Posted on 2004-09-13
Last Modified: 2008-03-17
Hi Experts

I have a site that maintains session via session IDs appended to URLs. When a visitor arrives on the site for the first time, a session is assigned.

The problem I have is this: the first page visited has no session ID in the URL, as none has been assigned yet. But, if this page is returned to via the Back button, depending on the visitor's cache setting, the browser requests the page again from the server, which (because it carries no sessionID), assumes it is a new session. This is distorting my stats.

What is the best way to handle this? I have thought about using response.redirect ... to assign the ID and then redirect the browser to the landing page, this time with a url that contains the session ID, but I am concerned that bad things might happen, such as browsers complaining about the redirect for security reasons, or search engines thinking I am trying to bait and switch.

Anyone got any ideas?

P.S. please assume cookies are off limits.
Question by:metalaureate
20 Comments
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12049517
What I do is set the session variable when the user authenticates, and then use an include file at the top of each page to verify that all is well. That way, you don't have to worry about querystrings and etc.

FtB
0
 
LVL 31

Expert Comment

by:alorentz
ID: 12049525
Why on earth are you passing session id in the URL, there's no need!  The session id is always available on the server.  To pass session id in the URL is absolutely a security risk and you should not do it.
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12049528
So, when the user logs in, then I do:

dim bolAuthenticated
Session("bolAuthenticated") = "Yes"


Then I have an include file with this in it:

sub IsAuthorized()
      'In the authenticate.asp, a successful login will create a session variable
      'bolAuthenticated and set it to "Yes". This subroutine, which appears at the top
      'of each page, ensures that the user has authentication

      if (not Session("bolAuthenticated")="Yes") then
            response.redirect("logout.asp")
      end if
end sub

and then I just call the sub at the top of each page.

FtB
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12049538
I have also extended this when necessary to hold a second variable for the level of user. That way, you can have different levels of access based on the user level

FtB
0
 

Author Comment

by:metalaureate
ID: 12049539
To alorentz: the Session ID is not available if you have session management turned off on IIS, which I have to do.
0
 
LVL 31

Expert Comment

by:alorentz
ID: 12049540
As soon as the session starts, a session id is available all the time, without the need for URL passing.  Just use the Session.SessionID to track via session id.
0
 

Author Comment

by:metalaureate
ID: 12049548
SessionID is dependent on cookies. I can't use cookies; sessionID is not available.
0
 
LVL 46

Accepted Solution

by:
fritz_the_blank earned 400 total points
ID: 12049551
If you want to stay with what you have, use the client side location.replace(). That way, the user will not be able to go back with the back button.

FtB
0
 
LVL 31

Assisted Solution

by:alorentz
alorentz earned 100 total points
ID: 12049555
Then disallow the back button, so as to not deal with that problem.  On every page you don't want to allow back, just use javascript:

<script>
history.forward();
</script>

So, no matter what they do, the Back will not work (javascript enabled of course)
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12049569
For details on my suggestion regarding location.replace() please see:

http://www.devguru.com/Technologies/ecmascript/quickref/location.html

replace Method
The replace method replaces the current History entry with the specified URL. After calling the replace method, you cannot navigate back to the previous URL using the browser's Back button.
 
Syntax: location.replace(URL)
 
FtB
0
 

Author Comment

by:metalaureate
ID: 12049571
Disabling "Back" is not an option--too invasive.

Intrigued by location.replace, that turns every landing page into a double-access.

What is wrong with my solution, using a response.redirect ... ?
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12049575
When you do the response.redirect, it is still possible to use the back button.

FtB
0
 
LVL 31

Expert Comment

by:alorentz
ID: 12049583
>>Disabling "Back" is not an option--too invasive.

You're only doing it on the start page, which you don't want them to go back to anyway... what is the invasiveness?
0
 
LVL 31

Expert Comment

by:alorentz
ID: 12049599
Otherwise, you're out of luck if you want to prevent them from going back.  You have to prevent it....
0
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12049617
About your idea of the response.redirect: that would work really well if you could tell that there was already an in place when the back button was pressed: you would just interrogate the query string for the id value, and if it were there, do the redirect, otherwise, assign an id. I don't see how that can be done, however, so that is why I recommend the location.replace().

FtB
0
 
LVL 31

Expert Comment

by:alorentz
ID: 12050005
Any luck?
0
 
LVL 6

Expert Comment

by:Mike_Metro
ID: 12053942
Try this on the home/default page.  This will create the Session ID for any user who doesn't already have one using location.reload so you can't go back.  The ID is created before you leave the page, so when you go back you will be on the correct page.

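<%
' No SessionID in the URL yet: assign one, then replace this history entry
' with the URL that carries it.
If Request.QueryString("SessionID") = "" Then
  Dim NewID

  ' Placeholder value; a real page needs a unique, hard-to-guess ID per visitor.
  NewID = 100

  Response.Write "<script>location.replace('Default.asp?SessionID=" & NewID & "');</script>"
  Response.End
End If
%>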
0
 

Author Comment

by:metalaureate
ID: 12055168
Thanks everyone.
0
 

Author Comment

by:metalaureate
ID: 12057070
Ok, here is my solution: use Last-Modified and Expires headers to make my homepage cache like a static page. Now, when the back button is pressed, only the cached version is served with the Expires period.

0
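A sketch of the header approach described in the comment above, as an added example that is not code from the thread: the landing page assigns an ID on the first hit and marks that response as cacheable by the visitor's browser only. `CACHE_MINUTES`, `UTC_OFFSET_HOURS`, the `NewSessionId` helper and `products.asp` are assumptions; the `SessionID` parameter follows the earlier comment, and IDs arriving in the URL are assumed to be validated by the site's own code.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Assumed values for this sketch; neither appears in the thread.
Const CACHE_MINUTES = 20     ' window in which Back reuses the cached copy
Const UTC_OFFSET_HOURS = 0   ' server local time minus GMT, in hours

' Format a server-local time as an HTTP date, e.g. "Mon, 13 Sep 2004 10:00:00 GMT".
Function HttpDate(localTime)
    Dim t, days, months
    t = DateAdd("h", -UTC_OFFSET_HOURS, localTime)
    days = Array("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
    months = Array("Jan", "Feb", "Mar", "Apr", "May", "Jun", _
                   "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
    HttpDate = days(Weekday(t) - 1) & ", " & Right("0" & Day(t), 2) & " " & _
               months(Month(t) - 1) & " " & Year(t) & " " & _
               Right("0" & Hour(t), 2) & ":" & Right("0" & Minute(t), 2) & ":" & _
               Right("0" & Second(t), 2) & " GMT"
End Function

' Stand-in for the site's own ID routine (hypothetical helper). A GUID is
' unique but not guaranteed unpredictable; production IDs need a CSPRNG.
Function NewSessionId()
    Dim typeLib
    Set typeLib = Server.CreateObject("Scriptlet.TypeLib")
    NewSessionId = Replace(Mid(typeLib.Guid, 2, 36), "-", "")
    Set typeLib = Nothing
End Function

Dim sid
sid = Request.QueryString("SessionID")
If sid = "" Then
    ' First hit: assign an ID and let the browser keep this response.
    sid = NewSessionId()
    ' "private" keeps the page out of shared proxy caches, which would
    ' otherwise serve one visitor's session links to everyone behind them.
    Response.CacheControl = "private"
    Response.Expires = CACHE_MINUTES
    Response.AddHeader "Last-Modified", HttpDate(Now())
End If
%>
<html>
<body>
<a href="products.asp?SessionID=<%= Server.URLEncode(sid) %>">Products</a>
</body>
</html>
```

Keep `CACHE_MINUTES` no longer than the session lifetime, so a copy restored by Back never carries links to an ID the server has already expired.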
 
LVL 46

Expert Comment

by:fritz_the_blank
ID: 12060317
Glad to have helped,

FtB
0
