  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 215

How to avoid duplicate sessions when not using cookies

Hi Experts

I have a site that maintains session via session IDs appended to URLs. When a visitor arrives on the site for the first time, a session is assigned.

The problem I have is this: the first page visited has no session ID in the URL, as none has been assigned yet. But, if this page is returned to via the Back button, depending on the visitor's cache setting, the browser requests the page again from the server, which (because it carries no sessionID), assumes it is a new session. This is distorting my stats.

What is the best way to handle this? I have thought about using response.redirect ... to assign the ID and then redirect the browser to the landing page, this time with a URL that contains the session ID, but I am concerned that bad things might happen, such as browsers complaining about the redirect for security reasons, or search engines thinking I am trying to bait and switch.

Anyone got any ideas?

P.S. please assume cookies are off limits.
0
Asked by: metalaureate
2 Solutions
 
fritz_the_blank Commented:
What I do is set the session variable when the user authenticates, and then use an include file at the top of each page to verify that all is well. That way, you don't have to worry about querystrings, etc.

FtB
0
 
alorentz Commented:
Why on earth are you passing session id in the URL? There's no need! The session id is always available on the server. To pass session id in the URL is absolutely a security risk and you should not do it.
0
 
fritz_the_blank Commented:
So, when the user logs in, then I do:

dim bolAuthenticated
Session("bolAuthenticated") = "Yes"


Then I have an include file with this in it:

sub IsAuthorized()
      'In the authenticate.asp, a successful login will create a session variable
      'bolAuthenticated and set it to "Yes". This subroutine, which is called at the top
      'of each page, ensures that the user is authenticated

      if (not Session("bolAuthenticated")="Yes") then
            response.redirect("logout.asp")
      end if
end sub

and then I just call the sub at the top of each page.

FtB
0
 
fritz_the_blank Commented:
I have also extended this when necessary to hold a second variable for the level of user. That way, you can have different levels of access based on the user level

FtB
0
 
metalaureate (Author) Commented:
To alorentz: the Session ID is not available if you have session management turned off on IIS, which I have to do.
0
 
alorentz Commented:
As soon as the session starts, a session id is available all the time, without the need for URL passing.  Just use the Session.SessionID to track via session id.
0
 
metalaureate (Author) Commented:
SessionID is dependent on cookies. I can't use cookies; sessionID is not available.
0
 
fritz_the_blank Commented:
If you want to stay with what you have, use the client side location.replace(). That way, the user will not be able to go back with the back button.

FtB
0
 
alorentz Commented:
Then disallow the back button, so as to not deal with that problem.  On every page you don't want to allow back, just use javascript:

<script>
history.forward();
</script>

So, no matter what they do, the Back will not work (javascript enabled of course)
0
 
fritz_the_blank Commented:
For details on my suggestion regarding location.replace() please see:

http://www.devguru.com/Technologies/ecmascript/quickref/location.html

replace Method
The replace method replaces the current History entry with the specified URL. After calling the replace method, you cannot navigate back to the previous URL using the browser's Back button.
 
Syntax: location.replace(URL)
 
FtB
0
 
metalaureate (Author) Commented:
Disabling "Back" is not an option--too invasive.

Intrigued by location.replace, that turns every landing page into a double-access.

What is wrong with my solution, using a response.redirect ... ?
0
 
fritz_the_blank Commented:
When you do the response.redirect, it is still possible to use the back button.

FtB
0
 
alorentz Commented:
>>Disabling "Back" is not an option--too invasive.

You're only doing it on the start page, which you don't want them to go back to anyway... what is the invasiveness?
0
 
alorentz Commented:
Otherwise, you're out of luck if you want to prevent them from going back.  You have to prevent it....
0
 
fritz_the_blank Commented:
About your idea of the response.redirect: that would work really well if you could tell that there was already an in place when the back button was pressed: you would just interrogate the query string for the id value, and if it were there, do the redirect, otherwise, assign an id. I don't see how that can be done, however, so that is why I recommend the location.replace().

FtB
0
 
alorentz Commented:
Any luck?
0
 
Mike_Metro Commented:
Try this on the home/default page.  This will create the Session ID for any user who doesn't already have one using location.reload so you can't go back.  The ID is created before you leave the page, so when you go back you will be on the correct page.

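<%
' No SessionID in the query string yet: assign one, then have the browser
' replace the current history entry with the URL that carries it.
If Request.QueryString("SessionID") = "" Then
  Dim NewID

  NewID = 100  ' fixed value as posted; stands in for the site's own ID generation

  Response.Write "<script>location.replace('Default.asp?SessionID=" & NewID & "');</script>"
  Response.End
End If
%>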
0
 
metalaureate (Author) Commented:
Thanks everyone.
0
 
metalaureate (Author) Commented:
Ok, here is my solution: use Last-Modified and Expires headers to make my homepage cache like a static page. Now, when the back button is pressed, only the cached version is served with the Expires period.

0
 
fritz_the_blank Commented:
Glad to have helped,

FtB
0
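
Added example, not code from any poster in this thread: a landing-page handler combining the SessionID-in-query-string assignment and the Last-Modified/Expires caching discussed above, hardened so that a SessionID from the URL is honoured only if the server issued it and the cached page stays in the visitor's own browser cache. It is written in Node.js JavaScript rather than the thread's classic ASP; `landingPage`, `resolveSession`, the in-memory `Map` store, the 20-minute lifetime and `Page2.asp` are assumptions made for the example.

```javascript
const { randomBytes } = require("node:crypto");

const SESSION_TTL_MS = 20 * 60 * 1000; // assumed session lifetime

// Return the session for this request. A SessionID taken from the URL is
// accepted only when this server issued it and it has not expired; any other
// value (missing, guessed, planted in a link) is discarded and replaced.
function resolveSession(query, store, now) {
  const id = query.SessionID;
  const rec = typeof id === "string" ? store.get(id) : undefined;
  if (rec && rec.expires > now) {
    rec.expires = now + SESSION_TTL_MS; // sliding expiry
    return { id, isNew: false };
  }
  if (typeof id === "string") store.delete(id); // drop an expired record
  const fresh = randomBytes(16).toString("hex"); // 128-bit unpredictable ID
  store.set(fresh, { expires: now + SESSION_TTL_MS });
  return { id: fresh, isNew: true };
}

// Build the landing-page response. The page embeds the session ID in its
// links, so it is cacheable by the visitor's browser only ("private"), never
// by a shared proxy that could hand one visitor's ID to another.
function landingPage(query, store, now = Date.now()) {
  const { id, isNew } = resolveSession(query, store, now);
  return {
    status: 200,
    sessionId: id,
    isNew, // count a new visit in the stats only when this is true
    headers: {
      "Cache-Control": `private, max-age=${SESSION_TTL_MS / 1000}`,
      "Expires": new Date(now + SESSION_TTL_MS).toUTCString(),
      "Last-Modified": new Date(now).toUTCString(),
      // Keep the ID in the URL out of Referer headers sent to other sites.
      "Referrer-Policy": "no-referrer",
    },
    // Page2.asp is a hypothetical next page; the ID is hex, safe to embed.
    body: `<a href="Page2.asp?SessionID=${id}">Continue</a>`,
  };
}
```
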
