The concept of using your own SessionID
on 26.10.2005 13:16:49 by Laphan
Hi All
Just been looking through the excellent ASPFaq site and wanted to discuss
Aaron's (??) comments re better to create your own session ID rather than
use ASP classic's in-built one and then use this through various posts and
gets to keep the state.
Only issue I've got with this is that won't this number, which to me looks
like it will be sequential, be picked up by would-be hacker and used in
his/her http pandemonium to try and hack other people's sessions. With them
seeing it in the querystring and forms they will surely pick up on it and
play with it, whereas the in-built session ID can be relatively invisible.
I'm probably completely wrong with this, but I would really like to get to
grips with the concept as I too am trying to find a cast-iron way to manage
session state between http and https sites as the user flips between the 2,
probably at lightning speed!!
Thanks
Laphan
Re: The concept of using your own SessionID
on 26.10.2005 17:27:22 by Chris Hohmann
"Laphan" wrote in message
news:OS08I7h2FHA.1188@TK2MSFTNGP12.phx.gbl...
> Hi All
>
> Just been looking through the excellent ASPFaq site and wanted to discuss
> Aaron's (??) comments re better to create your own session ID rather than
> use ASP classic's in-built one and then use this through various posts and
> gets to keep the state.
>
> Only issue I've got with this is that won't this number, which to me looks
> like it will be sequential, be picked up by would-be hacker and used in
> his/her http pandemonium to try and hack other people's sessions. With them
> seeing it in the querystring and forms they will surely pick up on it and
> play with it, whereas the in-built session ID can be relatively invisible.
>
> I'm probably completely wrong with this, but I would really like to get to
> grips with the concept as I too am trying to find a cast-iron way to manage
> session state between http and https sites as the user flips between the 2,
> probably at lightning speed!!
>
> Thanks
>
> Laphan
Please include the article number and/or a link when referencing an ASPFaq
article. Here's the article I think you're talking about:
http://aspfaq.com/show.asp?id=2054
A closer reading of the article would reveal that Aaron is not advocating
the roll-your-own database session method. He is simply opining that said
method is the best/simplest alternative when the session mechanism built
into ASP is not suitable; for example when the pointy-haired-boss says so.
Also note that the article never mentions _sequential_ identifiers. While
identity columns are usually sequential by default, most databases support
some form of randomized identifier, whether that be the random auto-number
in Access, the globally unique identifier in SQL Server or whatever
implementations exist on other platforms.
--
May you be touched by His noodly appendage. RAmen.
http://venganza.org
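An added example, not from the thread or the ASPFaq article: a roll-your-own database session store of the kind being discussed, with Python's sqlite3 standing in for the SQL Server/Access table. The row still has a sequential identity column for the database's own use, but the value the client carries in the querystring or form is a separate random 128-bit token (the role a GUID column plays in SQL Server), so neighbouring sessions cannot be enumerated. The table and column names and SESSION_TTL are assumptions.

```python
import secrets
import sqlite3
import time

SESSION_TTL = 20 * 60  # seconds; assumed value, matches nothing in the thread


def open_store():
    """Create the session table in an in-memory database (constructed for the example)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE Sessions (
               RowId    INTEGER PRIMARY KEY AUTOINCREMENT,  -- sequential identity: internal only
               Token    TEXT NOT NULL UNIQUE,               -- random 128-bit value the client carries
               UserName TEXT NOT NULL,
               Expires  REAL NOT NULL)"""
    )
    return db


def create_session(db, user, now=None):
    """Insert a session row and return the unguessable token to send to the client."""
    now = time.time() if now is None else now
    token = secrets.token_hex(16)  # 16 bytes from the OS CSPRNG, not a counter
    db.execute(
        "INSERT INTO Sessions (Token, UserName, Expires) VALUES (?, ?, ?)",
        (token, user, now + SESSION_TTL),
    )
    return token


def lookup_session(db, token, now=None):
    """Return the user for a presented token, or None if unknown or expired."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT UserName, Expires FROM Sessions WHERE Token = ?", (token,)
    ).fetchone()
    if row is None or row[1] < now:
        return None  # unknown token and stale token are treated the same
    return row[0]


def end_session(db, token):
    """Delete the row on logout; returns the number of rows removed (0 or 1)."""
    return db.execute("DELETE FROM Sessions WHERE Token = ?", (token,)).rowcount
```

Whichever host (http or https) receives the token, the lookup is the same database query, so the token is the only thing that has to survive the hop between the two parts of the site.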
Re: The concept of using your own SessionID
on 26.10.2005 21:55:52 by Laphan
Hi Chris
Thanks for the response. OK, I may not have completely taken in what Aaron
is suggesting, but you can see it from my point of view can't you?
The site does appear to work OK, I just want to make sure that I'm using the
most cast iron approach I can when tracking state back and forth between the
http and https parts of the site.
Rgds Laphan