ISAPI filter session variable

on 01.04.2008 11:59:38 by Walter Sobchak

I'd like to include a session id for every user that has authenticated
to the site. I know I can do it with cookies but I would like to know is
there a better way?
The user doesn't have to have cookies enabled and it may not be that secure.

The basic idea is that there will be a login page and then the realpage
after the user has logged in. When the user authenticates I want to
write a session id and include it in a header. If the user is requesting
something from the realpage then his session id is checked with the
cached session id. If the session ids match the user is authorized to
continue.

Thanks for any suggestions!

Re: ISAPI filter session variable

on 01.04.2008 15:17:02 by David Wang

On Apr 1, 2:59 am, Walter Sobchak wrote:
> I'd like to include a session id for every user that has authenticated
> to the site. I know I can do it with cookies but I would like to know is
> there a better way?
> The user doesn't have to have cookies enabled and it may not be that secure.
>
> The basic idea is that there will be a login page and then the realpage
> after the user has logged in. When the user authenticates I want to
> write a session id and include it in a header. If the user is requesting
> something from the realpage then his session id is checked with the
> cached session id. If the session ids match the user is authorized to
> continue.
>
> Thanks for any suggestions!


Look at how ASP.Net implements cookie-less session using an ISAPI
Filter.

Why don't you just use the built-in Forms authentication of ASP.Net
instead of creating your own? You will need to understand how HTTP
works and how a secured authentication protocol works, and until you
have those two details completely nailed, implementing it as ISAPI
Filter will not be easy.


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Re: ISAPI filter session variable

on 02.04.2008 09:07:12 by Walter Sobchak

Thanks for the answer. I don't know what is the best way to do this, but
my assignment is to write a filter.
I understand that ASP.NET implements cookieless sessions by writing the
session id in the url.
I suppose it could be done that way in the filter, but I doubt that
significantly improves security (session id is visible in the browser).

Is there some other way to do this using ISAPI Filter?



David Wang wrote:
> On Apr 1, 2:59 am, Walter Sobchak wrote:
>> I'd like to include a session id for every user that has authenticated
>> to the site. I know I can do it with cookies but I would like to know is
>> there a better way?
>> The user doesn't have to have cookies enabled and it may not be that secure.
>>
>> The basic idea is that there will be a login page and then the realpage
>> after the user has logged in. When the user authenticates I want to
>> write a session id and include it in a header. If the user is requesting
>> something from the realpage then his session id is checked with the
>> cached session id. If the session ids match the user is authorized to
>> continue.
>>
>> Thanks for any suggestions!
>
>
> Look at how ASP.Net implements cookie-less session using an ISAPI
> Filter.
>
> Why don't you just use the built-in Forms authentication of ASP.Net
> instead of creating your own? You will need to understand how HTTP
> works and how a secured authentication protocol works, and until you
> have those two details completely nailed, implementing it as ISAPI
> Filter will not be easy.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //

Re: ISAPI filter session variable

on 04.04.2008 10:22:28 by David Wang

I cannot think of any other implementation route.

There is no difference in security between a Session ID stored in the
URL or Header (Cookie).


//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//




On Apr 2, 12:07 am, Walter Sobchak wrote:
> Thanks for the answer. I don't know what is the best way to do this, but
> my assignment is to write a filter.
> I understand that ASP.NET implements cookieless sessions by writing the
> session id in the url.
> I suppose it could be done that way in the filter, but I doubt that
> significantly improves security (session id is visible in the browser).
>
> Is there some other way to do this using ISAPI Filter?
>
> David Wang wrote:
> > On Apr 1, 2:59 am, Walter Sobchak wrote:
> >> I'd like to include a session id for every user that has authenticated
> >> to the site. I know I can do it with cookies but I would like to know is
> >> there a better way?
> >> The user doesn't have to have cookies enabled and it may not be that secure.
> >>
> >> The basic idea is that there will be a login page and then the realpage
> >> after the user has logged in. When the user authenticates I want to
> >> write a session id and include it in a header. If the user is requesting
> >> something from the realpage then his session id is checked with the
> >> cached session id. If the session ids match the user is authorized to
> >> continue.
> >>
> >> Thanks for any suggestions!
> >
> > Look at how ASP.Net implements cookie-less session using an ISAPI
> > Filter.
> >
> > Why don't you just use the built-in Forms authentication of ASP.Net
> > instead of creating your own? You will need to understand how HTTP
> > works and how a secured authentication protocol works, and until you
> > have those two details completely nailed, implementing it as ISAPI
> > Filter will not be easy.
> >
> > //David
> > http://w3-4u.blogspot.com
> > http://blogs.msdn.com/David.Wang
> > //
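
The check the thread describes (take the session id from a request header or from the URL and compare it with the cached id) can be sketched in portable C. This is an added example, not code from either poster or from ASP.NET. The cookie name `sid`, the 32-hex-character id format, the `/(S(<id>))/` URL shape (modelled on the cookieless URL form) and the names `authorize`, `extract_sid` and `SAMPLE_CACHE` are assumptions, and the ISAPI glue that would hand the URL and Cookie header to this code is left out.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>
#define SID_LEN 32  /* assumed format: 128-bit id as 32 lowercase hex chars */
struct session { char sid[SID_LEN + 1]; time_t expires; };
/* Constructed sample cache entry: one session that expires at t = 1000. */
static const struct session SAMPLE_CACHE[] = {{"0123456789abcdef0123456789abcdef", 1000}};

/* Copy exactly SID_LEN hex chars from p; stops at the first bad byte (incl. NUL). */
static int take_sid(const char *p, char *out) {
    for (size_t i = 0; i < SID_LEN; i++) {
        char c = p[i];
        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f'))) return 0;
        out[i] = c;
    }
    out[SID_LEN] = '\0';
    return 1;
}

/* Cookie "sid=<id>" first, then the cookieless URL form "/(S(<id>))/...". */
int extract_sid(const char *url, const char *cookie, char *out) {
    for (const char *p = cookie; p && (p = strstr(p, "sid=")) != NULL; p += 4) {
        if ((p == cookie || p[-1] == ' ' || p[-1] == ';') && take_sid(p + 4, out)
            && (p[4 + SID_LEN] == '\0' || p[4 + SID_LEN] == ';')) return 1;
    }
    return url && strncmp(url, "/(S(", 4) == 0 && take_sid(url + 4, out)
        && strncmp(url + 4 + SID_LEN, "))/", 3) == 0;
}

/* Compare without an early exit so timing does not reveal how many chars matched. */
static int ct_equal(const char *a, const char *b) {
    unsigned char diff = 0;
    for (size_t i = 0; i < SID_LEN; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 only if the request carries an id that is cached and not yet expired. */
int authorize(const struct session *cache, size_t n, const char *url,
              const char *cookie, time_t now) {
    char sid[SID_LEN + 1];
    int ok = 0;
    if (!extract_sid(url, cookie, sid)) return 0;
    for (size_t i = 0; i < n; i++)
        ok |= ct_equal(cache[i].sid, sid) & (now < cache[i].expires);
    return ok;
}

int main(void) {  /* cookieless request against the constructed sample cache */
    printf("%d\n", authorize(SAMPLE_CACHE, 1,
           "/(S(0123456789abcdef0123456789abcdef))/realpage", NULL, 500));
}
```

The id itself has to come from a cryptographic random source at login and be dropped from the cache at logout or expiry; neither step is shown here.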