Session objects and POSTed Form items

Re: Session objects and POSTed Form items

Brian Burgess wrote on 30 aug 2003 in
microsoft.publi c.inetserver.as p.general:[color=blue]
> Anyone know of any issues with setting the value of a Session object
> to the value of a submitted form item via
> 'Session("mySes sionObj")=Reque st.Form("myFrmE lem")' ?[/color]

This is not "the session object", it is just a variable stored on the
server for use by all asp pages during that session.

"The session object" is the collection of all these variables.
[color=blue]
> In my case the Session object gets set fine.[/color]

See above.
[color=blue]
> But when the user links to another page,
> the value of the session object is EMPTY.[/color]

If that page is not in the same session, yes, otherwise it is available.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Re: Session objects and POSTed Form items

Well I tried two ways...
1st:
If (Session("login ") = Empty) Then
Session("login" ) = Request.Form("l ogin")
End If

2nd:
If (Session("login ") = "") Then
Session("login" ) = Request.Form("l ogin")
End If


I should also mention that the user could be transfered to this page
from some other pages .. in this case we would not have the
'Request.Form(" login")' available to us. HOWEVER, in this case we
should have already been through the login process, and therefore the
Session collection item(login) should already be set.

Got it? :-)


Thnks again,

-BB


On 30 Aug 2003 12:56:19 GMT, "Evertjan."
<exjxw.hannivoo rt@interxnl.net > wrote:
[color=blue]
>Brian Burgess wrote on 30 aug 2003 in
>microsoft.publ ic.inetserver.a sp.general:
>[color=green]
>> It IS in the same session! .. the user is linking .. in fact this all
>> WAS working .. until I changed the code to only set the value of a
>> Session collection item IF that item did not already have a value.[/color]
>
>I think we would need to see that piece of code.[/color]

Re: Session objects and POSTed Form items

looks like a logical flaw

on your login page, it would be better to use this

If Request.Form("l ogin") <> "" then
Session("login" ) = true
End if

if the user comes from another page having already logged in, to check

if session("login" ) <> true then

else

end if

jason

"Brian Burgess" <bburgess66@hot mail.com> wrote in message
news:k181lvgcnp 13dt3an8qt1jg6i ki5rmvdrf@4ax.c om...[color=blue]
> Well I tried two ways...
> 1st:
> If (Session("login ") = Empty) Then
> Session("login" ) = Request.Form("l ogin")
> End If
>
> 2nd:
> If (Session("login ") = "") Then
> Session("login" ) = Request.Form("l ogin")
> End If
>
>
> I should also mention that the user could be transfered to this page
> from some other pages .. in this case we would not have the
> 'Request.Form(" login")' available to us. HOWEVER, in this case we
> should have already been through the login process, and therefore the
> Session collection item(login) should already be set.
>
> Got it? :-)
>
>
> Thnks again,
>
> -BB
>
>
> On 30 Aug 2003 12:56:19 GMT, "Evertjan."
> <exjxw.hannivoo rt@interxnl.net > wrote:
>[color=green]
> >Brian Burgess wrote on 30 aug 2003 in
> >microsoft.publ ic.inetserver.a sp.general:
> >[color=darkred]
> >> It IS in the same session! .. the user is linking .. in fact this all
> >> WAS working .. until I changed the code to only set the value of a
> >> Session collection item IF that item did not already have a value.[/color]
> >
> >I think we would need to see that piece of code.[/color]
>[/color]

Re: Session objects and POSTed Form items

Cool!

That might work better to check if the user had logged in. But I
also need the actual lgoin value in some of the pages. Do you think
that the following would work then?
If Request.Form("l ogin") <> "" Then
Session("login" ) = Request.Form("l ogin")
End if

Thanks

-BB


On Sat, 30 Aug 2003 14:31:35 +0100, "jason kennedy" <jason@pinhut.c om>
wrote:
[color=blue]
>looks like a logical flaw
>
>on your login page, it would be better to use this
>
>If Request.Form("l ogin") <> "" then
>Session("login ") = true
>End if
>
>if the user comes from another page having already logged in, to check
>
>if session("login" ) <> true then
>
>else
>
>end if
>
>jason
>
>"Brian Burgess" <bburgess66@hot mail.com> wrote in message
>news:k181lvgcn p13dt3an8qt1jg6 iki5rmvdrf@4ax. com...[color=green]
>> Well I tried two ways...
>> 1st:
>> If (Session("login ") = Empty) Then
>> Session("login" ) = Request.Form("l ogin")
>> End If
>>
>> 2nd:
>> If (Session("login ") = "") Then
>> Session("login" ) = Request.Form("l ogin")
>> End If
>>
>>
>> I should also mention that the user could be transfered to this page
>> from some other pages .. in this case we would not have the
>> 'Request.Form(" login")' available to us. HOWEVER, in this case we
>> should have already been through the login process, and therefore the
>> Session collection item(login) should already be set.
>>
>> Got it? :-)
>>
>>
>> Thnks again,
>>
>> -BB
>>
>>
>> On 30 Aug 2003 12:56:19 GMT, "Evertjan."
>> <exjxw.hannivoo rt@interxnl.net > wrote:
>>[color=darkred]
>> >Brian Burgess wrote on 30 aug 2003 in
>> >microsoft.publ ic.inetserver.a sp.general:
>> >
>> >> It IS in the same session! .. the user is linking .. in fact this all
>> >> WAS working .. until I changed the code to only set the value of a
>> >> Session collection item IF that item did not already have a value.
>> >
>> >I think we would need to see that piece of code.[/color]
>>[/color]
>[/color]

Re: Session objects and POSTed Form items

what is that advocacy doc about? and what exactly is underquoting?
i've been posting in newsgroups via OE for a couple of years, and have never
seen a thread advocating quoting below a post rather than above

jason

"Evertjan." <exjxw.hannivoo rt@interxnl.net > wrote in message
news:Xns93E7A5F 203126eejj99@19 4.109.133.29...[color=blue]
> jason kennedy wrote on 30 aug 2003 in
> microsoft.publi c.inetserver.as p.general:[color=green][color=darkred]
> >> On 30 Aug 2003 12:56:19 GMT, "Evertjan."
> >> <exjxw.hannivoo rt@interxnl.net > wrote:
> >> >Brian Burgess wrote on 30 aug 2003 in
> >> >microsoft.publ ic.inetserver.a sp.general:
> >> >
> >> >> It IS in the same session! .. the user is linking .. in fact this
> >> >> all WAS working .. until I changed the code to only set the value
> >> >> of a Session collection item IF that item did not already have a
> >> >> value.
> >> >
> >> >I think we would need to see that piece of code.
> >>[/color]
> > "Brian Burgess" <bburgess66@hot mail.com> wrote in message[color=darkred]
> >> Well I tried two ways...
> >> 1st:
> >> If (Session("login ") = Empty) Then
> >> Session("login" ) = Request.Form("l ogin")
> >> End If
> >>
> >> 2nd:
> >> If (Session("login ") = "") Then
> >> Session("login" ) = Request.Form("l ogin")
> >> End If
> >>
> >>
> >> I should also mention that the user could be transfered to this page
> >> from some other pages .. in this case we would not have the
> >> 'Request.Form(" login")' available to us. HOWEVER, in this case we
> >> should have already been through the login process, and therefore the
> >> Session collection item(login) should already be set.[/color]
> > looks like a logical flaw
> > on your login page, it would be better to use this
> >
> > If Request.Form("l ogin") <> "" then
> > Session("login" ) = true
> > End if
> >
> > if the user comes from another page having already logged in, to check
> >
> > if session("login" ) <> true then
> >
> > else
> >
> > end if[/color]
>
> [first I would like to stress, please do not underquote
> <http://www.xs4all.nl/%7ewijnands/nnq/nquote.html>]
>
> Brian is right, but do not accept the login confirmation from clientside,
> that can be attacked.
>
> "If true = true then" is superfluous, so this is enough:
>
>
> <%
> If Session("logged in") Then
> Response.redire ct "mainpage.a sp"
> End If
>
> If Lcase(Request.F orm("loginname" )) = "john" AND _
> Request.Form("l oginpassword") = "QWERty" then
> Session("logged in") = true
> Response.redire ct "mainpage.a sp"
> End If
> Response.redire ct "loginpage. asp"
> %>
>
> =============== ===========
>
> And on mainpage.asp and all other pages:
>
> <%
> If NOT Session("logged in") Then
> Response.redire ct "loginpage. asp"
> End If
> %>
>
> If you have far more than one name/password combination,
> a database becomes usefull.
>
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)[/color]

Re: Session objects and POSTed Form items

Ok I just tried the following:
If Request.Form("l ogin") <> "" then
Session("login" ) = Request.Form("l ogin")
End if

The Session item gets set correctly as before, but is still reset to
'Empty' once the user clicks the link to another page... any ideas?

Thanks

-bB


On Sat, 30 Aug 2003 17:15:15 +0100, "jason kennedy" <jason@pinhut.c om>
wrote:
[color=blue]
>what is that advocacy doc about? and what exactly is underquoting?
>i've been posting in newsgroups via OE for a couple of years, and have never
>seen a thread advocating quoting below a post rather than above
>
>jason
>
>"Evertjan." <exjxw.hannivoo rt@interxnl.net > wrote in message
>news:Xns93E7A5 F203126eejj99@1 94.109.133.29.. .[color=green]
>> jason kennedy wrote on 30 aug 2003 in
>> microsoft.publi c.inetserver.as p.general:[color=darkred]
>> >> On 30 Aug 2003 12:56:19 GMT, "Evertjan."
>> >> <exjxw.hannivoo rt@interxnl.net > wrote:
>> >> >Brian Burgess wrote on 30 aug 2003 in
>> >> >microsoft.publ ic.inetserver.a sp.general:
>> >> >
>> >> >> It IS in the same session! .. the user is linking .. in fact this
>> >> >> all WAS working .. until I changed the code to only set the value
>> >> >> of a Session collection item IF that item did not already have a
>> >> >> value.
>> >> >
>> >> >I think we would need to see that piece of code.
>> >>
>> > "Brian Burgess" <bburgess66@hot mail.com> wrote in message
>> >> Well I tried two ways...
>> >> 1st:
>> >> If (Session("login ") = Empty) Then
>> >> Session("login" ) = Request.Form("l ogin")
>> >> End If
>> >>
>> >> 2nd:
>> >> If (Session("login ") = "") Then
>> >> Session("login" ) = Request.Form("l ogin")
>> >> End If
>> >>
>> >>
>> >> I should also mention that the user could be transfered to this page
>> >> from some other pages .. in this case we would not have the
>> >> 'Request.Form(" login")' available to us. HOWEVER, in this case we
>> >> should have already been through the login process, and therefore the
>> >> Session collection item(login) should already be set.
>> > looks like a logical flaw
>> > on your login page, it would be better to use this
>> >
>> > If Request.Form("l ogin") <> "" then
>> > Session("login" ) = true
>> > End if
>> >
>> > if the user comes from another page having already logged in, to check
>> >
>> > if session("login" ) <> true then
>> >
>> > else
>> >
>> > end if[/color]
>>
>> [first I would like to stress, please do not underquote
>> <http://www.xs4all.nl/%7ewijnands/nnq/nquote.html>]
>>
>> Brian is right, but do not accept the login confirmation from clientside,
>> that can be attacked.
>>
>> "If true = true then" is superfluous, so this is enough:
>>
>>
>> <%
>> If Session("logged in") Then
>> Response.redire ct "mainpage.a sp"
>> End If
>>
>> If Lcase(Request.F orm("loginname" )) = "john" AND _
>> Request.Form("l oginpassword") = "QWERty" then
>> Session("logged in") = true
>> Response.redire ct "mainpage.a sp"
>> End If
>> Response.redire ct "loginpage. asp"
>> %>
>>
>> =============== ===========
>>
>> And on mainpage.asp and all other pages:
>>
>> <%
>> If NOT Session("logged in") Then
>> Response.redire ct "loginpage. asp"
>> End If
>> %>
>>
>> If you have far more than one name/password combination,
>> a database becomes usefull.
>>
>> --
>> Evertjan.
>> The Netherlands.
>> (Please change the x'es to dots in my emailaddress)[/color]
>[/color]

Re: Session objects and POSTed Form items

jason kennedy wrote on 30 aug 2003 in
microsoft.publi c.inetserver.as p.general:[color=blue]
> and what exactly is underquoting?
> i've been posting in newsgroups via OE for a couple of years, and have
> never seen a thread advocating quoting below a post rather than above[/color]

But that is what you were doing. You were quoting under your post. This
answer is topquoting.

It does not matter what programme ["OE"] you use, it is against netiquette
on usenet NG.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

Re: Session objects and POSTed Form items

How about the original question .. Any one have ideas?

thanks

-BB

On 30 Aug 2003 17:52:53 GMT, "Evertjan."
<exjxw.hannivoo rt@interxnl.net > wrote:
[color=blue]
>jason kennedy wrote on 30 aug 2003 in
>microsoft.publ ic.inetserver.a sp.general:[color=green]
>> and what exactly is underquoting?
>> i've been posting in newsgroups via OE for a couple of years, and have
>> never seen a thread advocating quoting below a post rather than above[/color]
>
>But that is what you were doing. You were quoting under your post. This
>answer is topquoting.
>
>It does not matter what programme ["OE"] you use, it is against netiquette
>on usenet NG.[/color]

Session objects and POSTed Form items - SOLVED

I figured this one out with everyones help along an article(2157) in
ASPFAQ.com. The trouble was my initial code AND related to an MS security
patch. A KB article(Q316112 ) describes it.

My code now is more or less it is like the following, and it is working
properly:

<%

Option Explicit


If (Request.Form(" loginName") <> "") Then

Session("loginN ame") = Request.Form("l oginName")

End If

Dim strLoginName

strLoginName = Session("loginN ame")

....

'Do your stuff here

....

%>



Thanks all,

-BB



"Brian Burgess" <bburgess66@hot mail.com> wrote in message
news:isv0lvgbck hj0dtru3biu0scj 2v18vt050@4ax.c om...[color=blue]
> Hi all,
>
> Anyone know of any issues with setting the value of a Session object
> to the value of a submitted form item via
> 'Session("mySes sionObj")=Reque st.Form("myFrmE lem")' ?
>
> In my case the Session object gets set fine. But when the user links
> to another page, the value of the session object is EMPTY.
>
> thanks in advance..
>
> -BB[/color]