1. Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2003

    ASP Session probs with IIS5


    I've been trying to discover different ways of simulating the ASP Session Object. Some users of sites I've made can't shop online, due mainly to the fact that they don't want to enable cookies or their firewall is blocking session cookies.

    Does anyone have a robust solution other than using a database and passing a user Id around every page???? or of course migrating to ASPX...

    I did find Microsoft's 'Cookie Munger', which came with the IIS 4 Resource Kit. It was installed on IIS5 yesterday and strange things have now started happening. Does anyone have any documentation on this ISAPI Filter? The first error messages on all .asp pages were "Requested Resources is in use"???? Checking the Cache ISAPI Filters option in IIS configuration sorted this, but now when I try to log in to one of my sites which uses the Session Object, and I have all cookies blocked etc. in my browser, I get the following:

    Object Moved
    This object may be found here.
    HTTP/1.1 200 OK
    Server: Microsoft-IIS/5.0
    Date: Tue, 15 Apr 2003 10:35:28 GMT
    Content-Type: text/html
    Expires: Tue, 15 Apr 2003 10:34:28 GMT
    Set-Cookie: ASPSESSIONIDSCDCSDRB=KMICKDMAANPJKFHMLGFDGPCB; path=/
    Cache-control: private

    Cookie Munger is meant? to simulate giving the client a Session ID when they have cookies disabled? Has anyone experienced similar problems?

    I've trawled the web high and low for any discussions on Simulating Sessions but haven't found anything.

    Any ideas/help would be greatly received.
  2. #2
  3. Overly white
    Devshed Newbie (0 - 499 posts)

    Join Date
    Mar 2003
    Fresno, CA
    Well, if you can't use cookies and you can't use sessions then you have to pass the userID around in the URL. I guess you could generate a case-sensitive random number and letter string of say 50 characters, store it in your database as a temp userID every time a user logs in, then pass that around in the URL. Then use that ID to pull up any information on the user; this would keep the real userID from ever being shown, or would lower the odds of anyone ever guessing a valid ID very low. Also you may want to have a field that stores the date; that way a temp ID can only be valid for 1 day, and if someone tries to browse with that ID after the date they will be forced to log in again.

    Does that make any sense at all?
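
    The scheme from the reply above (a 50-character case-sensitive temporary ID stored with its issue date and valid for 1 day), as an added example that is not part of the original thread. It is written in Python with an in-memory SQLite table standing in for the site's ASP pages and database; the table, column and function names are hypothetical, and storing only a hash of the ID goes one step beyond what the reply describes.

```python
import hashlib
import secrets
import sqlite3
import string
from datetime import datetime, timedelta, timezone

ALPHABET = string.ascii_letters + string.digits  # case-sensitive letters and digits
TOKEN_LENGTH = 50                                # length suggested in the reply
TOKEN_LIFETIME = timedelta(days=1)               # "valid for 1 day"


def open_store():
    """In-memory table standing in for the site's database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE temp_ids (token_hash TEXT PRIMARY KEY,"
               " user_id INTEGER NOT NULL, issued_at TEXT NOT NULL)")
    return db


def _digest(token):
    # Only the hash is stored, so a leaked table does not yield usable IDs.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_temp_id(db, user_id, now=None):
    """Call after a successful login; returns the temp ID to carry in URLs."""
    now = now or datetime.now(timezone.utc)
    # secrets draws from the OS CSPRNG; a seeded PRNG would be guessable.
    token = "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LENGTH))
    db.execute("INSERT INTO temp_ids VALUES (?, ?, ?)",
               (_digest(token), user_id, now.isoformat()))
    return token


def resolve_temp_id(db, token, now=None):
    """Return the real user id, or None if the temp ID is unknown or expired."""
    now = now or datetime.now(timezone.utc)
    if len(token) != TOKEN_LENGTH or any(c not in ALPHABET for c in token):
        return None  # reject malformed input before touching the database
    row = db.execute("SELECT user_id, issued_at FROM temp_ids WHERE token_hash = ?",
                     (_digest(token),)).fetchone()
    if row is None:
        return None
    if now - datetime.fromisoformat(row[1]) > TOKEN_LIFETIME:
        db.execute("DELETE FROM temp_ids WHERE token_hash = ?", (_digest(token),))
        return None  # expired: the caller sends the user back to the login page
    return row[0]
```

    Because the ID travels in the URL it also lands in server logs, browser history and Referer headers, which is why the example keeps only its hash and enforces the one-day expiry on the server.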
