I have a page that has <%Session("whatever")=null%> at the very bottom. I'm wondering how null this session is. If, when he gets to the next page he types the page he just left into the address bar he gets redirected.Fine. However, if he hits the back button he gets right back onto the page and can resubmit the info.

Is there anyway that I can stop this from occuring?

Thanks in advance
Dealer58

All the best

Vince

------------------
Internet Business Solutions S.L.(Spain)

Setting the Session Variable to null only removes the memory associated with the Session variable itself... the Session object still maintains a reference to it, though.

If you are using ASP 3 then you should use this:

Session.Contents.Remove "nameOfSessionVariable"

This will remove both the key and the item associated with the session variable.
You could also use:

Session.Contents.RemoveAll

This will obliterate all of your session variables.

If you are using ASP 2.0 then you will have to use =null, and some coding such as:

Javascript to disable the back button (users, including myself hate that)

Check for a variable on your form that it could only get after being submitted. If it finds the variable, do a redirect. Otherwise, let it fall down your page to the form.

Do a database check on the form page for a value that if true, will redirect.

There are many ways to do this.

Joe

Vince, I was in the middle of my reply and did not see yours

[This message has been edited by jbennett (edited 06-03-2001).]

Its good to see that everybody is here now!

I have two sessions going at the same time. The main session

Session("main"),where the user is logged in
&
Session("whatever")which is a brief session that I want to end without logging out the user. (e.g. spooky login uses the Session("AccessLevel")="#"

If I do a Session.abandon I'll kill the login which is what I'm trying not to do here.

CC

Well I guess I'm not using ASP 3! (am I Vince?)

I'd like to try the "check for a variable method" can you be a bit more specific? Note that the form on the page doesn't have any text fields that must be filled to submit, I'm only passing varibles here. But I could invent one if I had to.

Please Advise
CC

To check for a variable you could do something like:

Once the user submits the form, store a value of True in a cookie. On the page that you don't want them returning to, the first thing you should do is check the value of the cookie. If it is True then redirect.

Don't worry about the stigma concerning cookies. There is no known security issue with them. Nor, to my knowledge, has there ever been one.

Besides, if you are using Session Variables, you are using cookies.

Joe

<%
Response.buffer=True
If Session("whatever") = "" Then
Response.redirect "wherever"
End if
%>

and

<%session("whatever")=null%> is at the bottom.

So,... I think I am checking for a true value like you said first when he tries to return. Now how do I give the user this true value on his first trip. (I think I'm starting to understand)

CC
(this is driving me nuts!)

PS Don't ask me why I have Response.buffer=True
at the top of the page. I haven't got a clue!

[This message has been edited by Dealer58 (edited 06-03-2001).]

etc.....

OK. Now if I hit the back button I can't get the previous page. I get a messgage saying that the page has expired and that I should refresh. If I hit refresh, POOF, I'm in!

How do I prevent that from happening?

CC

You still need to check to implement a method to determine if the user has already submitted the form.

At the top of the form page, you need something like:

If Request.Cookies("bolForm")= True
...then redirect

Or use your session variables or a Database connection (that would seem to be the last choice).

I would use the cookie method myself. Set the cookie to True on the page that you go to after submitting the form. This way if they go back, you are checking for that cookie on the form page.

It is almost impossible to prevent users from sending a form many times. There are many things you can do, but if users empty their browser cache, you are back to square one. You could also track their IP into a database, and then only allow them to use the form if their IP is NOT in the database. But again, this causes huge problem for people who share the same IP.

A database solution is the best long-term solution.

Joe

This is my first go around with cookies. I'm learning though so bear with me.

I understand what will be happening. What is the syntax to SET the cookie and where do I put it. I do not have a form on the page that gets submitted to, just some text and a DRW.

CC

I just did something to check and see if I was in fact nulling the session. Guess what? I am not nulling anything!!!

The only reason why I thought I might have been nulling the session was becasue I had an inc file at the top of the page to make sure a field that posted to the page was filled.

I removed the inc file, went through the series. After leaving the page with the Session null at the end I typed the pages url in the address bar. Got right back in!!I created the session but I cannot null it. The only thing that seems to be working is Session.abandon.

Now What?
CC

PS. I also figured out how to set the cookie
<%
Response.Cookies("whatever")=True
%>

Didn't work either, even with a Session.abandon. I get right in. I'm wondering if I have a super computer here that just smashes through protected pages!
(wouldn't be bad! where's the bank site?)
CC

Just a quick note here as I get ready throw my self from the first floor window of this ten story building.

I am testing this site at 2 separate locations. The newer one, which has been having technical difficulties since I signed up 2 weeks ago, is a windows 2000 server. I just got off the phone with them becasue I cannot publish. While I was there I asked them if they where running ASP3 becasue I want to try the method you mentioned to null the session. They said that they are using ASP2. So I guess that not all Windows 2000 servers have ASP3.

CC (jump!)

Session.Abandon or any variant will have no effect on the value of a cookie.

Joe

Internet Information Server (IIS) 5.0 installs as a networking service of Windows 2000 Server. Customers with any existing version of Windows NT Server 3.51 or 4.0 will automatically be upgraded to the new Web services in Windows 2000 Server and can take advantage of the new features and services of Windows 2000 Server and IIS.

http://www.microsoft.com/windows2000/server/evaluation/features/web.asp

OK. So then they didn't do the upgrade.(just my luck!)

I don't know what code you mean. Do you mean what is in the form that posts?

If so they are all hidden fields such as:

<input type="hidden" name="ItemNumber" value="<%=Request.form("ItemNumber")%>"><input type="hidden" name="Price" value="<%=Request.form("Price")%>">
<input type="hidden" name="Seller" value="<%=Request.form("Seller")%>">
<input type="hidden" name="Buyer" value="<%=Request.form("UserID1")%>">
<input type="hidden" name="ShortDescription" value="<%=Request.form("ShortDescription")%>">

or do you mean whats on the following page in the DRW (There is no form there) eg.
<%
fp_sQry="INSERT INTO Offer (Buyer, ItemNumber, Offer) VALUES ('::Buyer::', '::ItemNumber::', '::Offer::')"
fp_sDefault="Buyer=&ItemNumber=&Offer="
etc.........

Sorry if I'm driving you nuts with this!

CC

Earlier you posted:
If Session("whatever") = "" Then
Response.redirect "wherever"
End if

This would redirect someone if the Session Variable was EMPTY. If they had submitted the form and were assigned a value, they would be allowed to return. As the code states.

If you are using cookies, you could set the value of the cookie on the page after they submit the form.

On the actual form page, you would then check for the cookie value:

If NOT Request.Cookies("varCookie") = "" Then
...redirect
End If

Now, you are looking for a value, any value in the cookie. If there is a value present, then the user is redirected somewhere else. If there is not a value, the code continues down the page.

Joe

Okay, I got it to work. I had to go and put

Request.Cookies("varCookie") = ""

on the page that submits to the page with

If NOT Request.Cookies("varCookie") = "" Then
...redirect
End If

or the user cannot get back in when he follows the original sequence.

the 3rd page has

<%
Response.Cookies("varCookie")=True
%>

(See, I figure somethings out!!!)

Now here's the question that you've been waiting for. What if the user doesn't have Cookies enabled. And most importantly why isn't this

<%Session("SessionVar")=null%>

nulling the session to begin with? Is a Cookie remembering the Session variable too?

CC

quote:

---

Originally posted by Dealer58:
What if the user doesn't have Cookies enabled. And most importantly why isn't this

<%Session("SessionVar")=null%>

nulling the session to begin with? Is a Cookie remembering the Session variable too?

CC

---

Yes and No... OK, Lets quickly go over (I have two kids with me now) what a session variable is.
Session Variables are stored on a user by user basis on the server. When a user enters your Session Variable enables site, a SessionID is written to the server and a cookie that has the value of the SessionID is written to the user.

Now, once that user goes to another page on your site that uses session variables, the the cookie is checked to see if it has a SessionID stored on it, if it does then the values of that SessionID is gathered from the server and used as needed.

Using this, you can give state to your site.

I need to place a WARNING here:

It is widely known that using many session variables in a high volume site WILL effect server performance. If you are not expecting 1000 or so concurrent users, you may not notice a difference, UNLESS you are storing objects in the Session. You should avoid storing objects at all costs.

Back to the question...

Considering what we have briefly covered above, you should start to see the problem if the user does not have cookies enabled.

How does the server find the SessionID on the users cookies if they don't have them enabled? It doesn't.
You will not be able to maintain state from page to page using session variables if the user has cookies disabled.

While the user is on the page that just set the session variable, it will work. Move to another page and it will not.

This is why I said "Yes" and "NO".

Joe

** I almost forgot** While the Session Variable uses cookies in its process it can only destroy those cookies that it created.

A cookie is not a session variable and a session variable in not a cookie. It just uses one as a means to the end.

[This message has been edited by jbennett (edited 06-04-2001).]

Thanks for the very valuable lesson. Now I've really got the picture clear (and the pages working too!)

I guess the moral of this story is:

"If you you ain't got Cookies then don't come around to my site because you won't be able to do much there" Right?

I have a program (J-Bots) that checks to see if Cookies are enabled)Since having Cookies enabled is going to be a necessity to view and participate at this site, do you think that I should use this feature on the default page?

In other words when the user lands there, and the J-Bots thing detects Cookies are not enabled, should I have an alert pop up and tell the user that he should enable cookies if he wants to proceed? Is that a good idea?
(I could also have a greeting pop up that says welcome!) I think I can get it to work with no problem.
Thanks for all the help. Just think, Up until today I always thought of a Cookie as 2 round brown wafers with cream in between 'em!

Regards
CC

I would find out right away if they used cookies or not. After that, it is up to you. I am working on a project that expects a fairly large number of users (75K and up). We use cookies exclusively and will not be providing another way to use the site. At least until ASP.NET is out of beta.

Now I will give you a problem ...

You can do away with using cookies and Session Variables (unless you recklessly store Objects in the Session Variable).

You can use the querystring to hold user variables and pass that from page to page. Using this method, if a user does not have cookies enabled it would make no difference.

What's the catch? Well, the coding can be tedious. You have to assign all the variables to all querystrings that go to pages on your site. You would use either links or forms (use GET rather than POST). On every page, you would also have to pull the values of each variable from the querystring. Neither one of these tasks are difficult, but it can be a BIG pain in the neck to do all the detail work on each page. Once it is up though, it will work fine and you won't have any cookie issues at all.

You are limited to how much data the querystring can hold. I think some older browsers had a limit around 255 characters. Who knows about NetSuck?

Joe

[This message has been edited by jbennett (edited 06-04-2001).]

I love Problems! That's why I visit this place!

If I can avoid a lot of tedious work that would be great. As I was trying to get some sleep I thought of something, that if it could be implemented, will solve everything.

In all of my situations where there are protected pages there is a very first page with no protection on it at all. I need it there because all it does is ask for the User ID and a password.

On this page can I: (drum roll)

Check to see if cookies are enabled, if not, redirect. If so, how? And I'm good to go!
(Actually I have to check the J-Bots components, maybe they could do this, I'm at a different machine right now)

In order for the security to work on this site the way it is right now I still have to do something more in the event that cookies are not eneabled.

CC

Joe

I have the Spooky Login on the site. I've got everything working right now. Thanks for all of your help.

Best Regards
CC