Using Session Variables

 

Introduction.  Previously in this course we have discussed how typical web interactions, in their most common form, are stateless.  That is, the web server doesn't maintain any information about a particular client from one request to the next.  We have also described how it can be important for the web server to maintain different types of persistent information.  For example, 
  • you want to know what sorts of purchases this customer has made in the past 
  • the client wants to move from one record to the next in a database
  • you want to maintain a customer list
  • you want to be able to easily update information that a client has just submitted

This list can go on and on.

There are several ways to maintain persistent information about a client or group of clients for web interactions.  The approach that we will develop in this web page relates to the Session object.  

The Session Object.  The Session object has been developed to maintain information on a user-by-user basis so that it can be accessed through any ASP page on your web site.  A Session object can store any kind of data type, from numbers to strings, arrays and even other objects.  

The Session object is used to maintain state only for the duration of the client's visit to the web site.  When each user comes to your site, memory on the web server is allocated to store the Session object for each user.  The memory is released if the user doesn't visit your web site for a certain length of time.  The time period is 10 minutes by default, but can be adjusted.  Each variable stored in the Session object is referred to as a Session Variable.

Now we will work using the Time( ) function to set a session variable and then observe how it persists.  The following is the code for TimeOfDaySession.asp.

<%@ Language=VBScript %>
<% Option Explicit %>

<html>
<font size=4><div align = center>
<P>The time of day is <%= Time() %> </P>
<% Session("TimeOfDay") = Time() %>
<P>The Session Variable TimeOfDay has been set = <%= Session("TimeOfDay") %> </P>
<P> 
<a href="TimeOfDayCompare.asp">Please wait a few minutes and then click on this link</a>
</P>
</div></FONT>
</html>

The meaning of the code will be discussed in class.

When you go to the web page you should see something like the following.

 

 

But before you can click on the link you need to make sure you have TimeOfDayCompare.asp, which contains the following code.

<%@ Language=VBScript %>
<% Option Explicit %>


<html>
<font size=4><div align = center>
<P>The time of day is <%= Time() %> </P>

<P>Now the Session Variable TimeOfDay is still <%= Session("TimeOfDay") %> </P>

</div></FONT>
</html>

After uploading this ASP, waiting a little while, and clicking on the link, you should see a screen like the following.

 

 

Now you should wait a while longer and then refresh the page.

Now you should close your browser and then open it back up and go directly to TimeOfDayCompare.asp.  You are quite likely to get a blank for the Session Variable, because closing the browser discards the cookie that ties it to your Session object on the server.

Improving the Login.asp.  Now we are going to work on improving the Login.asp to make use of session variables.  What you should do is enter the URL for your Members.html and notice that you have no trouble going directly to the page and entirely circumventing the login procedure.  How can this be improved?

What if we define a session variable that is checked right at the beginning of the Members page?  You need to create a new ASP called MembersSecure.asp.  We need the ASP extension in order for the page to be processed correctly.  The code for this should be the following.

<%@ Language=VBScript %>
<% Option Explicit %>

<% 
' Send anyone who has not passed through the login back to the login form.
If Session("ValidUser") <> "TouchYou" Then
    Response.Redirect "LoginSecure.html"
End If
%>

<HTML>
<BODY>
<font size = 4>Well let someone else get near you!
<BR>
You're definitely a member.</font>
</BODY>
</HTML>

Notice the little If-Then snippet at the beginning that checks the value of the session variable ValidUser.  If it isn't correct then you are rerouted back to the LoginSecure.html form page.  This makes sure that everyone who reaches the page has passed through the login procedure.  The code for LoginSecure.html follows.

<HTML>
<FORM METHOD=POST ACTION="ValidationSecure.asp">
<P>We need you to enter your member password <BR>in order to access the members pages.

<P>What is your member password?
<INPUT TYPE=password NAME=txtPassWord>

<P>
<INPUT TYPE=SUBMIT VALUE="Submit PassWord">
</FORM>
</HTML>

About the only real change is that the form information is posted to ValidationSecure.asp.  The code for this should be the following.

<%@ Language=VBScript %>
<% Option Explicit %>
<% Response.Buffer = True %>

<%
Dim strRealPass, strEnteredPass
strRealPass = "kilroy22"
strEnteredPass = Request.Form("txtPassWord")
If (strEnteredPass = strRealPass) Then

    ' Correct password: mark this session as logged in, then go to the members page.
    Session("ValidUser") = "TouchYou"
    Response.Redirect "MembersSecure.asp"

Else

    ' Wrong password: discard any buffered output and show the error message.
    Response.Clear
    Response.Write "<font size = 4>Invalid Password!" & "<BR></font>"
    Response.Write "<font size = 4>You must be a registered member!" & "</font>"

End If
%>

<HTML>
<BODY>

<P><font size = 4><b><A HREF="LoginSecure.html">Try to login again!</A></b></font>

</BODY>
</HTML>

Notice the only real modification is a statement added within the part of the logic that handles correct logins.  If someone enters the correct password then the session variable is set: Session("ValidUser") = "TouchYou".

Now if you end your session and then try to go directly back to MembersSecure.asp you will not be able to circumvent the LoginSecure.html page.

This entire login procedure can be upgraded for individual users by using a database table for username and password information.
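
A guard that every members page could share, as an added example that is not part of the original course code: it repeats the Session("ValidUser") check from MembersSecure.asp, sets the idle timeout explicitly, asks the browser not to cache members pages, and ends the session with Session.Abandon when a logout link is followed.  The file name SessionGuard.asp and the action=logout query string are assumptions made for this example.

```asp
<%
' SessionGuard.asp: hypothetical file name; added example, not course code.
' It declares no variables, so it does not clash with the Dim statements
' of a page that uses Option Explicit.

' Buffer the response so the headers and redirects below can still be sent.
' This must run before the page writes any HTML.
Response.Buffer = True

' Idle time, in minutes, after which the server releases this user's Session.
Session.Timeout = 10

' Ask the browser and any proxies not to keep a copy of members-only pages,
' so they are not redisplayed from cache after the session has ended.
Response.Expires = -1
Response.AddHeader "Cache-Control", "no-store"
Response.AddHeader "Pragma", "no-cache"

' Logout: a link such as MembersSecure.asp?action=logout (assumed name)
' ends the session instead of waiting for the timeout.
If LCase(Request.QueryString("action")) = "logout" Then
    Session.Abandon        ' the Session object is destroyed when this request ends
    Response.Redirect "LoginSecure.html"
End If

' Same test as MembersSecure.asp: without a valid login in this session,
' the visitor is sent back to the login form and never sees the page body.
If Session("ValidUser") <> "TouchYou" Then
    Response.Redirect "LoginSecure.html"
End If
%>
```

Each members page pulls the guard in with <!-- #include file="SessionGuard.asp" --> placed directly after its Option Explicit line, so a new page cannot be added without the check.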