Article Discussion: Session Replacement in ASP

If you have any questions or comments about this article then please post them here!

It was an interesting article, but it's hard to see how I would scale such a solution beyond just the simple two-page site you described. The introduction seemed to promise a technique for replacing the Session object with a database, but it doesn't even come close. Creating a simple ID and tagging it onto the QueryString for a single link is trivial. How would I use this technique on an ASP app where dozens of links appear on each page, all pointing to various other internal pages in my ASP app? I would need some central routine to tag that querystring onto every link! Without that, this would quickly become unmanageable.

Also, the introduction seems to promise the ability to "replace" the Session object. It only shows a way to replace the session ID. What good is that without persisting the *data* that a user might otherwise put into the Session object? Suppose when the user logs in they indicate their first name is "Tom". Rather than do Session("FirstName") = "Tom" I would expect to find some routine to store this in the database, and later retrieve it. But there is none. How exactly have I replaced the Session object then?

- Tom

Thank you for finding my article interesting.

You are right that in order for this to work, you need to tag this querystring to all redirects in your asp application.
However, this is the only key you need to tag. So, instead of storing a lot of data in session objects, you use the database to collect all that information, with this key as the identifier.

I have used this approach successfully on our site. As long as you tag the sessionID to all the redirects, you have a good working solution with this approach which in my mind is better scalable than the session objects especially when you add more servers in a load balanced web farm.

Rogier,

It sounds like you have taken this principle much further in real life than this article! Excellent. I'd be interested to hear in later articles how you handled the management of adding the identifier string to all your links. In much of my work, our links are generated dynamically depending on the query the user has performed, and the screen they are looking at.

Also, it would be great to hear how you manage the collection and reinstantiation of the Session data on each page. For instance, do you retrieve just the pieces needed for each page, or pull up the whole lot and let the page use what it needs? Do you store just scalar variables, or do you store arrays, objects, collections and the like?

- Tom

Hi Tom,

We let the database do most of the work. To give you an example: We manage data for multiple customers, each with it's own set of data. The userID is tied to a specific customer, to ensure that each customer can only view and modify his or her data.

So in the user table we collect userID, password, customerID with the sessionID being the PK. Same as the example + a customerID field.

On login, when the database hands out a new uniqueidentifier for the session, we know which user and which customer.

Now as long as you ensure that for each query you add the uniqueidentifier, the database can figure out for which customer data needs to be displayed.

On the ASP side, we do not need more than the ID, since the rest is done on the database side. As long as you ensure you always pass the ID as stored procedure parameter and make the ID available. So as far as reinistantiation of the session data on the pages, there is not any in our case

Ah! This makes more sense now.

You can imagine my confusion, I guess. Everyone programs a bit differently, but for most folks (I would guess), the Session object is valuable mainly for the ability to create and use Session variables for each user. The existence of a Session ID that you can use to track things is useful but kind of incidental.

So when the article's title seemed to promise a technique to replace the Session object, I was excited to see how you would use a database to store and maintain and reinstantiate Session variable data. But that was not the intent of the article. Perhaps a more to-the-point title for the article would have been "Session ID Replacement in ASP?"

In any case, thanks for explaining...

- Tom

However, in the example the database takes care of the timeout value which comes in with the session variable.

We started out using session variables to store login information, and to check whether a user is logged in or not, reasons being to control how much idle time a user is allowed to have before the session should be considered closed, (Session.TimeOut) and whether a user is logged in or not.

That's why in the article the database checks the last update time, and our discussion above talks about the table which you access using the id.

If sSessionID = -1 Then
SMessage = "username or password invalid"
else
Response.Redirect ("home.asp?id=" & sSessionID)
end if

when ever the username and password is incorect, then the -1 will be returned by the stored procedure, and the "username of password invalid" message will be displayed.

However when my username and password is valid, sSessionID has no value in it. Totally empty.

Im new with asp. How is it solved.

I inserted the record into the table as in:

INSERT INTO tbl_users VALUES (NEWID(),"mama","papa",GetDate())