Let's talk about SESSION first. The debate over SESSION seems never to have stopped, though there should be more than 90 people who can understand SESSION.
But let me tell you, don't be old~
Some people are in favor of SESSION and others are against it. So what is the right answer to this question? Why not hear my opinion.
If I get anything wrong, please don't throw things at me, unless they are gold bars or coins.
Some of you may know that I work on Jianghu programs, and what I value in a Jianghu program is efficiency. But I won't talk about design here;
I will look at SESSION from a more practical angle.
First of all, we have to talk about what SESSION does. SESSION is a mechanism for storing user information that is specific to one user's IE and to any window opened from its current window. Why do I say that? Look at the following.
First, study how a SESSION is started. After IE is opened, it sends a request to the server asking for a SESSIONID
and for permission to download various types of data, such as pictures, sounds and Flash.
The actual data transmitted, IE to the server:
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.jh521.com
Connection: Keep-Alive
The server returns a SESSIONID that is not already in use, and IE stores the returned SESSIONID.
The server returns the data of the requested page at the same time, as follows. Server to IE:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sun, 30 Nov 2003 16:41:51 GMT
Content-Length: 21174
Content-Type: text/html
Set-Cookie: ASPSESSIONIDCACBBBRT=IBOMFONAOJFEEBHBPIENJFFC; path=/
Cache-control: private
followed by the page's HTML code.
At this point the SESSIONID of this IE program (not the client) is IBOMFONAOJFEEBHBPIENJFFC.
Whenever this IE accesses any ASP program on this site, it sends IBOMFONAOJFEEBHBPIENJFFC
to the server, and the server knows that IBOMFONAOJFEEBHBPIENJFFC is you.
Setting Session("name") = name on the server
can be regarded as
SESSION(IBOMFONAOJFEEBHBPIENJFFC)("name") = name
or
SESSION(SESSIONID)("name") = name
This is how SESSION tells users apart.
When the server hands out this ID, it checks whether the ID is already in use and changes it if so,
so an ID is never repeated. It is possible to cheat by imitating someone else's SESSION ID, but that requires capturing
the data the other party's IE transmits, and it only works while that SESSIONID has not yet been cancelled.
But if I had that kind of time, I would read the NAME and PASS straight out of the POST data, so I don't worry about this.
I guess by now some of you understand how SESSIONID works.
Now let's take a look at COOKIE. Some people say that SESSIONID is a COOKIE. Technically speaking, they are not in the same category.
However, they do work the same way: private data is passed between the user and the server.
When I set a COOKIE, the server sends an instruction back to IE. IE creates the COOKIE from that instruction and
stores it. The stored information is then retrieved at specific times, such as when this site is accessed and the COOKIE is still valid.
So why use COOKIE instead of SESSION?
Look at the difference in valid time, storage method and transferred content:
COOKIE: the valid time can be set; it is kept locally; the information is transferred explicitly.
SESSION: valid as long as IE is not closed and the server has not timed out; only the SESSIONID is transferred.
If you want users to be able to log in to the website next time without entering a username or password, you can only use COOKIE,
because it can be kept for quite a long time (until the COOKIE record is deleted or expires).
SESSION cannot do this. It is not kept for long, and IE automatically clears the SESSIONID record when it is closed.
The next time you log in, a new SESSIONID is requested.
When the server needs to verify a user's status through a per-user variable, it must not use COOKIE.
Suppose the user's permission is set to USER. When IE accesses the site, it sends the value USER to the server.
So what if I use certain means, such as editing the COOKIE record directly, to change USER to ADMIN~~
That would be trouble.
However, COOKIE is the best place to store information such as a username and password or a website color scheme.
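The USER-to-ADMIN problem described above, next to the SESSION(SESSIONID)(name) model, as an added example that is not part of the original article. It is a Python model rather than ASP code; the cookie names SID and role and all function names are hypothetical.

```python
import secrets
from http.cookies import SimpleCookie

COOKIE_NAME = "SID"  # hypothetical session cookie name for this example

class SessionStore:
    """Models SESSION(SESSIONID)(name): per-user data stays on the server."""
    def __init__(self):
        self._data = {}

    def new_session(self):
        # Issue an unpredictable ID and never hand out one already in use.
        while True:
            sid = secrets.token_hex(16)
            if sid not in self._data:
                self._data[sid] = {}
                return sid

    def get(self, sid):
        # An unknown or cancelled ID yields no session at all.
        return self._data.get(sid)

    def end(self, sid):
        self._data.pop(sid, None)

def parse_cookies(header):
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}

def role_from_cookie(cookie_header):
    """Weak: trusts a permission value that the browser sent."""
    return parse_cookies(cookie_header).get("role", "GUEST")

def role_from_session(store, cookie_header):
    """Hardened: the cookie carries only the ID; the role is looked up server-side."""
    session = store.get(parse_cookies(cookie_header).get(COOKIE_NAME, ""))
    return session.get("role", "GUEST") if session else "GUEST"

def demo():
    store = SessionStore()
    sid = store.new_session()
    store.get(sid)["role"] = "USER"   # set by the server at login
    # Constructed request header: the client edited its own "role" cookie.
    tampered = f"{COOKIE_NAME}={sid}; role=ADMIN"
    weak = role_from_cookie(tampered)
    strong = role_from_session(store, tampered)
    store.end(sid)                    # session cancelled (logout or timeout)
    after_end = role_from_session(store, tampered)
    return weak, strong, after_end
```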
OK, I'm a little tired. One more thing to talk about:
Request.ServerVariables("HTTP_REFERER")
I think some people use Request.ServerVariables("HTTP_REFERER")
to enforce certain key restrictions, especially against remote submissions and unauthorized access.
I want to remind you that the HTTP_REFERER value the server obtains is sent to the server entirely by IE, and it can be forged.
It is not difficult, either. A program that forges HTTP_REFERER can be written in VB in less than half an hour.
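One way to replace the HTTP_REFERER restriction with a check the client cannot satisfy by setting a header, as an added example that is not part of the original article. It is a Python model rather than ASP code; the host www.example.com, the page post.asp, the field name token and the function names are hypothetical.

```python
import hmac
import secrets

TRUSTED_PREFIX = "http://www.example.com/"  # hypothetical site address

def referer_check(headers):
    """Weak: HTTP_REFERER is a request header, so the sender chooses its value."""
    return headers.get("Referer", "").startswith(TRUSTED_PREFIX)

def issue_form_token(session):
    """Called when the form page is rendered; the token stays in the server-side session."""
    session["form_token"] = secrets.token_urlsafe(32)
    return session["form_token"]

def token_check(session, form):
    """Hardened: the submission must echo a secret only the real form page received."""
    expected = session.pop("form_token", None)  # single use
    supplied = form.get("token", "")
    return expected is not None and hmac.compare_digest(expected, supplied)

def demo():
    session = {}  # stands in for the ASP Session object of one user
    issue_form_token(session)
    # Constructed remote submission: Referer chosen by the sender, token unknown to it.
    remote_headers = {"Referer": TRUSTED_PREFIX + "post.asp"}
    remote_form = {"msg": "hi", "token": "guess"}
    weak = referer_check(remote_headers)
    strong_remote = token_check(session, remote_form)
    # Legitimate submission: the form page was rendered and its hidden field echoed back.
    token = issue_form_token(session)
    strong_legit = token_check(session, {"msg": "hi", "token": token})
    replay = token_check(session, {"msg": "hi", "token": token})
    return weak, strong_remote, strong_legit, replay
```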