A simple application may be implemented as shown in the following figure.

Figure 1: Simple unified logic that runs in a single process and thread (Courtesy MSDN).

The above pseudo-code takes input from the client and based on the input executed different paths. Note that the input is taken at different points in the code. The state of the application/process is represented here by a simple string. Although this application development style is simple and easy to understand, it is not scalable. Imagine you are using such application logic for a hiring process where the inputs can come after days and even weeks. Your server would have to keep the process alive and running for this whole period. Imagine how much resources it would take to cater for thousands of users. What if the server fails during this period?

Considering these problems, lets look at another solution. This time round we separate the application logic at the freezing points (the input). Breaking the application logic allows the application to run as two different threads. This can solve a few of the problems described above.

Figure 2: Breaking the application logic (Courtesy MSDN).

Note that this time round the state is stored outside of the process in a database. The reason is that whenever the second process starts it needs to get the current state from some “persistent” store. Also note that the two application parts can now run on two different machines. Can you see a problem with this? The problem comes from the fact that it is hard for the second process to know whether the if was executed in the first part or the else (of course you would have to make this a part of the state). The point here is that the state becomes complex and we have to introduce a number of checks in the second part of the application.

The first figure is how our usual desktop applications run. they have their state stored in some memory variables that vanish as soon as the application ends. The applications which remember what you did last time have to save this state in some persistent storage. The second example is how ASP.NET applications work. The application logic is implemented in a distributed manner (on different pages). This not only makes it difficult for people to understand the process but also the programmer has to perform a series of checks whenever a page loads. It is also to be noted that the first type provides us unified logic whereas the second provides us scalability.

The Solution

Using windows workflows can help us solve these problems. WF function just as a normal program providing mechanism for input, output, control flow etc. However, all these are done with the help of activities, see diagram below.

Figure 3: In a workflow all the things are done with the help of activities (Courtesy MSDN)

As you can probably already see that unified logic is provided by workflows, let us see how WF solve the problem of scalability. All the work in the WF is done using activates, and as seen the WF provides all the elements of a usual programming language. The difference however is that all these activities are classes themselves, and they are executed on a WF Runtime which knows how to run these classes (activities).

Figure 3: WF Runtime executes activities in order (Courtesy MSDN).

When it begins the workflow runtime executes the outer most activity first, which in this case is a sequential workflow. Then it executes the activities one after the other in order determined by the workflow. One thing to note here is that the activities are objects, and therefore can be described in any language, making the workflow independent of the language. Also that the WF Runtime does not know anything about the internals of the activity it is executing, allow the programmer to fill in what is to be done. WF provides a Base Activity Library (BAL) from which you can pick activities to include in your workflow. You can also create activates of your own, called custom activities.

The big question arises, why go through all this pain? The first answer to this question has already been answered, it provides unified logic. However, to be scalable the server application cannot be stuck with one process. One solution to this is the ASP.NET way, i.a. to break the application logic down into small chunks, however this is something we are trying to avoid. Moreover, the programmer than has to explicitly deal with state. As you can probably notice this WF is already broken down into chunks, this allows the WF to persist (not block waiting for an event). When at the start of our example workflow, the workflow is waiting for input the WF Runtime realizes this and stores the state of the WF in a persistent storage (we say the WF persists). This allows for the server resources to be used elsewhere. When the input arrives the WF Runtime wakes up the WF.

Figure 5: The workflow can persist (Courtesy MSDN).

Another advantage of the workflow being broken down from the perspective of scalability is the ability of the WF to be run on different machines when it resumes, as shown in the following diagram.

Figure 6 Different parts of a workflow can run on different machines

Other Benefits

Other benefits of using windows workflows include the following

Coordinating Parallel Work

The WF allows you to coordinate parallel work in a better way by using the parallel activity which is part of BAL (More on this in later articles).

Figure 7 Workflows can run parallel activates (Courtesy MSDN).

Providing Tracking

Tracking processes is an important part of any business application. WF makes it extremely easy to do this by providing tracking services. The tracking services are extremely closely linked to persistence (state maintenance) because the state of the WF has all the information one needs for tracking a WF.

Figure 8 You can track the WF using tracking services (Courtesy MSDN).

Creating custom activities

WF allows you to create custom activities that you can re use as is suited to your business application, allowing to use OO concepts in WF.

Figure 9 You can create custom activities (Courtesy MSDN).

Fully Declarative Language

WFs are fully declarative as each workflow is represented by a corresponding XAML file.

Figure 10 WFs are fully declarative (Courtesy MSDN).

Related articles

http://msdn.microsoft.com/en-us/library/dd851337.aspx

Share on Facebook

Create an ASP.NET Application Using C# .NET

1. Open Visual Studio .NET.
2. Create a new ASP.NET Web application, and specify the name and location.

Configure the Security Settings in the Web.config File

This section demonstrates how to add and modify the <authentication> and <authorization> configuration sections to configure the ASP.NET application to use forms-based authentication.

1. In Solution Explorer, open the Web.config file.
2. Change the authentication mode to Forms.
3. Insert the <Forms> tag, and fill the appropriate attributes. Copy the following code, and then click Paste as HTML on the Edit menu to paste the code in the <authentication> section of the file:

   1: <authentication mode="Forms">

   2:    <forms name=".ASPXFORMSDEMO" loginUrl="logon.aspx" 

   3:    protection="All" path="/" timeout="30" />

   4: </authentication> 

   5:     

4. Deny access to the anonymous user in the <authorization> section as follows:

   1: <authorization>

   2:    <deny users ="?" />

   3:    <allow users = "*" />

   4: </authorization>

Create a Logon.aspx Page

1. Add a new Web Form to the project named Logon.aspx.
2. Open the Logon.aspx page in the editor, and switch to HTML view.
3. Copy the following code, and use the Paste as HTML option on the Edit menu to insert the code between the <form> tags:

   1: <h3>

   2:    <font face="Verdana">Logon Page</font>

   3: </h3>

   4: <table>

   5:    <tr>

   6:       <td>Email:</td>

   7:       <td><input id="txtUserName" type="text" runat="server"></td>

   8:       <td><ASP:RequiredFieldValidator ControlToValidate="txtUserName"

   9:            Display="Static" ErrorMessage="*" runat="server" 

  10:            ID="vUserName" /></td>

  11:    </tr>

  12:    <tr>

  13:       <td>Password:</td>

  14:       <td><input id="txtUserPass" type="password" runat="server"></td>

  15:       <td><ASP:RequiredFieldValidator ControlToValidate="txtUserPass"

  16:           Display="Static" ErrorMessage="*" runat="server" 

  17:           ID="vUserPass" />

  18:       </td>

  19:    </tr>

  20:    <tr>

  21:       <td>Persistent Cookie:</td>

  22:       <td><ASP:CheckBox id="chkPersistCookie" runat="server" autopostback="false" /></td>

  23:       <td></td>

  24:    </tr>

  25: </table>

  26: <input type="submit" Value="Logon" runat="server" ID="cmdLogin"><p></p>

  27: <asp:Label id="lblMsg" ForeColor="red" Font-Name="Verdana" Font-Size="10" runat="server" />

  28:                         

4. This Web Form is used to present a logon form to users so that they can provide their user name and password to log on to the application.
5. Switch to Design view, and save the page.

Code the Event Handler So That It Validates the User Credentials

This section presents the code that is placed in the code-behind page (Logon.aspx.cs).

1. Double-click Logon to open the Logon.aspx.cs file.
2. Import the required namespaces in the code-behind file:

   1: using System.Data.SqlClient;

   2: using System.Web.Security;

3. Create a ValidateUser function to validate the user credentials by looking in the database. (Make sure that you change the Connection string to point to your database).

   1: private bool ValidateUser( string userName, string passWord )

   2: {

   3:     SqlConnection conn;

   4:     SqlCommand cmd;

   5:     string lookupPassword = null;

   6:  

   7:     // Check for invalid userName.

   8:     // userName must not be null and must be between 1 and 15 characters.

   9:     if ( (  null == userName ) || ( 0 == userName.Length ) || ( userName.Length > 15 ) )

  10:     {

  11:         System.Diagnostics.Trace.WriteLine( "[ValidateUser] Input validation of userName failed." );

  12:         return false;

  13:     }

  14:  

  15:     // Check for invalid passWord.

  16:     // passWord must not be null and must be between 1 and 25 characters.

  17:     if ( (  null == passWord ) || ( 0 == passWord.Length ) || ( passWord.Length > 25 ) )

  18:     {

  19:         System.Diagnostics.Trace.WriteLine( "[ValidateUser] Input validation of passWord failed." );

  20:         return false;

  21:     }

  22:  

  23:     try

  24:     {

  25:         // Consult with your SQL Server administrator for an appropriate connection

  26:         // string to use to connect to your local SQL Server.

  27:         conn = new SqlConnection( "server=localhost;Integrated Security=SSPI;database=pubs" );

  28:         conn.Open();

  29:  

  30:         // Create SqlCommand to select pwd field from users table given supplied userName.

  31:         cmd = new SqlCommand( "Select pwd from users where uname=@userName", conn );

  32:         cmd.Parameters.Add( "@userName", SqlDbType.VarChar, 25 );

  33:         cmd.Parameters["@userName"].Value = userName;

  34:  

  35:         // Execute command and fetch pwd field into lookupPassword string.

  36:         lookupPassword = (string) cmd.ExecuteScalar();

  37:  

  38:         // Cleanup command and connection objects.

  39:         cmd.Dispose();

  40:         conn.Dispose();

  41:     }

  42:     catch ( Exception ex )

  43:     {

  44:         // Add error handling here for debugging.

  45:         // This error message should not be sent back to the caller.

  46:         System.Diagnostics.Trace.WriteLine( "[ValidateUser] Exception " + ex.Message );

  47:     }

  48:  

  49:     // If no password found, return false.

  50:     if ( null == lookupPassword ) 

  51:     {

  52:         // You could write failed login attempts here to event log for additional security.

  53:         return false;

  54:     }

  55:  

  56:     // Compare lookupPassword and input passWord, using a case-sensitive comparison.

  57:     return ( 0 == string.Compare( lookupPassword, passWord, false ) );

  58:  

  59: }

4. You can use one of two methods to generate the forms authentication cookie and redirect the user to an appropriate page in the cmdLogin_ServerClick event. Sample code is provided for both scenarios. Use either of them according to your requirement.
• Call the RedirectFromLoginPage method to automatically generate the forms authentication cookie and redirect the user to an appropriate page in the cmdLogin_ServerClick event:

   1: private void cmdLogin_ServerClick(object sender, System.EventArgs e)

   2: {

   3: if (ValidateUser(txtUserName.Value,txtUserPass.Value) )

   4:     FormsAuthentication.RedirectFromLoginPage(txtUserName.Value,

   5:         chkPersistCookie.Checked);

   6:     else

   7:         Response.Redirect("logon.aspx", true);

   8: }

• Generate the authentication ticket, encrypt it, create a cookie, add it to the response, and redirect the user. This gives you more control in how you create the cookie. You can also include custom data along with the FormsAuthenticationTicket in this case.

   1: private void cmdLogin_ServerClick(object sender, System.EventArgs e)

   2: {

   3:    if (ValidateUser(txtUserName.Value,txtUserPass.Value) )

   4:    {

   5:       FormsAuthenticationTicket tkt;

   6:       string cookiestr;

   7:       HttpCookie ck;

   8:       tkt = new FormsAuthenticationTicket(1, txtUserName.Value, DateTime.Now, 

   9: DateTime.Now.AddMinutes(30), chkPersistCookie.Checked, "your custom data");

  10:       cookiestr = FormsAuthentication.Encrypt(tkt);

  11:       ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);

  12:       if (chkPersistCookie.Checked)

  13:       ck.Expires=tkt.Expiration;    

  14:             ck.Path = FormsAuthentication.FormsCookiePath; 

  15:       Response.Cookies.Add(ck);

  16:  

  17:       string strRedirect;

  18:       strRedirect = Request["ReturnUrl"];

  19:       if (strRedirect==null)

  20:             strRedirect = "default.aspx";

  21:          Response.Redirect(strRedirect, true);

  22:    }

  23:    else

  24:       Response.Redirect("logon.aspx", true);

  25: }

5. Make sure that the following code is added to the InitializeComponent method in the code that the Web Form Designer generates:

   1: this.cmdLogin.ServerClick += new System.EventHandler(this.cmdLogin_ServerClick);

Create a Default.aspx Page

This section creates a test page to which users are redirected after they authenticate. If users browse to this page without first logging on to the application, they are redirected to the logon page.

1. Rename the existing WebForm1.aspx page as Default.aspx, and open it in the editor.
2. Switch to HTML view, and copy the following code between the <form> tags:

   1: <input type="submit" Value="SignOut" runat="server" id="cmdSignOut">

3. This button is used to log off the forms authentication session.
4. Switch to Design view, and save the page.
5. Import the required namespaces in the code-behind file:

   1: using System.Web.Security;

6. Double-click SignOut to open the code-behind page (Default.aspx.cs), and copy the following code in the cmdSignOut_ServerClick event handler:

   1: private void cmdSignOut_ServerClick(object sender, System.EventArgs e)

   2: {

   3:    FormsAuthentication.SignOut();

   4:    Response.Redirect("logon.aspx", true);

   5: }

7. Make sure that the following code is added to the InitializeComponent method in the code that the Web Form Designer generates:

   1: this.cmdSignOut.ServerClick += new System.EventHandler(this.cmdSignOut_ServerClick);

8. Save and compile the project. You can now use the application.

Share on Facebook

I will waste no time and get straight down to business. The tutorial is based on 6 easy steps.

Step 1:

Creating a table in the database.

I have created a very simple table that has only two columns; username and password.

Here is the SQL:

CREATE TABLE `userstable` (
`userName` varchar(20) NOT NULL default ”,
`password` varchar(20) NOT NULL default ”,
PRIMARY KEY  (`userName`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

Step 2:

Create a connection to the database. Although the file below is meant only for a database connection I have taken the liberty of using it to save some general purpose settings as well.

//dbConfig.php

<?php
/*

• The config file for the database connection and variables
• change the database name and username and password
• /

//variables for the databse connection
$serverName = “localhost”;
$userName = “manager”;
$password = “”;
$dbName = “testdatabase”;

$conn = mysql_pconnect($serverName, $userName, $password);
if (!$conn)
{
//print error message, the echo command support html encodeing.
echo(’The connection to the database could not be established!’);
die(’The connection to the database could not be established!’);
}
else
{
// select the database which you wish to opereate
mysql_select_db($dbName);

}

// other variable
$loginSuccess = “phpMembersArea.php”;
$RegisterSuccess = “phpRegister.php?op=thanks”;
$loginRequired = “phpLogin.php?op=loginFirst”;
$timeout = 3600;
$authenticatioMethod = “cookie”;

function CheckLogin() {

// fucntion that checks if some is logged in or not
global $authenticatioMethod;
if (strcmp($authenticatioMethod ,”cookie”) == 0)//we have choosen to use cookies
{

if (!isset($_COOKIE["login"]))
{
return null;
}
else
{
return $_COOKIE["login"];

}
}
else// we are using session based authentication
{
if (!$_Session["userID"] || $_Session["valid_expire_time"] < time())
{
$_Session["userID"]  = null;
$_Session["valid_expire_time"] = time()-1;
session_destroy();
return null;
}
else
{
return $_Session["userID"];
}
}
return null;
}
function RedirectTo($url)
{
//I have to use this function because the php function header can only be called
// if no output has been sent
// this solution uses java scripts so beware
echo(’<script type=”text/javascript”> document.location = ”.$url.”; </script>’);
}
?>

Step 3:

Create a Registeration Page.

I provide a simple registeration page, where you can enter two fields, username and password.

//phpRegister.php
<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″>
<title></title>
</head>
<body>
<form action=”?op=register” method=”POST”>
Username: <input name=”userID” MAXLENGTH=”16″><br />
Password: <input type=”password” name=”password” MAXLENGTH=”16″><br />
<input type=”submit”>
</form>
<?php
// first we include the dbconfig file
// note that we do not need to open the connection
// when the file is included and this page is loaded, the code is automatically executed
echo(’hello’);
include (”dbConfig.php”);

/*

• Here is the plan of action, this is the page that contains the registeration form
• also this is the page that will connect to the database and execute the insert query
• so we need to know if the page is being run from a
• /

// we suppose that a variable named op would be passed with a value
// register if there is a registeration request.
if ($_GET["op"] == “register”)
{

if (!($userID = $_POST["userID"]) )
{
echo(’UserName field is missing!’);
}
else if (!($password = $_POST["password"]))
{
echo(’Password field is missing!’);
}

$query = “INSERT INTO `USERSTABLE` VALUES( ‘”.$_POST["userID"].”‘, Password(’”.$_POST["password"].”‘))”;
//note that my sql requires the password filed to be casted
// also note that . is the string concatenation operator
// also not the “ around the table name

$result = mysql_query($query, $conn);
//you can also redirect to a different page

if (!$result )
{
// make sure that the user was inserted
echo(’<br><h2>The user could not be inserted<br>’);
echo(’The error cant be displayed</h2>’);
}
else
{

REdirectTo($RegisterSuccess);
}

}
else if ($_GET["op"] == “thanks”)
{
echo(’<br><h2>The user was added successfully!</h2>’);
}
//The web form for input ability

?>
</body>
</html>

After this step you have successfully created a user account. All you need to do now is to create a login page.

Step 4:

The plan of action for our login page is that we pass it an query string argument, ‘op’ that dictates what the page does. If the value of this variable is ‘login’ the page gets the POST information and tries to login.

//phpLogin.php

<?php
include (’dbConfig.php’);
if ($_GET["op"] == “login”)//check if this is a login request
{
$query = “Select * from `userstable` where `userName`=’”.$_POST["userID"].”‘ AND `password`=Password(’”.$_POST["password"].”‘) “;

$result = mysql_query($query, $conn);
$obj = @mysql_fetch_object($result);
if ($obj)
{
// means sucessful login
$loginSucessful = 1;
//create session variables
// i will create both a login cookie
// and session variables
// and show how to use both for authentication

$_SESSION["valid_userID"] = $_POST["userID"];
$_SESSION["valide_time"] = time();
$_SESSION["valid_expire_time"] = time()+$timeout;

//set the cookies
//i create a cookie where i set the cookie information to the user name
// the userID can be encrypted also for better security.
setcookie(”login”, $_POST["userID"], time()+$timeout);

// create a cookie
}
else
{
$loginSucessful = 0;
}

if ($loginSucessful == 1)
{
//login has succeeded proceed to members area
if ($_GET["referrer"] )
{
// if we were sent to the login page due to some request of a members area page
// go to that page
RedirectTo($_POST["referrer"]);
}
else
{
RedirectTo($loginSuccess);
}
}
else
{
echo(’<br><h2>Login Information is not correct<br>’.$_POST["userID"].’ does not exist or password is incorrect</h2>’);
}
}
else if($_GET["op"] == “loginFirst”)
{
echo(’<br><h2>You must login first.</h2>’);
}
?>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″>
<title></title>
</head>
<body>
<?php echo(” <form action=”?op=login” method=”POST”>”); ?>
<table>
<tr>
<td>
UserID:
</td>
<td>
<input type = “text” name=”userID” maxlength=”16″></td>
</tr>
<tr>
<td>
Password:
</td>
<td>
<input type = “password” name=”password” maxlength=”16″></td>
</tr>
<tr>
<td>

</td>
<td>
<input type =”submit” name=”subit” maxlength=”16″></td>
</tr>
</table>
</form>

</body>
</html>

Caution: There must be nothing before the ‘<php’ at the start of the page, if there is something the cookie would not be created. It took me some time to figure this out. Keeping this in mind can save a lot of time. Even an empty line or a space can mess things up.

PS: When a members area page is accessed without being logged in, the page redirects to the login page giving it a ‘referrer’ argument. I however could not make it work, if anyone can help please look at:

<?php echo(” <form action=”?op=login” method=”POST”>”); ?>

I was trying to replace this with

<?php echo(” <form action=”?op=login&referrer=” . $_GET["referrer"]  . “” method=”POST”>”); ?>

However, whenever there was a valid referrer the username and password is not verified, the page works fine otherwise.

Step 5:

The members area page.

//phpMembersArea.php

<?php
session_start();
include (’dbConfig.php’);
$loggedInUser = CheckLogin();
if (!$loggedInUser)// no one is logged in
{
echo(’You are not logged in’);
RedirectTo(”phpLogin.php?referrer=phpMembersArea.php”);
}
else
{
echo(’<h2>Welcome ‘.$loggedInUser.’!</h2><br>’);
}
?>
<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″>
<title></title>
</head>
<body>
<h1>This is the members area</h1>
<br>
<br>
<a href = “phpLogout.php”>Logout</a>
<?php

?>
</body>
</html>

The page calls the CheckLogin() function defined in the dbConfig.php. This function checks the cookie or the session variable for login information. If this information is found the login proceeds otherwise the user is redirected to the login page.

Step 6:

The logout page simply deletes the cookie and the session.

//phpLogout.php

<?php
setcookie(”login”, “”, time()-100);
include (’DbConfig.php’);

RedirectTo(”index.php”);
?>
<!–
To change this template, choose Tools | Templates
and open the template in the editor.
–>
<!DOCTYPE HTML PUBLIC “-//W3C//DTD HTML 4.01 Transitional//EN”>
<html>
<head>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″>
<title></title>
</head>
<body>
</body>
</html>

And there you go, you are done.

Share on Facebook

Although I assume a basic knowledge of what cookies and sessions are, we start with a quick review.

“HTTP cookies, more commonly referred to as Web cookies, tracking cookies or just cookies, are parcels of text sent by a server to a Web clientbrowser) and then sent back unchanged by client each time it accesses that server. HTTP cookies are used for authenticating, session tracking (state maintenance), and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts. The term “cookie” is derived from “magic cookie,” a well-known concept in UNIX computing which inspired both the idea and the name of HTTP cookies. Some alternatives to cookies exist, but each has its own uses, advantages, and drawbacks.” (usually a

– Wikipedia (http://en.wikipedia.org/wiki/HTTP_cookie)

“In computer science, in particular networking, a session is a semi-permanent interactive information exchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user (see Login session). A session is set up or established at a certain point in time, and torn down at a later point in time. An established communication session may involve more than one message in each direction. A session is typically, but not always, stateful, meaning that at least one of the communicating parts needs to save information about the session history in order to be able to communicate, as opposed to stateless communication, where the communication consists of independent requests with responses.

…

HTTP sessions, which may allow dynamic web pages, i.e. interactive web pages, as opposed to static web pages.”

–Wikipedia (http://en.wikipedia.org/wiki/Session_(computer_science))

“Server side web sessions

Server-side sessions are handy and efficient, but can become difficult to handle in conjunction with load-balancing/high-availability systems and are not usable at all in embedded systems with no storage. The load-balancing problem can be solved by using shared storage or by applying forced peering between each client and a single server in the cluster, although this can compromise system efficiency and load distribution.

A method of using server-side sessions in systems without mass-storage is to reserve a portion of RAM for storage of session data. This method is applicable for servers with a limited number of clients (e.g. router or access point with infrequent or disallowed access to more than one client at a time).

In the two scenarios above, using client-side sessions could provide advantages over server-side sessions: in the first case by removing the limitations applied to load-balancing algorithms (which usually translates to load distribution optimisation), and in the second case by allowing the use of sessions in web applications when server disk space or RAM is not available or sufficient for this storage.”

–Wikipedia (http://en.wikipedia.org/wiki/Session_(computer_science))

Now that we have enough insight into what server side and user side security and session maintenance means, we can get down to the business of comparing the two. As it is evident up to here that the server side security (web sessions) are far more secure. There is no information that can be changed by the user, unless of course your server is hacked but then “…you have a bigger fish to fry…”, log in sessions would be the leasat of your worries. The drawback however is that the server must maintain all the information of the sessions, that too in the RAM. This can be a considerable over head for the server, not to mention can degrade performance to a great extent and may even cause the server to run out of memory. On the other hand if the session variables are to be maintained jointly on the user system and the server, this over head is avoided. The problem however is that ’smart’ users can control what cookies they send, thereby compromising security. Forging cookies is the most common way the user accounts are hacked. I sill remember the enormous number of articles on the internet regarding hacking hotmail account using cookies till hotmail solved the problem*.

Cookie based security is the most widely used these days and seems to be the clear ‘practical’ winner in the face off. However, it clearly is less secure. So I put up these questions as some food for thought.

Since the main problem with server side security is that of memory use over head. What if web languages like PHP, C# etc provide a way to store the session information on permanent storage and implement a simple ‘cache’ like system to keep only the recently used information in the RAM (Though I would suggest that the recently used information be dicarded to permanent storage if needed). This would make the server a little slower but would surely be far more secure.

PS: * How did hotmail solve the problem?

Share on Facebook