HTA Login Script
As far as I'm aware, HTA files will not run ASP code before they are sent to the client machine, so no ASP scripts will work. So far I have been using Ajax to run ASP code and just return the results.
I'm making a page that needs the user to be logged in, but it seems that the session is being destroyed when the HTTP response is returned, which means the user is no longer logged in.
Can anyone suggest to me a login system for an HTA page?
I wonder if you could fool the system?
Use web.config to specify that xxx.hta is actually processed via the page xxx.asp??
From the browser's point of view, it would still be seen as ".hta".
I've never mucked with HTA so can't help you with that, per se.
Then I will use the HTA file to use Ajax and request the ASP page, which in turn will run the ASP server code before it is returned to the HTA.
Another way to do it, if you want a bit more security: Use a cookie *only* to hold an encrypted sessionid (string or number, whatever, but encrypted). This is, of course, how ASP does it already: Only the sessionid is encrypted and stored in a cookie.
Then you manage your own "session variables" in one of two ways:
(1) Use a database. Use the un-encrypted sessionid as the record identifier of the table that holds the session variables. Your table design could be as simple as
CREATE TABLE sessions (
So to store a session "variable" you would do
INSERT INTO sessions VALUES( 3371, 'username', 'bob' );
INSERT INTO sessions VALUES( 3371, 'password', 'zamboni' );
where 3371 is the unencrypted session id.
(2) The same thing, but you use application variables to hold the session info. You could keep each user's session info in a 2D array and then store the entire array in a single application variable. Thus:
sessioninfo(0,0) = "name" : sessioninfo(0,1) = "bob"
sessioninfo(1,0) = "password" : sessioninfo(1,1) = "zamboni"
application("3371") = sessioninfo
Since each user's application key (their sessionid) would be different, you wouldn't even need to worry about locking.
The "trick" with either of the above is that you need a way to expire a session so you can expunge the data from the DB or Application contents.
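An added example, not code from the thread: a sketch of the database-backed session table with the expiry step the last post calls for. Python and SQLite stand in for ASP and its database; the cookie value is a random id plus an HMAC signature rather than an encrypted number, and the `last_seen` column, the function names and the 20-minute idle timeout are assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

SECRET = secrets.token_bytes(32)  # server-side signing key; never shipped inside the HTA
IDLE_TIMEOUT = 20 * 60            # assumed idle limit, in seconds

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE sessions (sessionid TEXT, name TEXT, value TEXT, "
           "last_seen REAL, PRIMARY KEY (sessionid, name))")

def _sign(sid):
    return hmac.new(SECRET, sid.encode(), hashlib.sha256).hexdigest()

def create_session(username, now=None):
    """Store the session row server-side and return the cookie value."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(16)  # unguessable id instead of a small number
    db.execute("INSERT INTO sessions VALUES (?, 'username', ?, ?)",
               (sid, username, now))
    return sid + "." + _sign(sid)

def load_session(cookie, now=None):
    """Return the session variables, or None if forged, unknown or idle too long."""
    now = time.time() if now is None else now
    sid, _, mac = cookie.partition(".")
    # Constant-time comparison of the presented signature with the expected one.
    if not hmac.compare_digest(mac.encode(), _sign(sid).encode()):
        return None
    rows = db.execute(
        "SELECT name, value FROM sessions WHERE sessionid = ? AND last_seen >= ?",
        (sid, now - IDLE_TIMEOUT)).fetchall()
    if not rows:
        return None
    # Sliding expiry: every valid request refreshes the idle timer.
    db.execute("UPDATE sessions SET last_seen = ? WHERE sessionid = ?", (now, sid))
    return dict(rows)

def purge_expired(now=None):
    """Expunge rows of timed-out sessions; returns the number of rows deleted."""
    now = time.time() if now is None else now
    cur = db.execute("DELETE FROM sessions WHERE last_seen < ?",
                     (now - IDLE_TIMEOUT,))
    return cur.rowcount
```

Each Ajax request from the HTA would send the cookie value back and the server would call `load_session` before doing any work; `purge_expired` can run on a schedule or opportunistically on each request.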