better to do db calls or store as session


minority
07-26-2005, 09:38 AM
OK, I have my security script, and things like their name, username and security level are stored as session variables. Would it be better for me to store whether they are allowed to edit certain things etc. as session variables, or make DB calls on the page to see if they have permission for that button to be placed?

I already have 5 session variables saved for each user, and if I store more it will increase to 8. Is it better to use them than database calls?

yearbass
07-27-2005, 03:46 AM
Yup, it's better to store as session, no matter how many sessions you have created (I thought).

But if you want to consider what I usually do: I use both for my security.

These are my habits:

Usually I make a file check_session.asp (or anything you like) that checks the username and password in the DB.
Then I always include this file in every page that needs to be protected.

I store the username and password (or security level if you want) in session variables, say Session("usr") and Session("pass").
My check_session.asp is shown below:

<%
' check_session.asp: included at the top of every protected page.
' Assumes an open ADODB.Connection object named cnDb, as in the original.
Dim oCmd, oRs
Set oCmd = Server.CreateObject("ADODB.Command")
Set oCmd.ActiveConnection = cnDb
oCmd.CommandType = 1 ' adCmdText
' Parameterised query: the session values are never concatenated into the
' SQL text, so a crafted username or password cannot change the statement.
oCmd.CommandText = "select 1 from login where [username]=? and [password]=?"
oCmd.Parameters.Append oCmd.CreateParameter("usr", 200, 1, 255, CStr(Session("usr")))   ' 200 = adVarChar, 1 = adParamInput
oCmd.Parameters.Append oCmd.CreateParameter("pass", 200, 1, 255, CStr(Session("pass")))
Set oRs = oCmd.Execute
If oRs.EOF Then
    ' No matching row: the session is not backed by a real account.
    Response.Redirect "login.asp"
    Response.End
End If
oRs.Close
%>

Think about the advantages:

If you only use session variables, the thing you usually do is check whether the session is empty,
like:
<%
If Session("usr") = "" Or Session("pass") = "" Then
Response.Redirect "login.asp"
End If
%>
Have you ever thought:
If I know that the protected file on your site is update_user.asp, I might create a file to set a session manually, called "mysession.asp".
The session variable storing the username or password is usually username, usr, usr_name, user_name or anything that (say) a hacker can figure out easily.

mysession.asp file might be:
<%
Session ("usr") = "filled"
Session ("pass") = "filled too"
%>
After that, I might type in the address bar the file I knew, in the same browser in which I ran my "mysession.asp", so that I can access the page.

If you use DB calls, you should create a login form on every page which is protected. It's not user friendly (I thought).

------------------------------------------------------------
Sorry, my English is bad; I hope you understand (I'm from Indonesia).

Regards

minority
07-27-2005, 06:35 AM
lol great minds think alike, I have this already lol, created all by myself lol.

It was just me considering whether a DB load or a session load was worse.

I designed mine to have multi-user access, and then each user has multiple different access levels to different things.

<!--#include file="Admin/testsecurity2.asp"-->
<% levelcheck(1)%>

That is all that I add to the top of my page, and I change the value of levelcheck depending on how high the access level is.

It's a Non-Conformance reporting system that will allow anyone to create an NCR if they are in the DB, but only a select few can edit it, investigate it or do the QA on it. Working out well so far lol.

Also, since it's all internal, my security script uses the XP username, as the boss wanted a non-login system that was also secure enough, so this was ideal. (Although I had all manner of trouble with people VPNing into the server: one person works, the other 3 we tried don't lol.)

zingmatter
07-27-2005, 12:22 PM
I would suggest you don't save the actual username and password as session variables. I would recommend logging in and, if successful, then creating a sessionID code (using date + random number, say) of a set number of characters (say 30 characters). Then you can just check:

if len(session("sessionID")) <> 30 then
response.redirect("login.asp")
end if

There's a potential security issue with session variables floating around that are actual logon details.

lmf232s
07-27-2005, 04:33 PM
Not sure if this is for the intranet or the internet, but in order for a user's session variables to work the user has to allow cookies.

It's not that big of an issue, but I did have a problem with a web site once where I stored information in a session variable and there were a few users who did not allow cookies, thus the session variables could not be set.

That being the case, you could always check to make sure that the user accepts cookies.

buntine
07-28-2005, 12:38 AM
It's best to simply reference the user with a unique identifier. Zingmatter's suggestion could be appropriate, though I would generally stick with the primary key from your table for brevity.

Regards.

minority
07-28-2005, 03:19 AM
This is just intranet based.

There is no password floating around, as it is simply done through checking their username; as the server is never connected to the internet, this is not a big deal. I totally understand the security issues if it were on the net.

What's a better way of storing information about the user for checking on pages? Currently I store the username, but I'm not sure why; it's going to be removed. I simply have a figure 1-x that determines whether they can have access to that page or not, or to that button. Is this acceptable? It is not passing any useful information about the user that can be used to access the system. The only thing I can think of is the security number for each page??
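The replies in this thread converge on three points: re-check the database on every request rather than trusting what the session says (yearbass), keep no credentials in the session at all (zingmatter), and key the session on a unique identifier such as the user's primary key (buntine). The last post then asks whether a bare level number in the session is acceptable. The example below is added here to show those points combined; it is not code from any of the posters. It is written in Python with an in-memory SQLite database so that it runs stand-alone, but the structure maps directly onto a classic ASP include: the session holds only an opaque random token, the token is resolved to a user row on every request, and the permission level is read from the `login` table at that moment rather than copied into the session. The table names `login` and `sessions`, the column names, the 20-minute inactivity timeout and the `levelcheck` name (borrowed from minority's include) are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
import time

# Constructed in-memory database standing in for the thread's "login" table,
# plus a server-side "sessions" table keyed by an opaque random token.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE login (
    id       INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    pw_salt  BLOB NOT NULL,
    pw_hash  BLOB NOT NULL,
    level    INTEGER NOT NULL
);
CREATE TABLE sessions (
    token   TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL REFERENCES login(id),
    expires REAL NOT NULL
);
""")

SESSION_TTL = 20 * 60  # assumed: seconds of inactivity before a session dies


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(username: str, password: str, level: int) -> int:
    salt = os.urandom(16)
    cur = db.execute(
        "INSERT INTO login (username, pw_salt, pw_hash, level) VALUES (?, ?, ?, ?)",
        (username, salt, hash_password(password, salt), level),
    )
    db.commit()
    return cur.lastrowid


def login(username: str, password: str):
    """Verify credentials; on success return an opaque session token.

    The token is 32 random bytes, so unlike Session("usr") it cannot be
    guessed, and the password is never stored anywhere after this call.
    """
    row = db.execute(
        "SELECT id, pw_salt, pw_hash FROM login WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    user_id, salt, stored = row
    if not hmac.compare_digest(stored, hash_password(password, salt)):
        return None
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
               (token, user_id, time.time() + SESSION_TTL))
    db.commit()
    return token


def current_user(token):
    """Resolve a token to (user_id, username, level), or None if invalid.

    The level is read from the login table on every request, so changing a
    user's level in the DB takes effect immediately without touching sessions.
    """
    if not token:
        return None
    row = db.execute(
        "SELECT l.id, l.username, l.level, s.expires FROM sessions s "
        "JOIN login l ON l.id = s.user_id WHERE s.token = ?", (token,)
    ).fetchone()
    if row is None:
        return None
    user_id, username, level, expires = row
    if expires < time.time():
        logout(token)  # expired: remove the row rather than leaving it around
        return None
    return user_id, username, level


def levelcheck(token, required: int) -> bool:
    """Per-page check, like minority's levelcheck(n) include: True only if the
    session is valid and the user's level is at least `required`."""
    user = current_user(token)
    return user is not None and user[2] >= required


def logout(token):
    db.execute("DELETE FROM sessions WHERE token = ?", (token,))
    db.commit()


if __name__ == "__main__":
    create_user("alice", "correct horse", 3)
    t = login("alice", "correct horse")
    print(levelcheck(t, 3), levelcheck(t, 4))  # True False
```

A page would keep only the token in its session (or cookie) and call `levelcheck(token, n)` at the top, which is one indexed lookup per request; that is the "DB call" cost the original question worried about, and it buys the ability to revoke a session or change a level without waiting for the session to expire. In classic ASP the Session object is already held server-side and keyed by the ASPSESSIONID cookie, which is why lmf232s's cookie caveat applies; what the pattern above adds on top of that is never storing the password, and reading the permission level from the table at check time instead of trusting a number copied into the session at login.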