Application or Session
rpcarnell
02-21-2006, 03:53 PM
I have noticed that some websites ask for a password when you try to write on their forums or guestbooks. After entering the password, you can access anything in the website.
Are these websites caching a variable after you enter the password/login, right? Or are they using an application variable to make sure the user is legit?
None of the above? Maybe the programmers are simply using Request.Form("password") on every guestbook-forum?
chrismartz
02-21-2006, 04:27 PM
Most likely they are creating either a cookie or a session that stores the user credentials and passes the okay to the other pages. After they log out, these cookies or sessions are deleted. Only cookies can pass after the user closes the browser and re-enters. Hopefully this helps!
rpcarnell
02-22-2006, 03:06 PM
The movie database doesn't let you access its forums if you have cookies disabled, so it is likely that they use cookies.
russell_g_1
02-22-2006, 04:23 PM
when a user logs in a value has to be stored in a location related to that session, such as in the session object, a cookie or in the request each time, or even in the application object somehow.
however, while they all work you probably don't want to use most of them. security/being sensible comes in here.
storing it in the application object is silly when the session object is available.
storing it in either the request string or as a cookie is asking for trouble if your site is supposed to be secure (cookies can be edited by the pc user, as can the request).
so the best option is the session object because the variable is stored on the server and the user is not able to get at it directly. and it only exists for that user (the reason it's called the session object).
also, just to note that session does use a cookie as well. although it doesn't store the name/value pairs in it. instead it has a kind of key that the server matches up with the associated name/value pairs in its memory.
wherever you end up storing it, it will be looked at by all pages that require a login. then when the user logs off, either by clicking a "log off" button or the session timing out, the value is removed from where it was stored.
simple. :)
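
The session approach described in the last post, as an added sketch that is not part of any post in the thread and is written in Python rather than ASP: the cookie holds only a random key, the login state stays in server memory, and it is removed on log off or timeout. The function names, the `sid` cookie name, the 20-minute timeout and the cookie-trusting variant at the end are assumptions made for illustration.

```python
import secrets
import time

SESSION_TTL = 20 * 60   # seconds; constructed value for this sketch
_sessions = {}          # session id -> {"user", "expires"}; lives on the server only


def login(user, password, check_password, now=None):
    """Return an opaque session id to set as the cookie, or None if login fails."""
    now = time.time() if now is None else now
    if not check_password(user, password):
        return None
    sid = secrets.token_urlsafe(32)   # unguessable key; carries no name/value pairs
    _sessions[sid] = {"user": user, "expires": now + SESSION_TTL}
    return sid


def current_user(cookies, now=None):
    """Run by every page that requires a login; trusts only the server-side record."""
    now = time.time() if now is None else now
    sid = cookies.get("sid")
    record = _sessions.get(sid) if sid else None
    if record is None:
        return None                   # unknown or forged key
    if now >= record["expires"]:
        _sessions.pop(sid, None)      # session timed out: remove the stored value
        return None
    record["expires"] = now + SESSION_TTL   # sliding timeout on activity
    return record["user"]


def logout(cookies):
    """The "log off" button: drop the server-side record for this key."""
    _sessions.pop(cookies.get("sid"), None)


def current_user_from_cookie(cookies):
    """Weak variant: login state stored in the cookie itself, which the user can edit."""
    return cookies.get("user") if cookies.get("loggedin") == "yes" else None
```
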