We have a website in classic asp that we are slowly migrating to ASP.NET as necessary.
The problem of course is how classic asp and ASP.NET handle Sessions. After spending the last few hours researching the web, I found many articles, but not one that stood out over the others.
Is there a best practice for transferring session variables from and to classic asp and asp.net? Security is a must and any explanation with examples is much appreciated.
A simple bridge to pass a single session variable from classic asp to .net serverside (hiding your sessionvalue from the client), would be this:
On the ASP end: An asp page to output your session, call it e.g. asp2netbridge.asp
<%
'Make sure it can be only called from local server '
if (request.servervariables("LOCAL_ADDR") = request.servervariables("REMOTE_ADDR")) then
if (Request.QueryString("sessVar") <> "") then
response.write Session(Request.QueryString("sessVar"))
end if
end if
%>
On the .net end, a remote call to that asp page. :
private static string GetAspSession(string sessionValue)
{
HttpWebRequest _myRequest = (HttpWebRequest)WebRequest.Create(new Uri("http://yourdomain.com/asp2netbridge.asp?sessVar=" + sessionValue));
_myRequest.ContentType = "text/html";
_myRequest.Credentials = CredentialCache.DefaultCredentials;
if (_myRequest.CookieContainer == null)
_myRequest.CookieContainer = new CookieContainer();
foreach (string cookieKey in HttpContext.Current.Request.Cookies.Keys)
{
' it is absolutely necessary to pass the ASPSESSIONID cookie or you will start a new session ! '
if (cookieKey.StartsWith("ASPSESSIONID")) {
HttpCookie cookie = HttpContext.Current.Request.Cookies[cookieKey.ToString()];
_myRequest.CookieContainer.Add(new Cookie(cookie.Name, cookie.Value, cookie.Path, string.IsNullOrEmpty(cookie.Domain)
? HttpContext.Current.Request.Url.Host
: cookie.Domain));
}
}
try
{
HttpWebResponse _myWebResponse = (HttpWebResponse)_myRequest.GetResponse();
StreamReader sr = new StreamReader(_myWebResponse.GetResponseStream());
return sr.ReadToEnd();
}
catch (WebException we)
{
return we.Message;
}
}
I've used an ajax bridge (for want of a better term), specifically, a classic asp page that reads all session vars into a database with a guid, it then redirects to a .net page passing the guid in the querystring, the asp.net page reads from sql for the given guid and created those vars as sessions.
Eg, in classic asp (pseudocode code - just to give you an idea, use parameterised queries in yours etc):
'#### Create GUID
Dim GUID 'as string
GUID = CreateWindowsGUID() '#### Lots of methods on http://support.microsoft.com/kb/320375
'#### Save session to sql
For Each SessionVar In Session.Contents
db.execute("INSERT INTO SessionBridge (GUID, Key, Value) VALUES ('" & GUID & "', '" & SessionVar & "', '" & session(SessionVar) & "')")
Next
Then, in a .net page:
'#### Fetch GUID
Dim GUID as string = Request.QueryString("GUID")
session.clear
'#### Fetch from SQL
db.execute(RS, "SELECT * FROM SessionBridge WHERE GUID = '" & GUID & "'")
For Each db_row as datarow in RS.rows
Session(db_row("Key")) = db_row("Value")
Next
As i say, this is very rough pseudocode, but you can call the asp with a simple background ajax function, then call the .net page for the given GUID.
This has the advantage of not exposing all your vars and values to the client (as post methods do etc).
They use different sessions, so you'll need to devise some way of transferring the vars yourself. You could include them in cookies, or send them via HTTP POST (i.e. a form with hidden fields) to the asp.net side.
Alternatively, you could scrap using session storage and stick everything in a database for each user/session, then just pass a session key from classic ASP to ASP.NET via one of the above suggestions. I know this sounds like you're reinventing the wheel, but this might be one of those cases where you just can't get around it.
I have a website that does that exact action. The secret is to use an intermediate page with the asp function response.redirect
<%
client_id = session("client_id")
response.redirect "aspx_page.aspx?client_id=" & client_id
%>
This is an example to pull the classic asp session variable client_id and pass it to an aspx page. Your aspx page will need to process it from there.
This needs to be at the top of a classic asp page, with no HTML of any type above. IIS will process this on the server and redirect to the aspx page with the attached query string, without sending the data to the client machine. It's very fast.
In case anyone else stumbles here looking for some help, another possible option is to use cookies. The benefit of a cookie is that you can store reasonable amounts of data and then persist that data to your .Net application (or another web application). There are security risks with exposing a cookie since that data can be easily manipulated or faked. I would not send sensitive data in a cookie. Here the cookie is only storing a unique identifier that can be used to retrieve data from a table.
The approach:
Grab the session data you need from your classic asp page. Store
this data in a table along with a unique hash and a timestamp.
Store the value of the hash in a short-lived cookie.
Redirect to whatever page you need to go and read the hash in the cookie.
Check that the hash in the cookie hasn't expired in the database. If it is valid, send back the data you need to your page and then expire the hash so it can't be reused.
I used a SHA 256 hash that was a combination of the user's unique identifier, session ID, and current timestamp. The hash is valid for only a few minutes and is expired upon reading. The idea is to limit the window for an attacker who would need to guess a valid hash before it expired.
Related
I have a simple question. I have two different projects like
http://login.mydomain.com
and
http://test.mydomain.com
. As it's name suggests, I login from login project and response redirect to test project.
I am able to create cookie for login.mydomain.com but I can not read it from test.mydoamin.com.
My question is can I create cookie from login.mydomain.com to www.mydomain.com and read it from test.mydomain.com as if I am reading it from www.mydomain.com.
This is how I create my cookies.
Response.Cookies["UserValidForMyDomain"].Value = myvalue;
Response.Cookies["UserValidForMyDomain"].Expires = dtExpireDate;
and how I read them.
string myValue = Request.Cookies["UserValidForMyDomain"].Value;
No, but you can create a wildcard cookie for the domain of .mydomain.com which will allow any subdomain to read/write it.
TO WRITE
HttpCookie hc = new HttpCookie("key", "value");
hc.Domain = ".mydomain.com";
hc.Expires = DateTime.Now.AddMonths(3);
HttpContext.Current.Response.Cookies.Add(hc);
TO READ
HttpContext.Current.Request.Cookies["key"].Value
In php this will do session_set_cookie_params
In asp and equivalent, these stackoverflow thread might be usefull
How to share session among Multiple Domains on single asp.net website?
How can you keep a session across multiple subdomains in c# mvc?
I am trying to send form data from one page to another using C# ASP.Net. I have two pages default.aspx and default2.aspx.Here is the code I have in default.aspx:
<asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
<br />
<asp:TextBox ID="TextBox2" runat="server"></asp:TextBox>
<br />
<asp:Button ID="Button1" runat="server" Text="Go"
PostBackUrl="~/Default2.aspx" />
<br />
From what I know so far the PostBackUrl is used to set the page in which you want the data to be sent is this correct?
Also how can I retrieve the data that is sent to Default2.aspx?
You have a few options, consider
Session state
Query string
Session state
If you are going to send data between pages, you could consider the use of Session State.
ASP.NET session state enables you to store and retrieve values for a
user as the user navigates ASP.NET pages in a Web application. HTTP is
a stateless protocol. This means that a Web server treats each HTTP
request for a page as an independent request. The server retains no
knowledge of variable values that were used during previous requests.
ASP.NET session state identifies requests from the same browser during
a limited time window as a session, and provides a way to persist
variable values for the duration of that session. By default, ASP.NET
session state is enabled for all ASP.NET applications.
Best of all, it is easy!
Put data in (for example on default1.aspx)
Session["FirstName"] = FirstNameTextBox.Text;
Session["LastName"] = LastNameTextBox.Text;
Get it out (for example on default2.aspx)
string firstname = Session["FirstName"] // value of FirstNameTextBox.Text;
string lastname = Session["LastName"] // value of LastNameTextBox.Text;
Query string
If you are sending small amounts of data (eg id=4), it may be more practical to use query string variables.
You should explore the use of the query string variables, e.g.
http://www.domain.com?param1=data1¶m2=data2
You can then get the data out like
string param1 = Request.QueryString["param1"]; // value will be data1
string param2 = Request.QueryString["param2"]; // value will be data2
You can use something like How do you test your Request.QueryString[] variables? to get the data out.
If you are unfamiliar with querystring variables check out their wikipedia article
Session variables can be useful in this context.
Foe example suppose your textboxes contain login credentials, then save them in sessions so that you can later use them in any other page. Like this:
In Button_Click-
Session["name"]=TextBox1.Text;
Session["pwd"]= TextBox2.Text;
Instead of PostBackUrl="~/Default2.aspx" you can write the following-
//in button click
Server.Transfer("~/Default2.aspx");
In Default2.aspx page load:
string a= Session["name"].ToString();
string b= Session["pwd"].ToString();
Try this in the Page_Load of Default2.aspx.
if (PreviousPage != null)
{
if (((TextBox)PreviousPage.FindControl("TextBox1")) != null)
{
string txtBox1 = ((TextBox)PreviousPage.FindControl("TextBox1")).Text;
Response.Write(txtBox1);
}
}
And yes you are correct, the data from page 1 will be sent to page 2 if you use the PostBackUrl attribute.
MSDN link
While all the answers here will work some aren't the most efficient. Why would a simple/standard http POST have to invoke (expensive) server-side Sessions?
Your code isn't doing anything special - it is simply POSTing a form to another page. All you need to do to obtain the POSTed data is go through the Request.Form collection.
Prior to the availability to set the PostBackUrl (if memory serves version 1 of asp.net), Server.Transfer and getting references to the previous page was how cross-page POSTing was done/documented. However, with PostBackUrl, things go back to basics, the way it should be - a standard http POST from one resource to another.
Here's a similar SO thread that maybe helpful.
another way is to save the data on a database and fetch it back on the other page:
//update
string query = "UPDATE table SET col = 'a'";
SqlCommand command = new SqlCommand(query, connection);
command.ExecuteScalar();
//select
string query = "SELECT col FROM table";
SqlCommand command = new SqlCommand(query, connection);
string value = command.ExecuteScalar();
I have a web form of Asp.Net, in which I want JavaScript to count how many time i have refreshed the page.
If you want to do it on clientside just save (and retrieve) the information on localstorage every time load event occurs
Do you want to count this per user ? Or for whole application ?
If you are doing for whole application you can use application variable in Global.asax on each page request . But that might get lost if your application recycles .
If you want to do for each user You can use server side sessions or cookies on clientside .
You can set the value in a cookie using js or asp, or in a session value (for a single user) or in application value (for all the users), is not necessary javascript.
You have to put this code server side on page load.
For all users:
Application["refresh_count"] =
Convert.ToInt64(HttpContext.Current.Application["refresh_count"]) + 1;
For a single user with session:
Session["refresh_count"] = Convert.ToInt64(Session["refresh_count"]) + 1;
OR
Response.Cookies["UserSettings"]["refresh_count"] = Convert.ToInt64(Response.Cookies["UserSettings"]["refresh_count"]) + 1;
Response.Cookies["UserSettings"].Expires = DateTime.Now.AddDays(1d);
You can save this in the Session Object.
You can use jQuery calling prepared address.
For example:
$.ajax({
url: ".../countPageRefreshes.aspx",
data: { page: "thisPageAddress" }
})
Then, in countPageRefreshes you can increase number of times, page was refreshed and save it somewhere.
I am using ASP.net 3.5 w/ C# using SQL Server with Session State stored in the SQL Server DB.
I have an issue with losing session state across multiple domains, but using the same browser instance and same code base.
For example, We are directing customers to www.MyStore.com to browse our store and we want to send customers to www.MyStore.ShopPlatform.com to checkout w/ secure SSL validation. The session is being re-created when re-directed to www.MyStore.ShopPlatform.com.
The wildcard SSL is installed at www.ShopPlatform.com.
So, The question is.... How do you associate 1 session state cookie to multiple domains (www.MyStore.com and www.MyStore.ShopPlatform.com) on the same server using .net?
If you use cookies for session, you don't. The browser won't send cookies to domains that don't match, and you can't set a cookie for all domains. Even if you could, the session cookie is just a key to server-side session and that key doesn't mean anything without access to the session store. A third party won't have that.
If www.mystore.com and www.mystore.shopplatform.com happen to both be backed by machines you own, and both machines have access to the same session store, then you might be able to use a Cookieless ASP.NET Session config to make it work.
Generally speaking, you can't use session this way.
Since both domains are different, new sessions will always get created.
I suggest using a shared database approach.
Have a column created in users table that can store a random hash. A datatype of uniqueidentifier should do.
When redirecting user, generate a new GUID and store it for the current user and then append the same to the url being redirected. At the receiving domain, setup an endpoint page that will accept an URL encoded path and query string as ReturnUrl parameter and a tokenId parameter for the guid.
Here is a dummy code that will redirect the user to a public endpoint along with a dummy query string parameter. The code was hosted on domain1.local
Using ctx As New DataContexts.SBWebs
Dim u As DataEntities.User = (From usr In ctx.Users Where usr.User.Equals(Page.User.Identity.Name) Select usr).FirstOrDefault
If u Is Nothing Then Exit Sub
Dim id As Guid = Guid.NewGuid
u.Token = id
ctx.SubmitChanges()
Dim newPath As String = "/protected/?tick=" & Now.Ticks
Response.Redirect(String.Format("http://www.domain2.local/EndPoint.aspx?tokenid={0}&ReturnUrl={1}", id.ToString, HttpUtility.UrlEncode(newPath)))
End Using
And the EndPoint.aspx contains the following code..
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
If Request.QueryString.HasKeys AndAlso Not String.IsNullOrEmpty(Request.QueryString("tokenid")) Then
Using ctx As New DataContexts.SBWebs
Dim usr As DataEntities.User = (From u In ctx.Users Where u.Token.Equals(Request.QueryString("tokenid"))).FirstOrDefault
If usr Is Nothing Then Exit Sub
usr.Token = Nothing
ctx.SubmitChanges()
FormsAuthentication.RedirectFromLoginPage(usr.User, False)
End Using
End If
End Sub
On Security Note: Once the cookie is created, remove the GUID from the table to protect against REPLAY attacks.
EDIT:
Just a word of caution. Don't send user to a ASP.Net protected page (where Deny="?" or something like that is given). Redirect the user to a public end-point that can handle the tokenid and after the setting the cookie, redirect to the intended page.
Ok, i have simple scenario:
have two pages:
login and welcome pages.
im using FormsAuthentication with my own table that has four columns: ID, UserName, Password, FullName
When pressed login im setting my username like:
FormsAuthentication.SetAuthCookie(userName, rememberMe ?? false);
on the welcome page i cant use:
Page.User.Identity.Name
to provide to user which user currently logged, BUT i dont user username like at all examples in http://asp.net web site i want to user FullName field
i think that always go to db and request fullname when page loads its crazy and dont like to user Sessions or Simple Cookie mayby FormsAuth provider has custom fields for this
I would store the user's full name in the session cookie after your call to FormsAuth
FormsAuth.SetAuthCookie(userName, rememberme);
// get the full name (ex "John Doe") from the datbase here during login
string fullName = "John Doe";
Response.Cookies["FullName"].Value = fullName;
Response.Cookies["FullName"].expires = DateTime.Now.AddDays(30);
and then retrieve it in your view pages via:
string fullName = HttpContext.Current.Request.Cookies["FullName"].Value
Forms authentication works using cookies. You could construct your own auth cookie and put the full name in it, but I think I would go with putting it into the session. If you use a cookie of any sort, you'll need to extract the name from it each time. Tying it to the session seems more natural and makes it easy for you to access. I agree that it seems a waste to go back to the DB every time and I would certainly cache the value somewhere.
Info on constructing your own forms authentication cookie can be found here.
Sorry I'm a little late to the party, but here's how you can do this without storing the value anywhere else :)
var authCookieKey = FormsAuthentication.FormsCookieName;
var responseCookies = HttpContext.Current.Response.Cookies;
var requestCookies = HttpContext.Current.Request.Cookies;
var aspxAuthCookieInResponse = responseCookies.AllKeys.Contains(authCookieKey) ? responseCookies[authCookieKey] : null;
var aspxAuthCookieInRequest = requestCookies.AllKeys.Contains(authCookieKey) ? requestCookies[authCookieKey] : null;
// Take ASPXAUTH cookie from either response or request.
var cookie = aspxAuthCookieInResponse ?? aspxAuthCookieInRequest;
var authTicket = FormsAuthentication.Decrypt(cookie.Value); // Todo: Check for nulls.
// Using the name!
var userName = authTicket.Name;
There are no custom fields for forms authentication. You'll just have to use session. That's what it's there for you know. ;) Just don't forget - forms authentication cookie and session are two independant things. They even each have their own timeouts. So the session won't be reset when a user logs out unless you do so yourself.
What about using Profiles to store the extra info with the User?
The simplest option is to use the session. By default session state is stored in memory and will be lost when the ASP.NET worker process recycles, however you can configure it to use state service instead, which retains session info in a separate process:
http://msdn.microsoft.com/en-us/library/ms178586.aspx
Another option would be to use profiles. As it sounds like you already have 'profile' information stored in your own tables, you'd probably have to write a custom provider for it so it's a more complex solution.