How exactly ASP page maintains session?
Hi,
I have the following scenario:
Page A.asp calls page B.asp.
Page B.asp needs to load page C.asp, make some changes and return
the result to IE.
When A.asp first runs, IIS creates a session object,
and B.asp needs to pass the session cookie(?) to C.asp.
How exactly does an ASP page maintain sessions?
How can I pass the session from A to C using B?
Note that B is in a different domain.
Thanks
| |
| Evertjan. 2004-08-15, 7:47 am |
| Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
> when A.asp is first running IIS create a session object
> and B.asp need to pass the session cookie(?) to C.asp
>
> How exactly ASP page maintains sessions?
> How can pass the session from A to C using B
>
> Note that b is in a different domain.
>
The session cookie is domain specific.
ASP-sessions are not "passed" from one page to the other.
If no session cookie is found a new session is placed.
If such cookie placing is deactivated [clientside = browser],
every page is a new session.
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
| |
|
| I know that, that is why I asked the question!!!
I assume the session ID (explorer unique id?) is passed in the HTTP request
so I wonder if I can somehow extract it using ISAPI or other.
and then pass it to the other page.
Thanks
"Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
news:Xns9546716A5AFE4eejj99@194.109.133.29...
> Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
>
>
> The session cookie is domain specific.
>
> ASP-sessions are not "passed" from one page to the other.
>
> If no session cookie is found a new session is placed.
>
> If such cookie placing is deactivated [clientside = browser],
> every page is a new session.
>
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)
| |
|
| Ha... what you meant to say is that ASP creates a special cookie which represents
the session,
sends it to the client,
and that cookie is sent to the server with each request?
(and of course the cookie is domain specific)
What if I get this cookie in page A and send it in the URL as a parameter to
page B?
Thanks.
"Julia" <codewizard@012.net.il> wrote in message
news:%23euIerqgEHA.3476@tk2msftngp13.phx.gbl...
> I know that, that is why I asked the question!!!
> I assume the session ID (explorer unique id?) is passed in the HTTP request
> so I wonder if I can somehow extract it using ISAPI or other.
> and then pass it to the other page.
>
> thanks
>
> "Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
> news:Xns9546716A5AFE4eejj99@194.109.133.29...
>
>
| |
| Evertjan. 2004-08-15, 7:47 am |
| Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
> "Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
> news:Xns9546716A5AFE4eejj99@194.109.133.29...
[please do not toppost on usenet]
> I know that, that is why I asked the question!!!
That is nice, but it would be helpful if you stated what you already know
IN the OQ. That way the risk of being plonked or ignored is less.
> i assume the session ID(explorer unique id?)
No, not 'explorer unique'. It is a serverside generated ID, so unique to
the server only. It has nothing to do with the browser, but for the
browser filing and returning the ID.
> ... is passed in the HTTP
> request so I wonder if I can somehow extract it using ISAPI or other.
> and then pass it to the other page.
That would be a breach of security. Inter domain sessions are just not
the ASP way.
==========
Why not build it yourself using a serverside database and querystrings
with your own "session ID"?
This has been discussed many times on this NG. Read the archives.
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
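One way to build the suggestion above (your own session ID kept in a server-side database and carried in the query string), as an added example that is not code from the thread. It is written in Python rather than ASP; `HandoffStore`, the `handoff` parameter and the host `b.example` are hypothetical, and the in-memory dict stands in for a database both sites can reach.

```python
import hashlib
import secrets
import time


class HandoffStore:
    """Server-side table of one-time tokens (stand-in for the shared database)."""

    def __init__(self, ttl_seconds=60, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._rows = {}  # sha256(token) -> (user_data, expires_at)

    @staticmethod
    def _key(token):
        # Store only a hash, so a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_data):
        """Sending site: call just before redirecting to ...?handoff=<token>."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._key(token)] = (user_data, self.clock() + self.ttl)
        return token

    def redeem(self, token):
        """Receiving site: returns user_data exactly once, otherwise None."""
        row = self._rows.pop(self._key(token), None)  # pop makes it single-use
        if row is None:
            return None
        user_data, expires_at = row
        return user_data if self.clock() <= expires_at else None


def demo():
    now = [1000.0]  # constructed clock so expiry can be shown without sleeping
    store = HandoffStore(ttl_seconds=60, clock=lambda: now[0])
    token = store.issue({"user": "julia"})
    url = "https://b.example/B.asp?handoff=" + token  # what the redirect carries
    first = store.redeem(url.split("handoff=", 1)[1])
    replay = store.redeem(token)            # same token a second time
    stale = store.issue({"user": "julia"})
    now[0] += 61                            # token outlives its 60 s window
    return first, replay, store.redeem(stale), store.redeem("made-up-token")


if __name__ == "__main__":
    print(demo())
```

The token is a separate random value, not the ASP session ID, so a URL that ends up in a log or a Referer header stops being useful after its first redemption or after the TTL.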
| |
|
| Thanks,
A couple more questions, please:
1. When B calls C, then the server which hosts C generates a session ID for B as
well?
2. Suppose in C.asp I am returning the SessionID to B and saving it in a
database;
then when B calls C again, can I transform the saved ID into the session
cookie?
(put it into the HTTP headers?)
3. "[please do not toppost on usenet]" - I don't understand.
"Why not build it yourself using a server database and querystrings
with your own "session ID"?"
A and C belong to another organization; we are trying to plug additional
capabilities into their site
with as few changes as possible.
"Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
news:Xns95467ADE55F9Feejj99@194.109.133.29...
> Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
>
> [please do not toppost on usenet]
>
>
> That is nice, but it would be helpful if you stated what you already know
> IN the OQ. That way the risk of being plonked or ignored is less.
>
>
> No, not 'explorer unique'. It is a serverside generated ID, so unique to
> the server only. It has nothing to do with the browser, but for the
> browser filing and returning the ID.
>
>
> That would be a breach of security. Inter domain sessions are just not
> the ASP way.
>
> ==========
>
> Why not build it yourself using a serverside database and querystrings
> with your own "session ID"?
>
> This has been discussed many times on this NG. Read the archives.
>
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)
| |
| Evertjan. 2004-08-15, 7:47 am |
| Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
> Ha....what you meant to say that ASP create a special cookie which
> represent the session
> sent it to the client
> and that cookie is sent to the server each request?
> (and of course cookie is domain specific)
>
> what if I get this cookie in page A and send it in the URL as a
> parameter to page B?
No, it has to go in the header of page b and be recognized by the asp
engine as a not timed out session.id given out by the page b asp engine.
Why not try it out by starting all three of the pages with:
<%
' Session("isStarted") is empty until this session has run the block once
If Session("isStarted") <> "Yes!" Then
    Response.Write "New session started with this page"
    Session("isStarted") = "Yes!"
Else
    Response.Write "Old session recognized, hurray!"
End If
%>
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
| |
| Evertjan. 2004-08-15, 7:47 am |
| Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
> 1.When B call C,than the server which host C generate a session ID for
> B as well?
[See my example code in the other posting]
Each session only has one session.id.
> 2.suppose in C.asp i am returning the SessionID to B and save
> it in a data base than when B call C again,can i transform
> the saved Id to the session Cookie? (put it into the HTTP headers?)
Do not try to do what is expressly excluded. You cannot access the
session cookie with clientside code. You cannot force an asp-server to
use a different session.id.
> 3." [please do not toppost on usenet]"- I don't understand.
Read up on topposting via google.
Topposting is frowned upon by many, including me.
<http://www.google.com/search?q=top.posting> 24.200 hits
> A and C belongs to other organization,we are trying to plug
> additional capabilities to their site with as less as possible changes.
So only page B is under your control?
A and C are the same domain?
Are they asp?
Then their (A and C's) security should prevent you from meddling.
The only way to do what you want, IMHO, is data mining their pages and
reconstructing them as your own. Offering that to the web could be a
copyright infringement.
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
| |
| Jerry Pisk 2004-08-15, 5:50 pm |
|
"Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
news:Xns954687C9A6297eejj99@194.109.133.29...
> Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
>
> [See my example code in the other posting]
>
> Each session only has one session.id.
>
>
> Do not try to do what is expressly excluded. You cannot access the
> session cookie with clientside code. You cannot force an asp-server to
> use a different session.id.
Yes you can, why exactly not? Read up on DOM and how to use it in
JavaScript. If you do this successfully it's called session hi-jacking, and
is one of the simplest security attacks.
>
> Read up on topposting via google.
> Topposting is frowned upon by many, including me.
>
> <http://www.google.com/search?q=top.posting> 24.200 hits
Many, but most people do not give a damn. And mostly Europeans will educate
you on how badly you behave (do not top post, use the metric system, it's
just annoying).
>
> So you only page B is under your control?
> A and C are the same domain?
> Are they asp?
>
> Then their (A and C's) security should prevent you from meddling.
> The only way to do what you want, IMHO, is data mining their pages and
> reconstructing them as your own. Offering that to the web could be a
> copyright infringement.
Could but probably won't. The real problem is that each server environment
has its own cookies, so even if you force your server to use the same
session ID as the one you're trying to interact with you will fail, because
the other server will not know a session by that id (and vice versa).
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)
Jerry
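The behaviour described in this thread, that the session cookie is scoped to the domain that set it and that a server only recognizes session IDs it issued itself, as an added example that is not code from any poster. It uses Python's standard `http.cookiejar` as the browser; `AspServer`, the hosts and the cookie names are constructed for the illustration.

```python
import email.message
import secrets
import urllib.request
from http.cookiejar import CookieJar

class AspServer:
    """Stand-in for one ASP application; it knows only the IDs it issued."""
    def __init__(self, host, cookie_name):
        self.host, self.cookie_name = host, cookie_name
        self.sessions = {}  # session ID -> session variables

    def handle(self, cookie_header):
        pairs = (p.strip().split("=", 1) for p in cookie_header.split(";") if "=" in p)
        sid = dict(pairs).get(self.cookie_name)
        if sid in self.sessions:
            return "Old session recognized", None
        sid = secrets.token_hex(12)  # constructed ID format
        self.sessions[sid] = {}
        return "New session started", f"{self.cookie_name}={sid}; path=/"

class FakeResponse:
    """Minimal response object exposing what CookieJar.extract_cookies needs."""
    def __init__(self, set_cookie):
        self.headers = email.message.Message()
        if set_cookie:
            self.headers["Set-Cookie"] = set_cookie

    def info(self):
        return self.headers

def visit(jar, server, path):
    req = urllib.request.Request(f"http://{server.host}{path}")
    jar.add_cookie_header(req)  # the jar applies the domain-matching rules
    text, set_cookie = server.handle(req.get_header("Cookie", ""))
    jar.extract_cookies(FakeResponse(set_cookie), req)
    return text

def demo():
    jar = CookieJar()
    a = AspServer("a.example", "ASPSESSIONIDAAAAAAAA")  # constructed names
    b = AspServer("b.example", "ASPSESSIONIDBBBBBBBB")
    seen = [visit(jar, a, "/A.asp"), visit(jar, a, "/C.asp"), visit(jar, b, "/B.asp")]
    a_sid = next(iter(a.sessions))
    # Presenting A's ID to B: B's store has no such session, so it starts a new one.
    seen.append(b.handle(f"{b.cookie_name}={a_sid}")[0])
    return seen
```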
| |
| Evertjan. 2004-08-15, 5:50 pm |
| Jerry Pisk wrote on 15 aug 2004 in
microsoft.public.inetserver.asp.general:
>
> Many, but most people do not give a damn. And mostly Europeans will
> educate you on how badly you behave (do not top post, use the metric
> system, it's just annoying).
I politely asked in this thread not to toppost, Jerry.
I did not say that was bad behaviour, I just frown upon it.
However if you think that topposting is bad behaviour on usenet, and that
you do not give a damn [and even without any shown proof suggest that most
people think like you], I can sympathize that would be very annoying to you.
Do you feel the Europeans are your moral watchdogs?
And also an inferiority feeling about inches, ounces and miles?
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
| |
| Jerry Pisk 2004-08-15, 5:50 pm |
|
"Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
news:Xns9546C4FAA694Deejj99@194.109.133.29...
> Jerry Pisk wrote on 15 aug 2004 in
> microsoft.public.inetserver.asp.general:
>
> I politely asked in this thread not to toppost, Jerry.
> I did not say that was bad behaviour, I just frown upon it.
>
> However if you think that topposting is bad behaviour on usenet, and that
> you do not give a damn [and even without any shown proof suggest that most
> people think like you], I can sympathize that would be very annoying to
> you.
I don't care about how people post. Top posting is a little easier to read
for me but others feel different. However, I don't feel the need to tell
others what to do.
> Do you feel the Europeans are your moral watchdogs?
> And also an inferiority feeling about inches, ounces and miles?
Same thing about units - who cares. They're just units. But every single
European I know ALWAYS mentions how great SI is and that everybody,
including stupid americans should switch. Nobody cares what you (or my smart
XXX European friends think), use whatever you want but let others use what
they want. In your case post how you want but let others do their own thing.
If you don't like it then don't read it. It's as simple as that.
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)
Jerry
| |
|
| That will do! - Amen.
dlbjr
Pleading sagacious indoctrination!
| |
| Bob Lehmann 2004-08-16, 2:50 am |
| So, if he posted in his native language, would that work for you?
What's your deal with Europeans anyway? Were you a badly behaving American
in a European country and not get your way?
Bob Lehmann
"Jerry Pisk" <jerryiii@hotmail.com> wrote in message
news:ufGv4jxgEHA.1276@TK2MSFTNGP09.phx.gbl...
>
> "Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
> news:Xns9546C4FAA694Deejj99@194.109.133.29...
>
> I don't care about how people post. Top posting is a little easier to read
> for me but others feel different. However, I don't feel the need to tell
> others what to do.
>
>
> Same thing about units - who cares. They're just units. But every single
> European I know ALWAYS mentions how great SI is and that everybody,
> including stupid americans should switch. Nobody cares what you (or my smart
> XXX European friends think), use whatever you want but let others use what
> they want. In your case post how you want but let others do their own thing.
> If you don't like it then don't read it. It's as simple as that.
>
>
> Jerry
>
>
| |
| Evertjan. 2004-08-16, 2:50 am |
| Jerry Pisk wrote on 16 aug 2004 in microsoft.public.inetserver.asp.general:
Dear Jerry,
> They're just units. But every single
> European I know ALWAYS mentions how great SI is and that everybody,
> including stupid americans should switch.
You must have an inferiority complex about being an American [american?] or
something?
I thought this NG was about helping each other out on ASP related problems
and ideas.
However pointing to widely, though not universally, accepted netiquette is
a necessity in each NG and so on topic.
However the unit question, started by you, is not part of that [but for the
yyyymmdd format], nor is your personal animosity against Europeans.
Even not mentioning explicitly that you are an "american" when posting
these above lines, which I surmise nonetheless in this context, as I do
that you are probably not a Canadian, is a bit strange. This is not an
English speaking only, as Bob rightly indicates elsewhere, or American NG
where others are just guests that should behave as such.
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
| |
| Egbert Nierop (MVP for IIS) 2004-08-28, 2:48 am |
| "Julia" <codewizard@012.net.il> wrote in message
news:%23lZybZqgEHA.712@TK2MSFTNGP09.phx.gbl...
>
> Hi,
>
> I have the following scenario
>
> Page A.asp call page B.asp
> Page B.asp need to load page C.asp make some changes and return
> the result to IE
>
> when A.asp is first running IIS create a session object
> and B.asp need to pass the session cookie(?) to C.asp
>
> How exactly ASP page maintains sessions?
> How can pass the session from A to C using B
>
> Note that b is in a different domain.
If you want a solution that really works for different domains based on a
reference in the GUID you can have a look at
http://www.nieropwebconsult.nl/nocookieweb
but it requires you not to use cookies.
Another solution would be to use cookies on *both* domains, but on the page
that passes control to the other domain, you would use a
Session.ReEntrance = True 'this is a security sensitive operation
Response.Redirect ("otherdomain.com/mypage?guid="+ Session.SessionID )
'(returns a GUID!)
more info
http://www.nieropwebconsult.nl/asp_session_manager.htm
> thanks
>
>