Hi,

I have the following scenario

Page A.asp call page B.asp
Page B.asp need to load page C.asp make some changes and return
the result to IE

when A.asp is first running IIS create a session object
and B.asp need to pass the session cookie(?) to C.asp

How exactly ASP page maintains sessions?
How can pass the session from A to C using B

Note that b is in a different domain.

thanks

[ Post a follow-up to this message ]

Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

> when A.asp is first running IIS create a session object
> and B.asp need to pass the session cookie(?) to C.asp
>
> How exactly ASP page maintains sessions?
> How can pass the session from A to C using B
>
> Note that b is in a different domain.
>

The session cookie is domain specific.

ASP-sessions are not "passed" from one page to the other.

If no session cookie is found a new session is placed.

If such cookie placing is deactivated [clientside = browser],
every page is a new session.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

[ Post a follow-up to this message ]

I know that,that is way I asked the question!!!
i assume the session ID(explorer unique id?) is passed in the HTTP request
so I wonder if I can some how extract it using ISAPI or other.
and thant pass it to the other page.

thanks

"Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
news:Xns9546716A5AFE4eejj99@194.109.133.29...
> Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
> 
>
> The session cookie is domain specific.
>
> ASP-sessions are not "passed" from one page to the other.
>
> If no session cookie is found a new session is placed.
>
> If such cookie placing is deactivated [clientside = browser],
> every page is a new session.
>
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)

[ Post a follow-up to this message ]

Ha....what you ment to say that ASP create a special cookie which represent
the session
sent it to the client
and that cookie is sent to the server each request?
(and of course cookie is domain specific)

what if I get this cookie in page A and send it in the URL as a parameter to
page B?

thanks.


"Julia" <codewizard@012.net.il> wrote in message
news:%23euIerqgEHA.3476@tk2msftngp13.phx.gbl...
> I know that,that is way I asked the question!!!
> i assume the session ID(explorer unique id?) is passed in the HTTP request
> so I wonder if I can some how extract it using ISAPI or other.
> and thant pass it to the other page.
>
> thanks
>
> "Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
> news:Xns9546716A5AFE4eejj99@194.109.133.29... 
>
>

[ Post a follow-up to this message ]

Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
> "Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
> news:Xns9546716A5AFE4eejj99@194.109.133.29... 

[please do not toppost on usenet]
[vbcol=seagreen]
> I know that,that is way I asked the question!!!

That is nice, but it would be helpful if you stated what you already know
IN the OQ. That way the risk of being ploncked or ignored is less.

> i assume the session ID(explorer unique id?)

No, not 'explorer unique'. It is a serverside generated ID, so unique to
the server only. It has nothing to do with the browser, but for the
browser filing and returning the ID.

> ... is passed in the HTTP
> request so I wonder if I can some how extract it using ISAPI or other.
> and thant pass it to the other page.

That would be a breach of security. Inter domain sessions are just not
the ASP way.

==========

Why not build it yourself using a serverside database and querystrings
with your own "session ID"?

This has been discused many times on this NG. Read the archives.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

[ Post a follow-up to this message ]

Thanks,
couple  more question please

1.When B call C,than the server which host C generate a session ID for B as
well?

2.suppose in C.asp i am returning the SessionID to B and save it in a data
base
than when B call C again,can i transform the saved Id to the session
Cookie?
(put it into the HTTP hedaers?)

3." [please do not toppost on usenet]"- I don't understand.


"Why not build it yourself using a server database and querystrings
with your own "session ID"?"

A and C belongs to other organization,we are trying to plug additional
capabilities to their site
with as less as possible changes.




"Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
news:Xns95467ADE55F9Feejj99@194.109.133.29...
> Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general: 
>
> [please do not toppost on usenet]
> 
>
> That is nice, but it would be helpful if you stated what you already know
> IN the OQ. That way the risk of being ploncked or ignored is less.
> 
>
> No, not 'explorer unique'. It is a serverside generated ID, so unique to
> the server only. It has nothing to do with the browser, but for the
> browser filing and returning the ID.
> 
>
> That would be a breach of security. Inter domain sessions are just not
> the ASP way.
>
> ==========
>
> Why not build it yourself using a serverside database and querystrings
> with your own "session ID"?
>
> This has been discused many times on this NG. Read the archives.
>
> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)

[ Post a follow-up to this message ]

Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

> Ha....what you ment to say that ASP create a special cookie which
> represent the session
> sent it to the client
> and that cookie is sent to the server each request?
> (and of course cookie is domain specific)
>
> what if I get this cookie in page A and send it in the URL as a
> parameter to page B?

No, it has to go in the header of page b and be recognized by the asp
engine as a not timed out session.id given out by the page b asp engine.


Why not try it out by starting all three the pages with:


<%
if session("isStarted")<>"Yes!" then
response.write "New session started with this page"
session("isStarted")="Yes!"
else
response.write "Old session recognized, hurray!"
end if
%>


--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

[ Post a follow-up to this message ]

Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
> 1.When B call C,than the server which host C generate a session ID for
> B as well?

[See my example code in the other posting]

Each session only has one session.id.

> 2.suppose in C.asp i am returning the SessionID to B and save
> it in a data base than when B call C again,can i transform
> the saved Id to the session Cookie? (put it into the HTTP hedaers?)

Do not try to do what is expressly excluded. You cannot access the
session cookie with clientside code. You cannot force an asp-server to
use a different session.id.

> 3." [please do not toppost on usenet]"- I don't understand.

Read up on topposting via google.
Topposting is fowned upon by many, including me.

<http://www.google.com/search?q=top.posting> 24.200 hits
 
> A and C belongs to other organization,we are trying to plug
> additional capabilities to their site with as less as possible changes.

So you only page B is under your control?
A and C are the same domain?
Are they asp?

Then their (A and C's) security should prevent you from meddling.
The only way to do what you want, IMHO, is data mining their pages and
reconstructing them as your own. Offering that to the web could be a
copyright infringement.

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

[ Post a follow-up to this message ]

"Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
news:Xns954687C9A6297eejj99@194.109.133.29...
> Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general: 
>
> [See my example code in the other posting]
>
> Each session only has one session.id.
> 
>
> Do not try to do what is expressly excluded. You cannot access the
> session cookie with clientside code. You cannot force an asp-server to
> use a different session.id.

Yes you can, why exactly not? Read up on DOM and how to use it in
JavaScript. If you do this successfully it's called session hi-jacking, and
is one of the simplest security attacks.
 
>
> Read up on topposting via google.
> Topposting is fowned upon by many, including me.
>
> <http://www.google.com/search?q=top.posting> 24.200 hits

Many, but most people do not give a damn. And mostly Europeans will educate
you on how badly you behave (do not top post, use the metric system, it's
just annoying).
 
>
> So you only page B is under your control?
> A and C are the same domain?
> Are they asp?
>
> Then their (A and C's) security should prevent you from meddling.
> The only way to do what you want, IMHO, is data mining their pages and
> reconstructing them as your own. Offering that to the web could be a
> copyright infringement.

Could but probably won't. The real problem is that each server envirenment
has its own cookies, so even if you force your server to use the same
session ID as the one you're trying to interact with you will fail, because
the other server will not know a session by that id (and vice versa).

> --
> Evertjan.
> The Netherlands.
> (Please change the x'es to dots in my emailaddress)

Jerry

[ Post a follow-up to this message ]

Jerry Pisk wrote on 15 aug 2004 in
microsoft.public.inetserver.asp.general: 
>
> Many, but most people do not give a damn. And mostly Europeans will
> educate you on how badly you behave (do not top post, use the metric
> system, it's just annoying).

I politely asked in this thread not to toppost, Jerry.
I did not say that was bad behavour, I just frown upon it.

However if you think that topposting is bad behavour on usenet, and that
you do not give a damn [and even without any shown proof suggest that mo
st
people think like you], I can sympatize that would be very annoying to you.

Do you feel the Europeans are your moral watchdogs?
And also an inferiority feeling about inches, ounces and miles?

--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)

[ Post a follow-up to this message ]