Retrieve Cookies in ashx Handler That Were Set in aspx page Fails for IE - asp.net

I set a cookie for users before I redirect them to any company partner pages.
A web beacon is fired by our partners on their respective domains later at some point after the hand-off (for us to track referrals) to a handler which reads that cookie.
The following code works fine in Firefox, but IE8 and up (and possibly other versions) return null every time.
1) my domain -> aspx page sets cookie:

    HttpCookie cookie = new HttpCookie(name);
    cookie.Value = value;
    cookie.Expires = DateTime.Now.AddDays(5);
    Response.Cookies.Add(cookie);
    // now redirect to partner page

2) partner domain -> fire web request through ajax or script tag implementation:

    <script type='text/javascript' src='http://mydomain.com/handler.ashx'></script>

3) my domain -> ashx handler receives request and attempts to read cookie in ProcessRequest:

    if (context.Request.Cookies[name] != null) { // note use of handler context to access cookie
        // get cookie: works with Firefox, FAILS with IE
    }

I even added a p3p header to the handler to avoid the evil eye of IE's cookie-blocking Sauron in the status bar assuming a correlation. That did allow me to use session, but I need the persistence of a cookie for my purpose, so it was no help.
Update: I performed the same test, but using an aspx page rather than ashx to rule out any handler issues. The problem still exists!
One other thing to note is that with both ashx and aspx called from a 3rd party page, IE will still display the aforementioned 'Restricted Websites' eye icon, much the same way it does on this site when viewed in IE. (My privacy settings are set to the default of medium.)

Related

Why does ASP.NET change session when Safari requests file through ASHX handler?

Although Safari 5.1.7 for Windows is no longer supported by Apple, I am working on a web site that is required to be compatible with that browser. When the aspx page is served, I set a Session variable (InProc) in the PageLoad method. In the page, there are several image and video elements whose sources are of the form "/ContentHandler.ashx?k=something&z=somethingelse". The class definition starts with:

    public class ContentHandler : IHttpHandler, IRequiresSessionState

When the request comes in for one of these files to the ProcessRequest method in ContentHandler.ashx, the context.Session is non-null, but the SessionID is completely different from what it was during the page load, and (therefore) the session variable I had set in the aspx PageLoad method is not present.
The mechanism works just fine in IE, Firefox, Chrome, and Opera - the session doesn't change and the session variable I set during page load is present and accounted for. Safari is the only one that is somehow causing a change of session when it requests one of these files through ContentHandler.ashx. Cookies are enabled in Safari, but my application doesn't explicitly use cookies.
Any thoughts on what might be causing this? I can probably work around it by explicitly using a cookie, but wanted to avoid using cookies if I don't have to.
Edit (additional details): The session id is stored automatically in an HttpOnly cookie named ASP.NET_SessionId. It does not appear in the query string. The issue is that, in Safari, that session ID is different when I get to the ashx handler, but in all the other browsers, the session ID is identical to the session ID where I set the session variable in the aspx page load method. The URL of the aspx page itself and the URLs of the individual images and videos are identical across all browsers. All browsers have cookies enabled.
Yet more details: I added a Global.asax file and placed some do-nothing code in the Session_Start method. Session_Start is called at the beginning as expected, but what I'm also seeing is that, after the aspx Page_Load has executed, Session_Start is called again before the request for the first image file shows up in the ashx handler. So, a new session is starting between the aspx Page_Load and the first individual file request to ashx. This second session is initiated only on Safari.
Yet still more details: I ran across a discussion about how Safari "forgets" session variables when it thinks it's dealing with a 3rd party cookie. So, I set the browser to accept all cookies (including 3rd party cookies), and the problem persists...by the time we get to the ashx handler, the session ID has already been changed.
Thanks.

Direct linking to a gov.uk ASP page (possibly user session related)

I am unfamiliar with ASP but I need to link directly to a page on the http://carfueldata.direct.gov.uk/ website which I assume from the .aspx extension is built in it. My problem is that when a user first clicks on the link, the destination page immediately redirects them to the home page, presumably because there is some kind of user session required (?), I do not know. Not a good user experience for my visitors. The second time you follow the link it displays happily. The chances of my users following a link twice is slim.
Is there a standard URL parameter or something that I can append to tell the ASP platform to generate a user session and not redirect?
To see problem for yourself open this link in a new window, then close it, and repeat. First time it will redirect to home page. Second time does not: http://carfueldata.direct.gov.uk/search-new-or-used-cars.aspx?vid=30392
It looks like they are using session for this purpose. As far as I know there isn't any way to override this.
But you can do some work around for this.
Call jQuery ajax function to homepage and redirect on its complete event.
While calling the ajax function the cookie (i.e. session set) will be set on the client's browser, and after the ajax call redirect the user to the page (the page that won't allow users to visit directly).
Click to go

    function LinkClick()
    {
        $.ajax({
            type: "get",
            url: "http://carfueldata.direct.gov.uk",
            dataType: 'jsonp',
            complete: function (msg) {
                // the home page request has set the session cookie; now go to the deep link
                window.location.href = "http://carfueldata.direct.gov.uk/search-new-or-used-cars.aspx?vid=30392";
            }
        });
        return false;
    }

When you initially submit the request to the website, you receive a 302 status (moved (temporarily)) and a redirect to the home page. This is because there is no session ID cookie in your request. The redirect response from the server creates the session ID cookie for you and from then on, the site honours subsequent requests.
I don't know which client library you are using, but it should be possible to intercept the redirect request sent by the server, and replace the redirect URL to the homepage with your original request URL. Since the redirect response contains the session ID cookie, we can assume that the session has been created and your original request should work immediately without the redundant visit to the home page.
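
The exchange this answer describes, as an added example that is not part of the original answers: a constructed model of a server that answers a cookieless deep link with a 302 plus a session cookie, and a client that keeps the cookie and replays the original path instead of following the redirect. The cookie name, session ids and `modelServer` are assumptions for illustration, not the gov.uk site's actual behaviour.

```javascript
// Constructed server model: no valid session cookie -> 302 to "/" + new cookie.
const SESSION_COOKIE = "ASP.NET_SessionId"; // assumed cookie name
const sessions = new Set();
let nextId = 1;

function parseCookies(header) {
  const out = {};
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) out[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return out;
}

function modelServer(request) {
  const id = parseCookies(request.headers.cookie || "")[SESSION_COOKIE];
  if (id && sessions.has(id)) {
    return { status: 200, headers: {}, body: "page for " + request.path };
  }
  const fresh = "sess" + nextId++; // constructed session id
  sessions.add(fresh);
  return {
    status: 302,
    headers: {
      location: "/",
      "set-cookie": SESSION_COOKIE + "=" + fresh + "; path=/; HttpOnly",
    },
    body: "",
  };
}

// Client: keep a cookie jar; if a response both redirects and sets a cookie,
// replay the ORIGINAL path once with that cookie instead of following it.
function fetchDeepLink(path, send) {
  const jar = {};
  const trace = [];
  for (let attempt = 0; attempt < 2; attempt++) {
    const cookie = Object.entries(jar).map(([k, v]) => k + "=" + v).join("; ");
    const res = send({ path, headers: cookie ? { cookie } : {} });
    trace.push(res.status);
    const setCookie = res.headers["set-cookie"];
    if (setCookie) Object.assign(jar, parseCookies(setCookie.split(";")[0]));
    if (res.status !== 302 || !setCookie) return { res, trace };
  }
  return { res: null, trace }; // still redirected after one replay: give up
}
```

This only helps a client that holds its own cookie jar; a link on a third-party page cannot place the session cookie in the visitor's browser for them.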

Asp.net jquery ajax request.cookies cross domain

Due to cross domain issues, I decided to try a new workaround for detecting sessions between 2 of my domains. I assumed this process would work as I wasn't trying to set any cookies, and it works fine in chrome and firefox, but not in IE9.
I have stepped through in debug mode and the aspx page I request has no access to its own Request.Cookies, whereas it does when I use chrome.
The process is:
On domain1, (an asp.net mvc application) the user logs in. As part of that login process, a cookie is set on that domain. If I then hit a test page on this server, I can see the cookie has been set.
On domain2 (an asp.net webforms app), I make a jQuery.ajax request to that test page on domain1, which is meant to check for the cookie and return an encrypted string.
When stepping through during this request to domain2 when called via ajax I can see the request.cookies collection is not populated. Frustratingly, User.Identity.IsAuthenticated is true, but I can't get access to the cookie I set.
Is this just another example of the whole cross domain security in action? To me it seems even making the ajax call using jsonp and all the other various headers etc, isn't going to help in this situation as it appears to be something more than that?
It seems that you're correct in your assumption. JQuery will by default not send cookies if it's connected to a domain that is not the same as the domain the page is on.
You can try using the xhrFields from the JQuery API to perform the cross domain call.

    $.ajax({
        url: a_cross_domain_url,
        xhrFields: {
            withCredentials: true // send cookies with the cross-domain request
        }
    });

http://api.jquery.com/jQuery.ajax/
Hope that helps!
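
The server half that `withCredentials: true` depends on, as an added example (not code from the original answer): the browser only lets script read a credentialed cross-origin response when the server names the exact calling origin and sends `Access-Control-Allow-Credentials: true`. The allowlist and the `domain2.example` origin are assumptions, and both sides are modelled as plain functions.

```javascript
// Hypothetical allowlist of origins permitted to make credentialed calls.
const ALLOWED_ORIGINS = new Set(["https://domain2.example"]);

// Weak setting: a wildcard grant. Browsers reject it for credentialed requests.
function wildcardCors() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Corrected setting: name the caller's origin only when it is allowlisted.
function allowlistCors(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {}; // no CORS grant
  return {
    "Access-Control-Allow-Origin": origin,      // exact origin, never "*"
    "Access-Control-Allow-Credentials": "true", // required when cookies are sent
    "Vary": "Origin",                           // keep caches from mixing origins
  };
}

// Modelled browser check applied before page script may read the response.
function scriptCanReadResponse(pageOrigin, withCredentials, headers) {
  const allowOrigin = headers["Access-Control-Allow-Origin"];
  if (!withCredentials) {
    return allowOrigin === "*" || allowOrigin === pageOrigin;
  }
  return allowOrigin === pageOrigin &&
         headers["Access-Control-Allow-Credentials"] === "true";
}

// Outcomes for a credentialed call from the allowlisted page and from another origin.
function demo() {
  const page = "https://domain2.example";
  const other = "https://other.example";
  return {
    wildcardWithCookies: scriptCanReadResponse(page, true, wildcardCors()),
    allowlistWithCookies: scriptCanReadResponse(page, true, allowlistCors(page)),
    otherOriginWithCookies: scriptCanReadResponse(other, true, allowlistCors(other)),
  };
}
```

Echoing back whatever `Origin` arrives, without the allowlist, would pass the browser check for every site and let any page read responses made with the user's cookies.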

ASP.NET authentication cookie disappears, only in IE, only from specific locations

Internet explorer is not keeping my authentication cookie after one page redirect.
Here is the situation:
I have an ASP.NET 2.0 web application running on a shared iis7 hosting. The application uses forms authentication to handle login and user identity and writing a cookie (.ASPXFORMSAUTH) on the client machine for that purpose.
In IE (checked with version 8, 9), from some locations, the authentication cookie is not being kept after the first page. The observed behavior is:
1. User name and password are submitted in the login form.
2. User is successfully redirected to the first-after-login page (and Fiddler shows that the .ASPXFORMSAUTH cookie exists).
3. After clicking another link or hitting F5 for refresh, the user is redirected to login, and the authentication cookie (according to Fiddler) doesn't exist anymore.
At the refresh / click, the authentication cookie is missing in the request headers.
This doesn't happen in Chrome / FF, and even in IE, it seems to be dependent on the location from which I am connected.
Also, locally (using the internal dev server in VS2008), all works fine and reflects fine in Fiddler as well.
I am banging my head at it for a few days now. Thought it may be some kind of a strange firewall problem, but couldn't determine anything conclusive.
Ideas will be appreciated.
IE suffers from a weird bug - for some reason, if there are non-alphanumeric characters in the domain's name, IE won't persist cookies... and hence you'll have no persistent session between different calls.
Check if your domain has non-alphanumeric characters in it, such as test_domain or test-domain or the likes. Unfortunately, I don't know any fixes for this short of aliasing the incriminated domain or accessing it directly via the IP. The reason you've got no problems locally is that you're pointing to http://localhost, which is fine. As soon as you deploy to a non IE compliant domain you'll witness the problem.
Happened to me and it took hours to find out why. Hope this helps. Another reason to kill IE with fire.
My solution has been a combination of other solutions:
IE not saving asp.net authentication token / cookies
http://connect.microsoft.com/VisualStudio/feedback/details/662275/asp-net-user-agent-sniffing-and-ie10-internet-explorer-10
upgrade to .NET 4.0 adding the tag ticketCompatibilityMode="Framework40" in the web.xml: http://msdn.microsoft.com/en-us/library/1d3t3c61.aspx
Note that the real final solution was the 3rd.
Last but not least: once I set this flag above I had to change the logout method in the code behind because the old one did not logout any more:

    protected void LoginStatusLink_LoggedOut(object sender, EventArgs e) {
        // remove the authentication cookies from the browser
        FormsAuthentication.SignOut();
        // force a new 'expired' auth cookie
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName);
        cookie.Expires = DateTime.Now.AddMonths(-1);
        Response.Cookies.Add(cookie);
        // delete roles cookie
        Roles.DeleteCookie();
        // clear and abandon session
        Session.Clear();
        Session.Abandon();
        // this line just to leave (forget) the current page
        this.Response.Redirect("~/");
    }

1. Try to create a persistent cookie
2. Check your cookie settings for IE
Check the server's date. I had a situation where the server was 1 day behind the browser and so the authentication cookie essentially expired immediately. This affected IE, but not FF.

asp.net way to last URL from codebehind

Is there a way from an asp.net page code-behind with "Request.Redirect()" or another method to redirect to the last page (like Javascript history back)?
You can check the Request.UrlReferrer property, which will be set if the user has navigated to the given page from another one. This is nothing more than the HTTP Referrer header that a browser will set. This will be null if the user navigates to your page directly.
HTTP is stateless, so there's no way of being able to read the browser's history (on the server) in the same way that Javascript can (it's client side).
However there are a couple of tricks you can use:
Javascript could write the URL into a textbox which gets submitted to the server
The last URL visited could be stored in session - which can be retrieved on a later visit
If using the URL in session method, you'll probably want to code this into a HTTP handler (not module) and this will fire automatically on every request.
Obviously these will only work if the user has previously visited a page, and not directly.
