I am redirecting from a classic ASP page to an ASP.Net page on a different webserver. The landing aspx page seems to start a new session after postback i.e. my session variables which are set when the page is first hit after the redirect, are being reset after a button on the page is clicked. How do I work around this? Thanks in advance.
You might want to read "How to Share Session State Between Classic ASP and ASP.NET".
But you should know from start, there's no way to just pass the sessions between asp and asp.net using the session-object in both of them.
Read the above article and you'll know all about it!
Microsoft has a page explaining how to share session data between classic ASP en ASP.NET.
You can find it here
OK, I had a look at the HTTP headers being sent to the server in each of the two cases: when redirecting from ASP and from ASP.Net. I noticed that in the case of ASP.Net a cookie was being sent ASP.Net_SessionID. This was not being sent from the ASP page. I did some reading and found out that you can set ASP.Net to run cookieless - http://msdn.microsoft.com/en-us/library/aa479314.aspx. I added the
sessionState cookieless="true"
to my web.config and all is well. Your assistance is much appreciated.
Related
We have a scenario at my work place where we need to post data from classic ASP page to ASP.Net form. Now this posting have some XSS vulnerabilities. I am just not sure how to resolve the issue. Scenario is classic ASP page post date to ASP.Net form which is a file inside MVC website. Then on page load event of that page, it gets all hidden variables values and create html from in Response and submit the same using frm.submit() JS code. So because of this middle asp.net page, it is open to attacks.
Any help appreciated.
Use Server.HTMLEncode() to encode the data written to your page if you're worried about XSS.
Is there a particular reason you rebuild this page at all? So long as you are using just the post method of the form on the classic asp page then you should not need to rebuild the form in .NET you could simply read the post response values.
Although this is pretty old, but I used AntiXSS library provided by Microsoft to prevent XSS.
Some part of my site is Asp and the other is Asp.Net.
I use session to save the information of current user in Asp pages.
However,the session is lost on redirecting to an Asp.net page.
Sometimes,the session would be saved in the first redirecting Asp.net page.
After a while, I click a button and find that session is still lost.
I am really confused about this situation.
How could this happen?
ps:
1.I have checked the time-out configuration, it seems to work well.
2.The cookie configuration in brower looks normal.
ASP and ASP.NET do not share Session state. They are completely different systems.
If you want to share Session state somehow between the two systems, you can use the method outlined in this article: http://msdn.microsoft.com/en-us/library/aa479313.aspx
we are developing into an asp classic application introducing new asp.net pages.
The session variables are shared through the login.asp, everything works fine...
The problem that we are facing now is that the asp classic session expires meanwhile the user is navigating the .net pages and tries to go again into an asp page... the session in asp has expired because the user has been browsing for more than 20 minutes the aspx pages.
Thanks in advance
Ariel Gimenez
May be you can keep your Classic ASP session alive when a user browse in a ASPX page by:
adding a hidden iframe in your ASPX page that load an ASP Page
' aspx page ....
<iframe src='keep_session.asp' style='display:none'></iframe>
OR use an AJAX post from your ASPX page every 10 minutes to an ASP page to keep the ASP session active
I think you can find interesting:
http://msdn.microsoft.com/en-us/library/aa479313.aspx
update
I think this is the key:
"The native ASP session can only store session data in memory. In order to store the session data to SQL Server, a custom Microsoft® Visual Basic® 6.0 COM object is written to manage the session state instead of using the native session object. This COM object will be instantiated in the beginning of each Web request and reload the session data from SQL Server. When the ASP script is finished, this object will be terminated and the session state will be persisted back to SQL Server."
Do you retrieve asp session from db too?
I can think of two ways around this:
Increase the session timeout setting to be longer then 20 minutes.
Add a redirect page between common pages of the .aspx navigation.
This would redirect to an asp page, and then on to the correct destination, ensuring the session object didn't timeout.
We have an extensive classic ASP site, and we're looking to upgrade to ASP .Net (most probably the latest version). Obviously upgrading all the pages at once would be a leviathan task, so we're only looking to write new pages (and page rewrites) in ASP .Net at first.
There are two obstacles to doing so:
I have no idea how to access classic ASP session data in ASP .Net. This would only have to be set up once, as it is never modified by any page other than the login page. I'd prefer to have to make minimal changes to the classic ASP login page, but that's only a small preference.
The ASP and ASP .Net sessions would have to timeout at the same time, to keep the version difference seamless.
Could anyone offer any help, please?
Thanks in advance.
We faced the same task (not fun). Since Asp.Net session and Asp session can't be shared, we used a combination of methods, each appropriate to the situation.
In some cases, we used cookies instead of session.
In others, we set up automatically posting forms so that if a user's session information was set in a classic ASP page, after the session info was set, we redirected to an Asp.Net page that read in query string parameters and used those to set the same session variables for Asp.Net. Then once the Asp.Net page set the same variables, that page did a redirect to whatever page the original login page previously pointed to. The same worked in reverse.
So, in the second scenario, an example flow would have changed from:
User tries to access some protected
content page -> redirected to login
page -> logs in -> session info set
based on login success -> redirected
back to content page.
to
User tries to access some protected
content page -> redirected to login
page -> logs in -> session info set
based on login success -> redirected
to a .net page, passing along login
credentials, etc. -> aspx page sets
session info and then immediately
redirects back to content page.
We knew it was a hack, but it worked in the short-term until we could get the sites all converted.
There might be a better way of doing this using newer IIS settings (must admit I've not kept up to date on what new goodies IIS7 can do). But you could do a XMLRequest from your ASP login page to a ASP.Net page. You could either pass through the settings you need in the Post data or have the .net page populate the session data itself if the logic is simple enough. The .net page would then return you a .net session id in the cookie, you need to set this in the ASP users cookie collection so that that user has both a .net and Classic ASP session cookie.
That would do it.
I implemented this a few years ago by using a database.
Microsoft have a pretty good article on it, though it's a little old at this point.
Okay, it’s an established fact that the Session object in ASP has no relation to the Session object in ASP.NET.
My question is this: If I have an ASP page, and it calls an ASPX page, which then does a Response.Redirect to another (or the same) ASP page, will the Session variables from the original ASP page be preserved in the final ASP page? Does anybody know the answer, or do I need to experiment and see?
will the Session variables from the
original ASP page be preserved in the
final ASP page?
Short answer: yes.
This is no different than if you left a page on your ASP site, used that browser window/tab to go to another site like Google, then came back. Your session will be preserved as long as it hasn't timed out or been collected, or any of the other standard things that can happen to invalidate a session.
The ASP and ASP.NET apps are effectively separate applications - almost separate sites, even if they live in the same folder structure - that happen to be running on the same server. They can't share data (without jumping through some hoops like storing things in a database) and aren't aware of each other.
One way to share session variables between asp and asp.net is: http://www.eggheadcafe.com/articles/20021207.asp
I don't believe your session variables will be destroyed unless you either close the browser or clear the session via code.
Yes, the session will exist in asp classic in most circumstances. A few things to consider though:
If the classic pages are not requested again before the SessionTimeout has been reached the instances will be destroyed
If you're running on IIS 7 and redirecting between SSL and non SSL pages there may be different sessions in classic depending on the site configuration properties