Accessing ASP.NET Session or Application under old ASP

[Ravi Ambros Wallau]

Guys:
Is there someway that allows a normal (and old) ASP page to access
Session _or_ Application data of an ASP.NET page?
I can't migrate this ASP page to ASP.NET. This ASP page loads an ISAPI
filter (msmdpump.dll), and I've tried a lot, but can't make this works in
ASP.NET.

Thanks,
Ravi.

 

[Brock Allen]

ASP and ASP.NET are two different HTTP processing environments. They don't
share any implementation of Session state. Your best bet is going to be to
store whatever data you want shared across your ASP and ASP.NET pages in
a database. Use a cookie to identify that user's data in the database.

 

[Ravi Ambros Wallau]

But this is trully even when the ASP page is inside an ASP.NET application
folder?
Using a cookie only isn't a security issue? If I check IP address of the
sender against the cookie, do I have the same security that I would obtain
using a session?
Thanks,
Ravi.

 

[Brock Allen]

But this is trully even when the ASP page is inside an ASP.NET

application folder?

Correct -- the ASP and ASPX file are in the same folder, but they are still
using two different application frameworks. Similar (on the surface, at least),
but different.

Using a cookie only isn't a security issue?

Yes, using a cookie is a security issue, unless you're running over SSL.
But that's no different that how it's always been using Sessions.

If I check IP address of the sender against the cookie, do I have the
same security that I would obtain using a session?

I don't know what this means. Cookies are no different that they used to
be. Cookies can be spoofed in ASP and in ASP.NET. That's why I suggest SSL.
And even with SSL, if I'm an attacker and I've somehow acquired someone else's
cookie I can present as if it were my own. Again, these issues are unrelated
to ASP or ASP.NET.

 

[Ravi Ambros Wallau]

Hello, Brook:
I'll do what you suggested:
1. The ASP.NET page generates a unique identifier, that is stored in a
database with sender's IP address;
2. After that, the ASP page is accessed. The ASP page check the
existence of the cookie, and then, in the database, verifies the existence
of this cookie and check the sender's IP address.
3. If permitted, then access is allowed - otherwise, not.

This is almost safe, I hope...

 

[Brock Allen]

I'll do what you suggested:

1. The ASP.NET page generates a unique identifier, that is stored
in a
database with sender's IP address;
2. After that, the ASP page is accessed. The ASP page check the
existence of the cookie, and then, in the database, verifies the
existence
of this cookie and check the sender's IP address.
3. If permitted, then access is allowed - otherwise, not.
This is almost safe, I hope...

I never suggested this

IP address is a bad thing to use to identify a user, since people can be
using a NAT or a proxy server. I wrote an app that logged all IP addresses
used by users and people using AOL as their ISP would have 10 different IPs
all in the span of a few requests.

Just issue a cookie and the cookie presented to the application should be
the user's identifier for their custom session data in your database.

 

[Ravi Ambros Wallau]

Well, checking IP address is not an extra effort...
I'll give that a shot!

Thanks, your support was great!