How exactly ASP page maintains session?

Discussion in 'ASP General' started by Julia, Aug 15, 2004.

  1. Julia

    Julia Guest

    Hi,

    I have the following scenario

    Page A.asp call page B.asp
    Page B.asp need to load page C.asp make some changes and return
    the result to IE

    when A.asp is first running IIS create a session object
    and B.asp need to pass the session cookie(?) to C.asp

    How exactly ASP page maintains sessions?
    How can pass the session from A to C using B

    Note that b is in a different domain.

    thanks
     
    Julia, Aug 15, 2004
    #1
    1. Advertising

  2. Julia

    Evertjan. Guest

    Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

    > when A.asp is first running IIS create a session object
    > and B.asp need to pass the session cookie(?) to C.asp
    >
    > How exactly ASP page maintains sessions?
    > How can pass the session from A to C using B
    >
    > Note that b is in a different domain.
    >


    The session cookie is domain specific.

    ASP-sessions are not "passed" from one page to the other.

    If no session cookie is found a new session is placed.

    If such cookie placing is deactivated [clientside = browser],
    every page is a new session.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 15, 2004
    #2
    1. Advertising

  3. Julia

    Julia Guest

    I know that,that is way I asked the question!!!
    i assume the session ID(explorer unique id?) is passed in the HTTP request
    so I wonder if I can some how extract it using ISAPI or other.
    and thant pass it to the other page.

    thanks

    "Evertjan." <> wrote in message
    news:Xns9546716A5AFE4eejj99@194.109.133.29...
    > Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
    >
    > > when A.asp is first running IIS create a session object
    > > and B.asp need to pass the session cookie(?) to C.asp
    > >
    > > How exactly ASP page maintains sessions?
    > > How can pass the session from A to C using B
    > >
    > > Note that b is in a different domain.
    > >

    >
    > The session cookie is domain specific.
    >
    > ASP-sessions are not "passed" from one page to the other.
    >
    > If no session cookie is found a new session is placed.
    >
    > If such cookie placing is deactivated [clientside = browser],
    > every page is a new session.
    >
    > --
    > Evertjan.
    > The Netherlands.
    > (Please change the x'es to dots in my emailaddress)
     
    Julia, Aug 15, 2004
    #3
  4. Julia

    Julia Guest

    Ha....what you ment to say that ASP create a special cookie which represent
    the session
    sent it to the client
    and that cookie is sent to the server each request?
    (and of course cookie is domain specific)

    what if I get this cookie in page A and send it in the URL as a parameter to
    page B?

    thanks.


    "Julia" <> wrote in message
    news:%...
    > I know that,that is way I asked the question!!!
    > i assume the session ID(explorer unique id?) is passed in the HTTP request
    > so I wonder if I can some how extract it using ISAPI or other.
    > and thant pass it to the other page.
    >
    > thanks
    >
    > "Evertjan." <> wrote in message
    > news:Xns9546716A5AFE4eejj99@194.109.133.29...
    > > Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
    > >
    > > > when A.asp is first running IIS create a session object
    > > > and B.asp need to pass the session cookie(?) to C.asp
    > > >
    > > > How exactly ASP page maintains sessions?
    > > > How can pass the session from A to C using B
    > > >
    > > > Note that b is in a different domain.
    > > >

    > >
    > > The session cookie is domain specific.
    > >
    > > ASP-sessions are not "passed" from one page to the other.
    > >
    > > If no session cookie is found a new session is placed.
    > >
    > > If such cookie placing is deactivated [clientside = browser],
    > > every page is a new session.
    > >
    > > --
    > > Evertjan.
    > > The Netherlands.
    > > (Please change the x'es to dots in my emailaddress)

    >
    >
     
    Julia, Aug 15, 2004
    #4
  5. Julia

    Evertjan. Guest

    Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
    > "Evertjan." <> wrote in message
    > news:Xns9546716A5AFE4eejj99@194.109.133.29...
    >> Julia wrote on 15 aug 2004 in
    >> microsoft.public.inetserver.asp.general:
    >>
    >> > when A.asp is first running IIS create a session object
    >> > and B.asp need to pass the session cookie(?) to C.asp
    >> >
    >> > How exactly ASP page maintains sessions?
    >> > How can pass the session from A to C using B
    >> >
    >> > Note that b is in a different domain.
    >> >

    >>
    >> The session cookie is domain specific.
    >>
    >> ASP-sessions are not "passed" from one page to the other.
    >>
    >> If no session cookie is found a new session is placed.
    >>
    >> If such cookie placing is deactivated [clientside = browser],
    >> every page is a new session.


    [please do not toppost on usenet]

    > I know that,that is way I asked the question!!!


    That is nice, but it would be helpful if you stated what you already know
    IN the OQ. That way the risk of being ploncked or ignored is less.

    > i assume the session ID(explorer unique id?)


    No, not 'explorer unique'. It is a serverside generated ID, so unique to
    the server only. It has nothing to do with the browser, but for the
    browser filing and returning the ID.

    > ... is passed in the HTTP
    > request so I wonder if I can some how extract it using ISAPI or other.
    > and thant pass it to the other page.


    That would be a breach of security. Inter domain sessions are just not
    the ASP way.

    ==========

    Why not build it yourself using a serverside database and querystrings
    with your own "session ID"?

    This has been discused many times on this NG. Read the archives.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 15, 2004
    #5
  6. Julia

    Julia Guest

    Thanks,
    couple more question please

    1.When B call C,than the server which host C generate a session ID for B as
    well?

    2.suppose in C.asp i am returning the SessionID to B and save it in a data
    base
    than when B call C again,can i transform the saved Id to the session
    Cookie?
    (put it into the HTTP hedaers?)

    3." [please do not toppost on usenet]"- I don't understand.


    "Why not build it yourself using a server database and querystrings
    with your own "session ID"?"

    A and C belongs to other organization,we are trying to plug additional
    capabilities to their site
    with as less as possible changes.




    "Evertjan." <> wrote in message
    news:Xns95467ADE55F9Feejj99@194.109.133.29...
    > Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
    > > "Evertjan." <> wrote in message
    > > news:Xns9546716A5AFE4eejj99@194.109.133.29...
    > >> Julia wrote on 15 aug 2004 in
    > >> microsoft.public.inetserver.asp.general:
    > >>
    > >> > when A.asp is first running IIS create a session object
    > >> > and B.asp need to pass the session cookie(?) to C.asp
    > >> >
    > >> > How exactly ASP page maintains sessions?
    > >> > How can pass the session from A to C using B
    > >> >
    > >> > Note that b is in a different domain.
    > >> >
    > >>
    > >> The session cookie is domain specific.
    > >>
    > >> ASP-sessions are not "passed" from one page to the other.
    > >>
    > >> If no session cookie is found a new session is placed.
    > >>
    > >> If such cookie placing is deactivated [clientside = browser],
    > >> every page is a new session.

    >
    > [please do not toppost on usenet]
    >
    > > I know that,that is way I asked the question!!!

    >
    > That is nice, but it would be helpful if you stated what you already know
    > IN the OQ. That way the risk of being ploncked or ignored is less.
    >
    > > i assume the session ID(explorer unique id?)

    >
    > No, not 'explorer unique'. It is a serverside generated ID, so unique to
    > the server only. It has nothing to do with the browser, but for the
    > browser filing and returning the ID.
    >
    > > ... is passed in the HTTP
    > > request so I wonder if I can some how extract it using ISAPI or other.
    > > and thant pass it to the other page.

    >
    > That would be a breach of security. Inter domain sessions are just not
    > the ASP way.
    >
    > ==========
    >
    > Why not build it yourself using a serverside database and querystrings
    > with your own "session ID"?
    >
    > This has been discused many times on this NG. Read the archives.
    >
    > --
    > Evertjan.
    > The Netherlands.
    > (Please change the x'es to dots in my emailaddress)
     
    Julia, Aug 15, 2004
    #6
  7. Julia

    Evertjan. Guest

    Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

    > Ha....what you ment to say that ASP create a special cookie which
    > represent the session
    > sent it to the client
    > and that cookie is sent to the server each request?
    > (and of course cookie is domain specific)
    >
    > what if I get this cookie in page A and send it in the URL as a
    > parameter to page B?


    No, it has to go in the header of page b and be recognized by the asp
    engine as a not timed out session.id given out by the page b asp engine.


    Why not try it out by starting all three the pages with:


    <%
    if session("isStarted")<>"Yes!" then
    response.write "New session started with this page"
    session("isStarted")="Yes!"
    else
    response.write "Old session recognized, hurray!"
    end if
    %>


    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 15, 2004
    #7
  8. Julia

    Evertjan. Guest

    Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
    > 1.When B call C,than the server which host C generate a session ID for
    > B as well?


    [See my example code in the other posting]

    Each session only has one session.id.

    > 2.suppose in C.asp i am returning the SessionID to B and save
    > it in a data base than when B call C again,can i transform
    > the saved Id to the session Cookie? (put it into the HTTP hedaers?)


    Do not try to do what is expressly excluded. You cannot access the
    session cookie with clientside code. You cannot force an asp-server to
    use a different session.id.

    > 3." [please do not toppost on usenet]"- I don't understand.


    Read up on topposting via google.
    Topposting is fowned upon by many, including me.

    <http://www.google.com/search?q=top.posting> 24.200 hits

    >> "Why not build it yourself using a server database and
    >> querystrings with your own "session ID"?"

    > A and C belongs to other organization,we are trying to plug
    > additional capabilities to their site with as less as possible changes.


    So you only page B is under your control?
    A and C are the same domain?
    Are they asp?

    Then their (A and C's) security should prevent you from meddling.
    The only way to do what you want, IMHO, is data mining their pages and
    reconstructing them as your own. Offering that to the web could be a
    copyright infringement.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 15, 2004
    #8
  9. Julia

    Jerry Pisk Guest

    "Evertjan." <> wrote in message
    news:Xns954687C9A6297eejj99@194.109.133.29...
    > Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
    >> 1.When B call C,than the server which host C generate a session ID for
    >> B as well?

    >
    > [See my example code in the other posting]
    >
    > Each session only has one session.id.
    >
    >> 2.suppose in C.asp i am returning the SessionID to B and save
    >> it in a data base than when B call C again,can i transform
    >> the saved Id to the session Cookie? (put it into the HTTP hedaers?)

    >
    > Do not try to do what is expressly excluded. You cannot access the
    > session cookie with clientside code. You cannot force an asp-server to
    > use a different session.id.


    Yes you can, why exactly not? Read up on DOM and how to use it in
    JavaScript. If you do this successfully it's called session hi-jacking, and
    is one of the simplest security attacks.

    >> 3." [please do not toppost on usenet]"- I don't understand.

    >
    > Read up on topposting via google.
    > Topposting is fowned upon by many, including me.
    >
    > <http://www.google.com/search?q=top.posting> 24.200 hits


    Many, but most people do not give a damn. And mostly Europeans will educate
    you on how badly you behave (do not top post, use the metric system, it's
    just annoying).

    >>> "Why not build it yourself using a server database and
    >>> querystrings with your own "session ID"?"

    >> A and C belongs to other organization,we are trying to plug
    >> additional capabilities to their site with as less as possible changes.

    >
    > So you only page B is under your control?
    > A and C are the same domain?
    > Are they asp?
    >
    > Then their (A and C's) security should prevent you from meddling.
    > The only way to do what you want, IMHO, is data mining their pages and
    > reconstructing them as your own. Offering that to the web could be a
    > copyright infringement.


    Could but probably won't. The real problem is that each server envirenment
    has its own cookies, so even if you force your server to use the same
    session ID as the one you're trying to interact with you will fail, because
    the other server will not know a session by that id (and vice versa).

    > --
    > Evertjan.
    > The Netherlands.
    > (Please change the x'es to dots in my emailaddress)


    Jerry
     
    Jerry Pisk, Aug 15, 2004
    #9
  10. Julia

    Evertjan. Guest

    Jerry Pisk wrote on 15 aug 2004 in
    microsoft.public.inetserver.asp.general:
    >>> 3." [please do not toppost on usenet]"- I don't understand.

    >>
    >> Read up on topposting via google.
    >> Topposting is fowned upon by many, including me.
    >>
    >> <http://www.google.com/search?q=top.posting> 24.200 hits

    >
    > Many, but most people do not give a damn. And mostly Europeans will
    > educate you on how badly you behave (do not top post, use the metric
    > system, it's just annoying).


    I politely asked in this thread not to toppost, Jerry.
    I did not say that was bad behavour, I just frown upon it.

    However if you think that topposting is bad behavour on usenet, and that
    you do not give a damn [and even without any shown proof suggest that most
    people think like you], I can sympatize that would be very annoying to you.

    Do you feel the Europeans are your moral watchdogs?
    And also an inferiority feeling about inches, ounces and miles?

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 15, 2004
    #10
  11. Julia

    Jerry Pisk Guest

    "Evertjan." <> wrote in message
    news:Xns9546C4FAA694Deejj99@194.109.133.29...
    > Jerry Pisk wrote on 15 aug 2004 in
    > microsoft.public.inetserver.asp.general:
    >>>> 3." [please do not toppost on usenet]"- I don't understand.
    >>>
    >>> Read up on topposting via google.
    >>> Topposting is fowned upon by many, including me.
    >>>
    >>> <http://www.google.com/search?q=top.posting> 24.200 hits

    >>
    >> Many, but most people do not give a damn. And mostly Europeans will
    >> educate you on how badly you behave (do not top post, use the metric
    >> system, it's just annoying).

    >
    > I politely asked in this thread not to toppost, Jerry.
    > I did not say that was bad behavour, I just frown upon it.
    >
    > However if you think that topposting is bad behavour on usenet, and that
    > you do not give a damn [and even without any shown proof suggest that most
    > people think like you], I can sympatize that would be very annoying to
    > you.


    I don't care about how people post. Top posting is a little easier to read
    for me but others feel different. However, I don't feel the need to tell
    others what to do.

    > Do you feel the Europeans are your moral watchdogs?
    > And also an inferiority feeling about inches, ounces and miles?


    Same thing about units - who cares. They're just units. But every single
    European I know ALWAYS mentions how great SI is and that everybody,
    including stupid americans should switch. Nobody cares what you (or my smart
    ass European friends think), use whatever you want but let others use what
    they want. In your case post how you want but let others do their own thing.
    If you don't like it then don't read it. It's as simple as that.

    > --
    > Evertjan.
    > The Netherlands.
    > (Please change the x'es to dots in my emailaddress)


    Jerry
     
    Jerry Pisk, Aug 15, 2004
    #11
  12. Julia

    dlbjr Guest

    That will do! - Amen.


    dlbjr
    Pleading sagacious indoctrination!
     
    dlbjr, Aug 15, 2004
    #12
  13. Julia

    Bob Lehmann Guest

    So, if he posted in his native language, would that work for you?

    What's your deal with Europeans anyway? Were you a badly behaving American
    in a European country and not get your way?

    Bob Lehmann

    "Jerry Pisk" <> wrote in message
    news:...
    >
    > "Evertjan." <> wrote in message
    > news:Xns9546C4FAA694Deejj99@194.109.133.29...
    > > Jerry Pisk wrote on 15 aug 2004 in
    > > microsoft.public.inetserver.asp.general:
    > >>>> 3." [please do not toppost on usenet]"- I don't understand.
    > >>>
    > >>> Read up on topposting via google.
    > >>> Topposting is fowned upon by many, including me.
    > >>>
    > >>> <http://www.google.com/search?q=top.posting> 24.200 hits
    > >>
    > >> Many, but most people do not give a damn. And mostly Europeans will
    > >> educate you on how badly you behave (do not top post, use the metric
    > >> system, it's just annoying).

    > >
    > > I politely asked in this thread not to toppost, Jerry.
    > > I did not say that was bad behavour, I just frown upon it.
    > >
    > > However if you think that topposting is bad behavour on usenet, and that
    > > you do not give a damn [and even without any shown proof suggest that

    most
    > > people think like you], I can sympatize that would be very annoying to
    > > you.

    >
    > I don't care about how people post. Top posting is a little easier to read
    > for me but others feel different. However, I don't feel the need to tell
    > others what to do.
    >
    > > Do you feel the Europeans are your moral watchdogs?
    > > And also an inferiority feeling about inches, ounces and miles?

    >
    > Same thing about units - who cares. They're just units. But every single
    > European I know ALWAYS mentions how great SI is and that everybody,
    > including stupid americans should switch. Nobody cares what you (or my

    smart
    > ass European friends think), use whatever you want but let others use what
    > they want. In your case post how you want but let others do their own

    thing.
    > If you don't like it then don't read it. It's as simple as that.
    >
    > > --
    > > Evertjan.
    > > The Netherlands.
    > > (Please change the x'es to dots in my emailaddress)

    >
    > Jerry
    >
    >
     
    Bob Lehmann, Aug 16, 2004
    #13
  14. Julia

    Evertjan. Guest

    Jerry Pisk wrote on 16 aug 2004 in microsoft.public.inetserver.asp.general:

    Dear Jerry,

    > They're just units. But every single
    > European I know ALWAYS mentions how great SI is and that everybody,
    > including stupid americans should switch.


    You must have an inferiority complex about being an American [american?] or
    something?

    I thought this NG was about helping each other out on ASP related problems
    and ideas.

    However poining to widely, though not universally, accepted netiquette is
    an necessity in each NG and so on topic.

    However the unit question, started by you, is not part of that [but for the
    yyyymmdd format], nor is your personal animosity against Europeans.

    Even not mentioning explicitly that you are an "american" when posting
    these above lines, which I surmize non the less in this context, as I do
    that you are probably not an Canadian, is a bit strange. This is not an
    English speaking only, as Bob rightly indicates elsewhere, or American NG
    where others are just guests that should behave as such.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)
     
    Evertjan., Aug 16, 2004
    #14
  15. "Julia" <> wrote in message
    news:%...
    >
    > Hi,
    >
    > I have the following scenario
    >
    > Page A.asp call page B.asp
    > Page B.asp need to load page C.asp make some changes and return
    > the result to IE
    >
    > when A.asp is first running IIS create a session object
    > and B.asp need to pass the session cookie(?) to C.asp
    >
    > How exactly ASP page maintains sessions?
    > How can pass the session from A to C using B
    >
    > Note that b is in a different domain.



    If you want a solution that really works for diffent domains based on a
    reference in the GUID you can have a look at

    http://www.nieropwebconsult.nl/nocookieweb
    but it requires you not to use cookies.

    Another solution would be to use cookies on *both* domains, but on the page
    that passes control to the other domain, you would use a

    Session.ReEntrance = True 'this is a security sensitive operation
    Response.Redirect ("otherdomain.com/mypage?guid="+ Session.SessionID )
    '(resturns a GUID!)

    more info
    http://www.nieropwebconsult.nl/asp_session_manager.htm



    > thanks
    >
    >
     
    Egbert Nierop \(MVP for IIS\), Aug 28, 2004
    #15
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Mark
    Replies:
    6
    Views:
    747
    Ken Dopierala Jr.
    Sep 28, 2004
  2. Replies:
    0
    Views:
    331
  3. Keithb
    Replies:
    1
    Views:
    822
    bruce barker
    Feb 26, 2007
  4. Bob Hutchison
    Replies:
    8
    Views:
    176
    Bob Hutchison
    Sep 28, 2005
  5. Tony Arcieri

    Who maintains ruby-talk?

    Tony Arcieri, Apr 14, 2010, in forum: Ruby
    Replies:
    68
    Views:
    691
    James Britt
    Apr 16, 2010
Loading...

Share This Page