How exactly ASP page maintains session?

[Julia]

Hi,

I have the following scenario

Page A.asp call page B.asp
Page B.asp need to load page C.asp make some changes and return
the result to IE

when A.asp is first running IIS create a session object
and B.asp need to pass the session cookie(?) to C.asp

How exactly ASP page maintains sessions?
How can pass the session from A to C using B

Note that b is in a different domain.

thanks

 

[Evertjan.]

Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

when A.asp is first running IIS create a session object
and B.asp need to pass the session cookie(?) to C.asp

How exactly ASP page maintains sessions?
How can pass the session from A to C using B

Note that b is in a different domain.

The session cookie is domain specific.

ASP-sessions are not "passed" from one page to the other.

If no session cookie is found a new session is placed.

If such cookie placing is deactivated [clientside = browser],
every page is a new session.

 

[Julia]

I know that,that is way I asked the question!!!
i assume the session ID(explorer unique id?) is passed in the HTTP request
so I wonder if I can some how extract it using ISAPI or other.
and thant pass it to the other page.

thanks

Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

when A.asp is first running IIS create a session object
and B.asp need to pass the session cookie(?) to C.asp

How exactly ASP page maintains sessions?
How can pass the session from A to C using B

Note that b is in a different domain.

The session cookie is domain specific.

ASP-sessions are not "passed" from one page to the other.

If no session cookie is found a new session is placed.

If such cookie placing is deactivated [clientside = browser],
every page is a new session.

 

[Julia]

Ha....what you ment to say that ASP create a special cookie which represent
the session
sent it to the client
and that cookie is sent to the server each request?
(and of course cookie is domain specific)

what if I get this cookie in page A and send it in the URL as a parameter to
page B?

thanks.

I know that,that is way I asked the question!!!
i assume the session ID(explorer unique id?) is passed in the HTTP request
so I wonder if I can some how extract it using ISAPI or other.
and thant pass it to the other page.

thanks

Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

when A.asp is first running IIS create a session object
and B.asp need to pass the session cookie(?) to C.asp

How exactly ASP page maintains sessions?
How can pass the session from A to C using B

Note that b is in a different domain.

The session cookie is domain specific.

ASP-sessions are not "passed" from one page to the other.

If no session cookie is found a new session is placed.

If such cookie placing is deactivated [clientside = browser],
every page is a new session.

 

[Evertjan.]

Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

Julia wrote on 15 aug 2004 in
microsoft.public.inetserver.asp.general:

when A.asp is first running IIS create a session object
and B.asp need to pass the session cookie(?) to C.asp

How exactly ASP page maintains sessions?
How can pass the session from A to C using B

Note that b is in a different domain.

The session cookie is domain specific.

ASP-sessions are not "passed" from one page to the other.

If no session cookie is found a new session is placed.

If such cookie placing is deactivated [clientside = browser],
every page is a new session.

[please do not toppost on usenet]

I know that,that is way I asked the question!!!

That is nice, but it would be helpful if you stated what you already know
IN the OQ. That way the risk of being ploncked or ignored is less.

i assume the session ID(explorer unique id?)

No, not 'explorer unique'. It is a serverside generated ID, so unique to
the server only. It has nothing to do with the browser, but for the
browser filing and returning the ID.

... is passed in the HTTP
request so I wonder if I can some how extract it using ISAPI or other.
and thant pass it to the other page.

That would be a breach of security. Inter domain sessions are just not
the ASP way.

==========

Why not build it yourself using a serverside database and querystrings
with your own "session ID"?

This has been discused many times on this NG. Read the archives.

 

[Julia]

Thanks,
couple more question please

1.When B call C,than the server which host C generate a session ID for B as
well?

2.suppose in C.asp i am returning the SessionID to B and save it in a data
base
than when B call C again,can i transform the saved Id to the session
Cookie?
(put it into the HTTP hedaers?)

3." [please do not toppost on usenet]"- I don't understand.


"Why not build it yourself using a server database and querystrings
with your own "session ID"?"

A and C belongs to other organization,we are trying to plug additional
capabilities to their site
with as less as possible changes.

Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

Julia wrote on 15 aug 2004 in
microsoft.public.inetserver.asp.general:

when A.asp is first running IIS create a session object
and B.asp need to pass the session cookie(?) to C.asp

How exactly ASP page maintains sessions?
How can pass the session from A to C using B

Note that b is in a different domain.


The session cookie is domain specific.

ASP-sessions are not "passed" from one page to the other.

If no session cookie is found a new session is placed.

If such cookie placing is deactivated [clientside = browser],
every page is a new session.

[please do not toppost on usenet]

I know that,that is way I asked the question!!!

That is nice, but it would be helpful if you stated what you already know
IN the OQ. That way the risk of being ploncked or ignored is less.

i assume the session ID(explorer unique id?)

No, not 'explorer unique'. It is a serverside generated ID, so unique to
the server only. It has nothing to do with the browser, but for the
browser filing and returning the ID.

... is passed in the HTTP
request so I wonder if I can some how extract it using ISAPI or other.
and thant pass it to the other page.

That would be a breach of security. Inter domain sessions are just not
the ASP way.

==========

Why not build it yourself using a serverside database and querystrings
with your own "session ID"?

This has been discused many times on this NG. Read the archives.

 

[Evertjan.]

Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

Ha....what you ment to say that ASP create a special cookie which
represent the session
sent it to the client
and that cookie is sent to the server each request?
(and of course cookie is domain specific)

what if I get this cookie in page A and send it in the URL as a
parameter to page B?

No, it has to go in the header of page b and be recognized by the asp
engine as a not timed out session.id given out by the page b asp engine.


Why not try it out by starting all three the pages with:


<%
if session("isStarted")<>"Yes!" then
response.write "New session started with this page"
session("isStarted")="Yes!"
else
response.write "Old session recognized, hurray!"
end if
%>

 

[Evertjan.]

Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

1.When B call C,than the server which host C generate a session ID for
B as well?

[See my example code in the other posting]

Each session only has one session.id.

2.suppose in C.asp i am returning the SessionID to B and save
it in a data base than when B call C again,can i transform
the saved Id to the session Cookie? (put it into the HTTP hedaers?)

Do not try to do what is expressly excluded. You cannot access the
session cookie with clientside code. You cannot force an asp-server to
use a different session.id.

3." [please do not toppost on usenet]"- I don't understand.

Read up on topposting via google.
Topposting is fowned upon by many, including me.

A and C belongs to other organization,we are trying to plug
additional capabilities to their site with as less as possible changes.

So you only page B is under your control?
A and C are the same domain?
Are they asp?

Then their (A and C's) security should prevent you from meddling.
The only way to do what you want, IMHO, is data mining their pages and
reconstructing them as your own. Offering that to the web could be a
copyright infringement.

 

[Jerry Pisk]

Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

1.When B call C,than the server which host C generate a session ID for
B as well?

[See my example code in the other posting]

Each session only has one session.id.

2.suppose in C.asp i am returning the SessionID to B and save
it in a data base than when B call C again,can i transform
the saved Id to the session Cookie? (put it into the HTTP hedaers?)

Do not try to do what is expressly excluded. You cannot access the
session cookie with clientside code. You cannot force an asp-server to
use a different session.id.

Yes you can, why exactly not? Read up on DOM and how to use it in
JavaScript. If you do this successfully it's called session hi-jacking, and
is one of the simplest security attacks.

3." [please do not toppost on usenet]"- I don't understand.

Read up on topposting via google.
Topposting is fowned upon by many, including me.

<http://www.google.com/search?q=top.posting> 24.200 hits

Many, but most people do not give a damn. And mostly Europeans will educate
you on how badly you behave (do not top post, use the metric system, it's
just annoying).

So you only page B is under your control?
A and C are the same domain?
Are they asp?

Then their (A and C's) security should prevent you from meddling.
The only way to do what you want, IMHO, is data mining their pages and
reconstructing them as your own. Offering that to the web could be a
copyright infringement.

Could but probably won't. The real problem is that each server envirenment
has its own cookies, so even if you force your server to use the same
session ID as the one you're trying to interact with you will fail, because
the other server will not know a session by that id (and vice versa).

Jerry

 

[Evertjan.]

Jerry Pisk wrote on 15 aug 2004 in
microsoft.public.inetserver.asp.general:

3." [please do not toppost on usenet]"- I don't understand.

Read up on topposting via google.
Topposting is fowned upon by many, including me.

<http://www.google.com/search?q=top.posting> 24.200 hits

Many, but most people do not give a damn. And mostly Europeans will
educate you on how badly you behave (do not top post, use the metric
system, it's just annoying).

I politely asked in this thread not to toppost, Jerry.
I did not say that was bad behavour, I just frown upon it.

However if you think that topposting is bad behavour on usenet, and that
you do not give a damn [and even without any shown proof suggest that most
people think like you], I can sympatize that would be very annoying to you.

Do you feel the Europeans are your moral watchdogs?
And also an inferiority feeling about inches, ounces and miles?

 

[Jerry Pisk]

Jerry Pisk wrote on 15 aug 2004 in
microsoft.public.inetserver.asp.general:

3." [please do not toppost on usenet]"- I don't understand.

Read up on topposting via google.
Topposting is fowned upon by many, including me.

<http://www.google.com/search?q=top.posting> 24.200 hits

Many, but most people do not give a damn. And mostly Europeans will
educate you on how badly you behave (do not top post, use the metric
system, it's just annoying).

I politely asked in this thread not to toppost, Jerry.
I did not say that was bad behavour, I just frown upon it.

However if you think that topposting is bad behavour on usenet, and that
you do not give a damn [and even without any shown proof suggest that most
people think like you], I can sympatize that would be very annoying to
you.

I don't care about how people post. Top posting is a little easier to read
for me but others feel different. However, I don't feel the need to tell
others what to do.

Do you feel the Europeans are your moral watchdogs?
And also an inferiority feeling about inches, ounces and miles?

Same thing about units - who cares. They're just units. But every single
European I know ALWAYS mentions how great SI is and that everybody,
including stupid americans should switch. Nobody cares what you (or my smart
ass European friends think), use whatever you want but let others use what
they want. In your case post how you want but let others do their own thing.
If you don't like it then don't read it. It's as simple as that.

Jerry

 

[dlbjr]

That will do! - Amen.


dlbjr
Pleading sagacious indoctrination!

 

[Bob Lehmann]

So, if he posted in his native language, would that work for you?

What's your deal with Europeans anyway? Were you a badly behaving American
in a European country and not get your way?

Bob Lehmann

Jerry Pisk wrote on 15 aug 2004 in
microsoft.public.inetserver.asp.general:

3." [please do not toppost on usenet]"- I don't understand.

Read up on topposting via google.
Topposting is fowned upon by many, including me.

<http://www.google.com/search?q=top.posting> 24.200 hits

Many, but most people do not give a damn. And mostly Europeans will
educate you on how badly you behave (do not top post, use the metric
system, it's just annoying).

I politely asked in this thread not to toppost, Jerry.
I did not say that was bad behavour, I just frown upon it.

However if you think that topposting is bad behavour on usenet, and that
you do not give a damn [and even without any shown proof suggest that most
people think like you], I can sympatize that would be very annoying to
you.

I don't care about how people post. Top posting is a little easier to read
for me but others feel different. However, I don't feel the need to tell
others what to do.

Do you feel the Europeans are your moral watchdogs?
And also an inferiority feeling about inches, ounces and miles?

Same thing about units - who cares. They're just units. But every single
European I know ALWAYS mentions how great SI is and that everybody,
including stupid americans should switch. Nobody cares what you (or my smart
ass European friends think), use whatever you want but let others use what
they want. In your case post how you want but let others do their own thing.
If you don't like it then don't read it. It's as simple as that.

Jerry

 

[Evertjan.]

Jerry Pisk wrote on 16 aug 2004 in microsoft.public.inetserver.asp.general:

Dear Jerry,

They're just units. But every single
European I know ALWAYS mentions how great SI is and that everybody,
including stupid americans should switch.

You must have an inferiority complex about being an American [american?] or
something?

I thought this NG was about helping each other out on ASP related problems
and ideas.

However poining to widely, though not universally, accepted netiquette is
an necessity in each NG and so on topic.

However the unit question, started by you, is not part of that [but for the
yyyymmdd format], nor is your personal animosity against Europeans.

Even not mentioning explicitly that you are an "american" when posting
these above lines, which I surmize non the less in this context, as I do
that you are probably not an Canadian, is a bit strange. This is not an
English speaking only, as Bob rightly indicates elsewhere, or American NG
where others are just guests that should behave as such.

 

[Egbert Nierop \(MVP for IIS\)]

Hi,

I have the following scenario

Page A.asp call page B.asp
Page B.asp need to load page C.asp make some changes and return
the result to IE

when A.asp is first running IIS create a session object
and B.asp need to pass the session cookie(?) to C.asp

How exactly ASP page maintains sessions?
How can pass the session from A to C using B

Note that b is in a different domain.

If you want a solution that really works for diffent domains based on a
reference in the GUID you can have a look at

http://www.nieropwebconsult.nl/nocookieweb
but it requires you not to use cookies.

Another solution would be to use cookies on *both* domains, but on the page
that passes control to the other domain, you would use a

Session.ReEntrance = True 'this is a security sensitive operation
Response.Redirect ("otherdomain.com/mypage?guid="+ Session.SessionID )
'(resturns a GUID!)

more info
http://www.nieropwebconsult.nl/asp_session_manager.htm