Client browser sending wrong ASP.NETSessionid in a cookie

[Niko]

Hi

I have a big problem with some browser setting wrong ASP.NETSessionid in
a cookie, and the result is that asp.net 1.1 always assigns new session to
the client. I checked what is going on and I noticed that the broswers set
the sessionid inside quotation marks and I guess that ASP.NET 1.1 can't parse
this and just assigns new session to the client. So my question is can I
somehow intercept the request and fix this session id by my self or is there
some other way to go around this problem!

tnx

 

[Cowboy \(Gregory A. Beamer\)]

Yes, you can intercept calls with an HTTP Handler, and do whatever you want
with the raw request, including cookies. I am not sure how easy it is to
dink with the session cookie, but you can reverse engineer some of MS's
stufff to see how to pull from the encrypted cookie, as you will have a raw
stream. I would consider checking the machine keys first (regen on a site
that creates keys?), as that is a possible point of failure.

I am not sure what causes the issue. Where are you setting the cookie?
Traditional ASP app? ASP.NET 2.0? JavaScript?

 

[Niko]

Hello Cowboy (Gregory A. Beamer),

I didn’t know that, I thought that HttpHandlers are not low level enough
to do that. I could write a simple ISAPI filter and do that, but they don’t
like the idea.

Well I’ll try to alter the cookie with HttpHandler