Sharing session values from an asp.net page?

binici · January 5th, 2007, 02:52 PM

Hello all!

I am in a delima here. I have a membersonly section that our users log into. I am passing a tokenkey to verify the session and to prevent others from hacking, sharing, ect info. I am setting the tokenkey to a session.item("sesTokenKey") in the codebehind.

Now we created a page in classic asp, which we need to request("Tokenkey"), which is working fine by passing the arguements via the link, but I need to match it by verifying the session value.

In classic asp its session.content("").

Is there a way around this? I hope I made sense.

Thanks,

Robert

planoie · January 5th, 2007, 03:12 PM

ASP.NET runs in a different process than ASP so they can't share any session data. You could write your own session manager code that works against a persistent data store (database, etc) that both applications could access. Otherwise you'll have to settle for some form of URL -> URL hand-off. (You could put the critical data into a form and do a POST hand-off instead of a GET, that would at least hide the data.

One thing I'd recommend is that you make the page that receives the hand-off be a process only page. Have it process the hand-off, then redirect to another page. That way, the user can't bookmark or share the hand-off receiving page.

Hope this helps.

-Peter

binici · January 5th, 2007, 05:53 PM

Absolutely! I just made it simple and created a redirect page, which sets the requests the values and then sets them! Works like a charm, I just thought that the database method was a lil over kill.

Thank you!

binici · January 5th, 2007, 08:24 PM

planoie:

I have come to another problem. When I do a post,

I am using a LinkButton and using the property PostBackURL
I have asp:hiddenfield and on in the codebehind I set the values. Now, when I click the button, the classic asp page, I use

strValue = request.form("value")

But I am not receiving a value? Am I missing something?

Thanks,

planoie · January 8th, 2007, 10:58 AM

Verify the rendered name of the hidden field in the emitted HTML. If that hidden field is in a user control then it's actual name and ID in the HTML will be more than just the ID you set in the control design (i.e. something like 'loginControl_hidMyHiddenField').

An alternative to posting directly to the ASP page would be to handle the postback normally in ASP.NET (yes, unfortunately it's an extra server round trip, but it might save you some headaches). Then construct the redirect URL pointing to the ASP page and do a regular server redirect to it. That way you can control the names of the fields sent to the ASP page.

IMPORTANT: Avoid changing the ASP page to use the names you see in the rendered markup. Those names are likely to change and most likely won't work if the user control is used on another page.

If you don't need code-behind access to the fields you are posting to the ASP page, you could write them out in literal HTML that ASP.NET won't modify (and thus the control names will not change). However, then you run the possible (though minimal) risk of having a second control with the same name. Be creative with the name and you'll mostly eliminate that problem.

-Peter