How to share Session securely between Classic ASP and ASP.NET
By John Avis · March 22, 2014 · 3 comments
Looking at the Google search results, it seems that there has been plenty of demand to share Session values between Classic ASP and ASP.NET. This is usually a result of supporting legacy Classic ASP with new development in ASP.NET.
Most of the solutions I found either did not handle sharing securely or required modifications to the Classic ASP code (such as the top ranking Microsoft solution).
Deep into the search results I found what seems like a great solution but doesn't seem to have had much support in the form of comments and social shares.
Like most of the solutions, it uses a Classic ASP script to return requested session variables. But it does this securely by locking down this script to internal requests only (by IP address), and retrieving by a server-side HTTP request. As a server-side request would usually use the user Session of the web server itself rather than the user's Session, the author of this code cleverly retrieves the Classic ASP cookie and passes it in the request headers. A very clever solution.
The only improvement I could suggest is that the IP address could be faked so instead I would possibly suggest using a password protected folder or some other method of authentication.
I also found that when I tried to access the Classic ASP session using the HTTPS protocol it would not work. The only way I could get it to work was to change the IIS setting "New ID On Secure Connect" to false which allows the use of the same Session in both HTTP and HTTPS.
You can find the original solution at http://devproconnections.com/aspnet/share-session-state-between-asp-and-aspnet-apps.
I have used that concept and made my own version that allows you to get or set a Classic ASP Session variable from ASP.NET:
AspSession.cs
/services/aspsession.asp
Most of the solutions I found either did not handle sharing securely or required modifications to the Classic ASP code (such as the top ranking Microsoft solution).
Deep into the search results I found what seems like a great solution but doesn't seem to have had much support in the form of comments and social shares.
Like most of the solutions, it uses a Classic ASP script to return requested session variables. But it does this securely by locking down this script to internal requests only (by IP address), and retrieving by a server-side HTTP request. As a server-side request would usually use the user Session of the web server itself rather than the user's Session, the author of this code cleverly retrieves the Classic ASP cookie and passes it in the request headers. A very clever solution.
The only improvement I could suggest is that the IP address could be faked so instead I would possibly suggest using a password protected folder or some other method of authentication.
I also found that when I tried to access the Classic ASP session using the HTTPS protocol it would not work. The only way I could get it to work was to change the IIS setting "New ID On Secure Connect" to false which allows the use of the same Session in both HTTP and HTTPS.
You can find the original solution at http://devproconnections.com/aspnet/share-session-state-between-asp-and-aspnet-apps.
I have used that concept and made my own version that allows you to get or set a Classic ASP Session variable from ASP.NET:
AspSession.cs
using System;
using System.IO;
using System.Net;
using System.Web;
public class AspSession
{
public static object Get(string name)
{
HttpContext context = HttpContext.Current;
object value = null;
String[] cookies = context.Request.Cookies.AllKeys;
for (int i = 0; i < cookies.Length; i++)
{
HttpCookie cookie = context.Request.Cookies[cookies[i]];
if (cookie.Name.StartsWith("ASPSESSION"))
{
System.Uri uri = context.Request.Url;
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri.Scheme + "://" + uri.Host + ":" + uri.Port.ToString() + "/Services/AspSession.asp?mode=get&name=" + name);
request.Headers.Add("Cookie: " + cookie.Name + "=" + cookie.Value);
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
Stream responseStream = response.GetResponseStream();
System.Text.Encoding encode = System.Text.Encoding.GetEncoding("utf-8");
StreamReader readStream = new StreamReader(responseStream, encode);
value = readStream.ReadToEnd();
response.Close();
readStream.Close();
break;
}
}
return value;
}
public static void Set(string name, object value)
{
HttpContext context = HttpContext.Current;
String[] cookies = context.Request.Cookies.AllKeys;
for (int i = 0; i < cookies.Length; i++)
{
HttpCookie cookie = context.Request.Cookies[cookies[i]];
if (cookie.Name.StartsWith("ASPSESSION"))
{
System.Uri uri = context.Request.Url;
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(uri.Scheme + "://" + uri.Host + ":" + uri.Port.ToString() + "/Services/LegacySession.asp?mode=set&name=" + context.Server.UrlEncode(name) + "&value=" + context.Server.UrlEncode(value.ToString()));
request.Headers.Add("Cookie: " + cookie.Name + "=" + cookie.Value);
HttpWebResponse response = (HttpWebResponse)request.GetResponse();
Stream responseStream = response.GetResponseStream();
break;
}
}
}
}
/services/aspsession.asp
<%
Dim strMode, strName, strValue
If Request.ServerVariables("REMOTE_ADDR") = Request.ServerVariables("LOCAL_ADDR") Then
strMode = Request.QueryString("mode")
strName = Request.QueryString("name")
If strMode = "get" Then
Response.Write(Session(strName))
ElseIf strMode = "set" Then
strValue = Request.QueryString("value")
Session(strName) = strValue
End If
End If
%>
Get the latest posts delivered to your inbox.
About me
...mostly about web development and programming, with a little bit of anything else related to the Internet, computers and technology.
Tags
Subscribe
Get the latest posts delivered to your inbox. *
Comments (3)
Great article!
When session timeout (after 20 minutes), unable to receive cookies anymore. Do you have any suggestion?
Thanks
Nguyen Van Bay
Reply