http to https not keeping session data when running cookieless

  • Question

  • User1280512103 posted
        String originalUrl = "/fxtest3/sub/foo2.aspx";
        String modifiedUrl = "https://localhost" + Response.ApplyAppPathModifier(originalUrl);
        Response.Redirect(modifiedUrl);

    Can someone explain why the above solution does not work for me? I want to maintain session data from http to https and vice versa, and ApplyAppPathModifier is returning exactly what I passed to it. Below is my setting in web.config:

        <sessionState cookieless="true" timeout="10" mode="SQLServer" sqlConnectionString="data source=.;user id=xxxxxx;password=password" />

    I have seen this solution documented many times, so I must be doing something wrong, as it works for others.

    Brent
    Saturday, January 22, 2005 7:50 PM

All replies

  • User-1069184416 posted
    Hello, when using SSL + cookieless session, switching between Http and Https would create a new session. So, what you need to do is use links such as:

        string originalUrl = "~/fxtest3/sub/foo2.aspx";
        Response.Redirect(originalUrl);

    This is assuming all these pages are within SSL protection.

    regards
    Saturday, January 22, 2005 8:00 PM
  • User1280512103 posted
    All pages are not within SSL. I am going from http to https and vice versa and need to keep that session identifier in between calls so that I can preserve the session. The documentation says that Response.ApplyAppPathModifier will return that session identifier, but it's not working for me. Does that make sense?
    Saturday, January 22, 2005 8:50 PM
  • User-1069184416 posted
    Well, if the folder is all SSL, then my method works fine, because I used it. But moving between Http and Https while keeping the same session, I haven't worked on that before. I'll see how to help you soon.

    regards
    Sunday, January 23, 2005 7:33 AM
  • User-1069184416 posted
    Hello, I found this for you; read it well:

    Cookieless Sessions

    Each active ASP.NET session is identified using a 120-bit string made only of URL-allowed characters. The session ID is generated using the Random Number Generator (RNG) cryptographic provider. The service provider returns a sequence of 15 randomly generated numbers (15 bytes x 8 bit = 120 bits). The array of random numbers is then mapped to valid URL characters and returned as a string.

    The session ID string is communicated to the browser and then returned to the server application in one of two ways: by using cookies (as in classic ASP) or a modified URL. By default, the session-state module creates an HTTP cookie on the client, but a modified URL can be used—especially for cookieless browsers—with the session ID string embedded. Which approach is taken depends upon the configuration settings stored in the application's web.config file. To configure session settings, you use the <sessionState> section and the cookieless attribute.

        <sessionState cookieless="true|false" />

    By default, the cookieless attribute is false, meaning that cookies are used. A cookie is really nothing more than a text file placed on the client's hard disk by a Web page. In ASP.NET, a cookie is represented by an instance of the HttpCookie class. Typically, a cookie has a name, a collection of values, and an expiration time. When the cookieless attribute setting is false, the session-state module actually creates a cookie named ASP.NET_SessionId and stores the session ID in it. The cookie is created as the following pseudocode shows:

        HttpCookie sessionCookie;
        sessionCookie = new HttpCookie("ASP.NET_SessionId", sessionID);
        sessionCookie.Path = "/";

    A session cookie is given a very short expiration term and is renewed at the end of each successful request. The cookie's Expires property indicates the time of day on the client at which the cookie expires. If not explicitly set, as is the case with session cookies, the Expires property defaults to DateTime.MinValue—that is, the smallest possible unit of time allowed in the .NET Framework.

    To disable session cookies, you set the cookieless attribute to true in the configuration file, as shown here:

        <configuration>
          <system.web>
            <sessionState cookieless="true" />
          </system.web>
        </configuration>

    At this point, suppose that you request a page at the following URL:

        http://www.contoso.com/sample.aspx

    What is really displayed in the browser's address bar is slightly different and now includes the session ID, as shown here:

        http://www.contoso.com/(5ylg0455mrvws1uz5mmaau45)/sample.aspx

    When instantiated, the session-state HTTP module checks the value of the cookieless attribute. If true, the request is redirected (HTTP 302) to a modified virtual URL that includes the session ID just before the page name. When processed again, the request embeds the session ID. If the request starts a new session, the HTTP module generates a new session ID and then redirects the request. If the request is a postback, the session ID is already there because postbacks use relative URLs.

    The drawback of using cookieless sessions is that the session state is lost if an absolute URL is invoked. When cookies are used, you can clear the address bar, go to another application, and then return to the previous one and retrieve the same session values. If you do this when session cookies are disabled, the session data is lost. For example, the following code breaks the session:

        Click

    If you need to use absolute URLs, resort to a little trick and manually add the session ID to the URL. You use the ApplyAppPathModifier method on the HttpResponse class.

        >Click

    The ApplyAppPathModifier method takes a string representing a URL and returns an absolute URL, which embeds session information. For example, this trick is especially useful in situations in which you need to redirect from a HTTP page to an HTTPS page.

    regards
    Sunday, January 23, 2005 7:42 AM
  • User1280512103 posted
    Thanks for your response. The solution you posted was in my first post. My question was addressing why this did not work. Take this code and place it in your code-behind. Execute it on the click event of a button. Inspect the string modifiedUrl, and what I am seeing is that it does NOT contain the session identifier. I have also pasted my web config setting so you can see that I have cookieless="true". ApplyAppPathModifier is not modifying the passed-in URL. This will occur if running cookieless="false", but that's NOT what I am doing.

        private void Button1_Click(object sender, System.EventArgs e)
        {
            string originalUrl = "/fxtest3/sub/foo2.aspx";
            string modifiedUrl = "https://localhost" + Response.ApplyAppPathModifier(originalUrl);
            Response.Redirect(modifiedUrl);
        }

    Here is my web config setting:

        <sessionState cookieless="true" timeout="10" mode="SQLServer" sqlConnectionString="data source=.;user id=xxxxx;password=password" />

    These are comments straight from MSDN help:

    Parameters
        virtualPath: The virtual path to a resource.
    Return Value
        The virtualPath with the session ID inserted.
    Remarks
        ApplyAppPathModifier is used only with cookieless sessions to construct absolute HREFs.
    Sunday, January 23, 2005 8:10 AM
  • User1280512103 posted
    Are you giving up on me, Bilal? I found a workaround of getting the URL with the session ID on the client side and placing it into a hidden textBox so I can build the correct URL on the server for a redirect. I really would like to know why ApplyAppPathModifier does not work, though. I will save you some time and send you a test page if you want to see for yourself.

    Brent
    Monday, January 24, 2005 7:31 PM
  • User-1069184416 posted
    Well I am not giving up, I am anxious to know how this issue is going to be solved. In fact, I find SSL + FormsAuthentication + Cookieless SessionState the best combination to implement security in .NET, I will try more and more to get an explanation for that. Best of luck. regards
    Saturday, January 29, 2005 3:04 PM
  • User-1069184416 posted
    Hello, I was wondering if you could implement the thingy manually by getting the sessionId as follows:

        String originalUrl = "/sub/foo2.aspx";
        String modifiedUrl = "https://localhost/fxtest3/" + "(" + Session.SessionID + ")" + originalUrl;
        Response.Redirect(modifiedUrl);

    Please try that and let me know what happens.

    regards
    Saturday, January 29, 2005 3:19 PM
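
Added example, not part of any post in this thread and not ASP.NET's own code: a stand-alone C# helper that builds the redirect target by hand, as the last reply suggests, placing the `(sessionId)` segment right after the application path as in the contoso URL quoted above. The names `CookielessUrl`, `WithSession` and `Absolute` are hypothetical, and the `(id)` segment format is assumed to be the one shown in the thread.

```csharp
using System;
using System.Text.RegularExpressions;

// Added illustration; CookielessUrl and its members are hypothetical names,
// not ASP.NET APIs. The "(id)" segment format is the one shown in the thread.
public static class CookielessUrl
{
    // Matches an existing "(...)" path segment, e.g. /(5ylg0455mrvws1uz5mmaau45)/
    private static readonly Regex Segment = new Regex(@"/\([^/()]+\)(?=/)");

    // Inserts "(sessionId)" directly after the application path.
    public static string WithSession(string appPath, string sessionId, string virtualPath)
    {
        if (string.IsNullOrEmpty(sessionId))
            throw new ArgumentException("No session ID available", "sessionId");

        string root = appPath.TrimEnd('/');                 // "/" becomes ""
        string path = Segment.Replace(virtualPath, "", 1);  // drop a segment already present

        // Only rewrite paths that belong to this application.
        if (!path.StartsWith(root + "/", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Path is outside the application", "virtualPath");

        return root + "/(" + sessionId + ")" + path.Substring(root.Length);
    }

    // Absolute URL for an http <-> https switch that carries the same session ID.
    public static string Absolute(string scheme, string host, string appPath,
                                  string sessionId, string virtualPath)
    {
        return scheme + "://" + host + WithSession(appPath, sessionId, virtualPath);
    }

    public static void Main()
    {
        string id = "5ylg0455mrvws1uz5mmaau45"; // sample ID quoted in the thread

        // Plain application path, as in the original question.
        Console.WriteLine(Absolute("https", "localhost", "/fxtest3", id,
                                   "/fxtest3/sub/foo2.aspx"));

        // A path that already carries a segment does not get a second one.
        Console.WriteLine(WithSession("/fxtest3", id,
                                      "/fxtest3/(" + id + ")/sub/foo2.aspx"));
    }
}
```

In a page, `sessionId` would come from `Session.SessionID` and `appPath` from `Request.ApplicationPath`.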