ASP to ASP.NET Session Variables

Question

We have a website in classic asp that we are slowly migrating to ASP.NET as necessary.

The problem of course is how classic asp and ASP.NET handle Sessions. After spending the last few hours researching the web, I found many articles, but not one that stood out over the others.

Is there a best practice for transferring session variables from and to classic asp and asp.net? Security is a must and any explanation with examples is much appreciated.

I should be done by the end of this week with a solution that best suits our needs. I will also mention some other methods. Stay posted. — PsychoDUCK, Jul 04 '12 at 13:24

score 8 · Accepted Answer · answered Oct 25 '12 at 11:35

A simple bridge to pass a single session variable from classic asp to .net serverside (hiding your sessionvalue from the client), would be this:

On the ASP end: An asp page to output your session, call it e.g. asp2netbridge.asp

<%
'Make sure it can be only called from local server '
if (request.servervariables("LOCAL_ADDR") = request.servervariables("REMOTE_ADDR")) then
    if (Request.QueryString("sessVar") <> "") then
        response.write Session(Request.QueryString("sessVar"))
    end if
end if
%>

On the .net end, a remote call to that asp page. :

private static string GetAspSession(string sessionValue)
 {
    HttpWebRequest _myRequest = (HttpWebRequest)WebRequest.Create(new Uri("http://yourdomain.com/asp2netbridge.asp?sessVar=" + sessionValue));
    _myRequest.ContentType = "text/html";
    _myRequest.Credentials = CredentialCache.DefaultCredentials;
    if (_myRequest.CookieContainer == null)
        _myRequest.CookieContainer = new CookieContainer();
    foreach (string cookieKey in HttpContext.Current.Request.Cookies.Keys)
    {
        ' it is absolutely necessary to pass the ASPSESSIONID cookie or you will start a new session ! '
        if (cookieKey.StartsWith("ASPSESSIONID")) {
            HttpCookie cookie = HttpContext.Current.Request.Cookies[cookieKey.ToString()];
            _myRequest.CookieContainer.Add(new Cookie(cookie.Name, cookie.Value, cookie.Path, string.IsNullOrEmpty(cookie.Domain)
                ? HttpContext.Current.Request.Url.Host
                : cookie.Domain));
        }
    }
    try
    {
        HttpWebResponse _myWebResponse = (HttpWebResponse)_myRequest.GetResponse();

        StreamReader sr = new StreamReader(_myWebResponse.GetResponseStream());
        return sr.ReadToEnd();
    }
    catch (WebException we)
    {
        return we.Message;
    }
}

@Sajeetharan Not sure what your question is.. The sessionValue is any session variable you want to share, so any string parameter — AardVark71, Feb 10 '15 at 12:15
@AardVark71 Say i have a session variable named "uname" how this code should be mofified? and what do you mean by 'Make sure it can be only called from local server '? — Sajeetharan, Feb 10 '15 at 17:28
@Sajeetharan 1) On the .Net end you work with GetAspSession("uname") then and on the classic asp end you work with Session("uname") ; 2) the if statement makes sure this can be called from the server only [i.e. by .net code from that server) _(request.servervariables("LOCAL_ADDR") = request.servervariables("REMOTE_ADDR"))_ — AardVark71, Feb 11 '15 at 09:08

score 3 · Answer 2 · answered Jun 28 '12 at 20:29

I've used an ajax bridge (for want of a better term), specifically, a classic asp page that reads all session vars into a database with a guid, it then redirects to a .net page passing the guid in the querystring, the asp.net page reads from sql for the given guid and created those vars as sessions.

Eg, in classic asp (pseudocode code - just to give you an idea, use parameterised queries in yours etc):

'#### Create GUID
Dim GUID 'as string
GUID = CreateWindowsGUID() '#### Lots of methods on http://support.microsoft.com/kb/320375

'#### Save session to sql
For Each SessionVar In Session.Contents
   db.execute("INSERT INTO SessionBridge (GUID, Key, Value) VALUES ('" & GUID & "', '" & SessionVar & "', '" & session(SessionVar) & "')")
Next

Then, in a .net page:

'#### Fetch GUID
Dim GUID as string = Request.QueryString("GUID")
session.clear

'#### Fetch from SQL
db.execute(RS, "SELECT * FROM SessionBridge WHERE GUID = '" & GUID & "'")
For Each db_row as datarow in RS.rows
    Session(db_row("Key")) = db_row("Value")
Next

As i say, this is very rough pseudocode, but you can call the asp with a simple background ajax function, then call the .net page for the given GUID.

This has the advantage of not exposing all your vars and values to the client (as post methods do etc).

This is very similar as to what I thought to be a good solution. But got confused based on a Microsoft article which did a similar approach that required security DLLs to be registered and etc. I don't understand why that was necessary. Here is the link http://msdn.microsoft.com/en-us/library/aa479313.aspx. Any idea why all the extra work mentioned in the MSDN article is there? If it is necessary at all? — PsychoDUCK, Jun 29 '12 at 19:52
@PsychoDUCK I think Microsoft's version is more general. You can store any object in a session variable (not just strings), so guess maybe their solution handles that. But if you only store strings in session variables, then this works fine (just be sure the session values don't have quotes or the instruction posted here would probably break) — Rodolfo, Jun 29 '12 at 21:13

score 0 · Answer 3 · answered Jun 28 '12 at 19:09

0

They use different sessions, so you'll need to devise some way of transferring the vars yourself. You could include them in cookies, or send them via HTTP POST (i.e. a form with hidden fields) to the asp.net side.

Alternatively, you could scrap using session storage and stick everything in a database for each user/session, then just pass a session key from classic ASP to ASP.NET via one of the above suggestions. I know this sounds like you're reinventing the wheel, but this might be one of those cases where you just can't get around it.

answered Jun 28 '12 at 19:09

Kyle Trauberman

25,414
13
85
121

I would like this post to consider all solutions and determine or create the 'best' solution, keeping security in mind. Why is one better then the other. Obviously based on certain scenarios one will be better then the other, but there is no clear answer that I could find on the web. – PsychoDUCK Jun 28 '12 at 19:27
There isn't a definitive answer to this question, and it will be impossible to label one answer the "best", as that is a very subjective term. You'll have to do some research and determine what works best for your needs. These are just some ideas, and you should research them based on your needs. – Kyle Trauberman Jun 28 '12 at 20:01
Although for security considerations, I would avoid sending the vars to the client (via cookie, hidden form fields, etc.). Consider a solution similar to my second paragraph, where you store the vars internally, and send an identifier to the client. – Kyle Trauberman Jun 28 '12 at 20:02

score 0 · Answer 4 · answered Jun 29 '12 at 19:46

0

I have a website that does that exact action. The secret is to use an intermediate page with the asp function response.redirect

<%
client_id = session("client_id")
response.redirect "aspx_page.aspx?client_id=" & client_id
%>

This is an example to pull the classic asp session variable client_id and pass it to an aspx page. Your aspx page will need to process it from there.

This needs to be at the top of a classic asp page, with no HTML of any type above. IIS will process this on the server and redirect to the aspx page with the attached query string, without sending the data to the client machine. It's very fast.

answered Jun 29 '12 at 19:46

Lindylead

87
1
14

2

"... without sending the data to the client machine" - Response.Redirect sends the url containing the client_id to the client machine. – Joe Oct 25 '12 at 11:40
@joe could `Server.Transfer` work here instead or am I missing something obvious? – Amit Naidu Dec 14 '12 at 09:41

score 0 · Answer 5 · answered Jul 20 '17 at 13:53

In case anyone else stumbles here looking for some help, another possible option is to use cookies. The benefit of a cookie is that you can store reasonable amounts of data and then persist that data to your .Net application (or another web application). There are security risks with exposing a cookie since that data can be easily manipulated or faked. I would not send sensitive data in a cookie. Here the cookie is only storing a unique identifier that can be used to retrieve data from a table.

The approach:

Grab the session data you need from your classic asp page. Store this data in a table along with a unique hash and a timestamp.
Store the value of the hash in a short-lived cookie.
Redirect to whatever page you need to go and read the hash in the cookie.
Check that the hash in the cookie hasn't expired in the database. If it is valid, send back the data you need to your page and then expire the hash so it can't be reused.

I used a SHA 256 hash that was a combination of the user's unique identifier, session ID, and current timestamp. The hash is valid for only a few minutes and is expired upon reading. The idea is to limit the window for an attacker who would need to guess a valid hash before it expired.

ASP to ASP.NET Session Variables

5 Answers5

Linked

Related