
I want to use the approach that phpBB uses (with its PHP Session ID passed as a GET parameter of the HTTP request, like http(s)://server/page.php?sid=somestring ). PHP generates an ID that is 26 characters long and ASP.NET generates one that is 24 characters long.

ASP.NET changes/rewrites the URL instead, which I want to avoid.

How it is implemented in ASP.NET ( https://msdn.microsoft.com/en-us/library/aa479314.aspx ):

  1. Web.Config contains something similar to

    <sessionState
     cookieless="AutoDetect"
     sessionIDManagerType="NyNamespace.MyCustomSessionManager, CustomAssemblyNameInBinFolder"
    >
    </sessionState>
    
  2. Request is processed by MyCustomSessionManager (derived from ISessionIDManager) with GetSessionID method (which uses Validate method internally)

  3. obtained ID is used within framework (it's not important for now - how exactly)

...

  1. during rendering, the code uses the Response.ApplyAppPathModifier method, which checks the Session.IsCookieless property and modifies the URL if the user disabled cookies.

  2. generated page with modified URLs is sent to browser

    http://yourserver/folder/(session ID here)/default.aspx
    

I don't want to use these scary URLs.

I am aware of 3 problems with the cookieless approach:

  • ability to publish URL with session ID (I will protect from this with fingerprinting and timestamping)

  • ability to connect from different tabs of browser into same session (it can be solved later)

  • some people refer to HTTP standards and say that these standards prohibit using GET and POST parameters at the same time. (I have a different understanding of these RFCs - it is possible to use any parameters in the URI in addition to POST parameters, so I will use both types of parameters at the same time)

I want to do the following:

  1. Modify MyCustomSessionManager to extract the Session ID from a GET parameter of the request, instead of a URL part

  2. generate a 26-character ID based on a digital fingerprint (to be able to verify it later) instead of the default one

  3. use Response.Filter to replace/patch URLs to id-in-get-parameter in output as in http://www.drdobbs.com/windows/post-processing-the-output-of-aspnet-pag/212001499

Additionally I want to override ApplyAppPathModifier on HttpResponse (which is sealed, but there is HttpResponseWrapper class).
But I don't know when to replace response to response wrapper.

Is this a viable approach?

There are several similar questions:
Cookieless session from URL to QueryString
Use Session ID from supplied parameter instead of default behavior in ASP.NET MVC3
And some which I can't find again

I am asking mine because I didn't understand exactly how to implement writing the session ID into a GET parameter of the HTTP request.

user1709408
  • By "GET parameter", do you mean a request header? –  Jul 16 '15 at 20:40
  • No, not a header. I mean parameters which are passed in a GET request (as opposed to form fields, which are parameters of a POST request), i.e. http(s)://site.domain.org/page.aspx?GetParameterName=GetParameterValue – user1709408 Jul 16 '15 at 20:50
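
One way to make the ID from step 2 verifiable, as an added example that is not part of the original post: the ID carries a random nonce, its issue time and an HMAC over both plus the client fingerprint, so validation can reject IDs that are forged, expired or presented with a different fingerprint. `SignedSid`, the fingerprint string and the server-side key are assumptions, and the ID is 54 characters rather than 26 because a nonce, timestamp and MAC do not fit in 26.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Token layout (added example): base64url(nonce[16] || issuedAtTicks[8] || mac[16]),
// mac = first 16 bytes of HMAC-SHA256(key, nonce || issuedAtTicks || fingerprint).
public static class SignedSid
{
    const int NonceLen = 16, TimeLen = 8, MacLen = 16, SidLen = 54; // 40 bytes -> 54 chars

    // fingerprint: assumed to be a string the server derives per request (e.g. User-Agent).
    public static string Create(string fingerprint, byte[] key, DateTime utcNow)
    {
        byte[] token = new byte[NonceLen + TimeLen + MacLen];
        byte[] nonce = new byte[NonceLen];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        Buffer.BlockCopy(nonce, 0, token, 0, NonceLen);
        Buffer.BlockCopy(BitConverter.GetBytes(utcNow.Ticks), 0, token, NonceLen, TimeLen);
        Buffer.BlockCopy(Mac(token, fingerprint, key), 0, token, NonceLen + TimeLen, MacLen);
        return Convert.ToBase64String(token).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static bool Validate(string sid, string fingerprint, byte[] key,
                                DateTime utcNow, TimeSpan maxAge)
    {
        if (sid == null || sid.Length != SidLen) return false;
        byte[] token;
        try { token = Convert.FromBase64String(sid.Replace('-', '+').Replace('_', '/') + "=="); }
        catch (FormatException) { return false; }
        if (token.Length != NonceLen + TimeLen + MacLen) return false;

        byte[] expected = Mac(token, fingerprint, key);
        int diff = 0; // compare without an early exit so timing does not leak the MAC
        for (int i = 0; i < MacLen; i++) diff |= expected[i] ^ token[NonceLen + TimeLen + i];
        if (diff != 0) return false; // forged, altered, or issued for another fingerprint

        long age = utcNow.Ticks - BitConverter.ToInt64(token, NonceLen);
        return age >= 0 && age <= maxAge.Ticks; // reject expired or future-dated IDs
    }

    static byte[] Mac(byte[] token, string fingerprint, byte[] key)
    {
        byte[] fp = Encoding.UTF8.GetBytes(fingerprint ?? "");
        byte[] msg = new byte[NonceLen + TimeLen + fp.Length];
        Buffer.BlockCopy(token, 0, msg, 0, NonceLen + TimeLen);
        Buffer.BlockCopy(fp, 0, msg, NonceLen + TimeLen, fp.Length);
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(msg);
    }
}
```

A custom ISessionIDManager could call `SignedSid.Validate` on the value it reads from the `sid` query-string parameter in GetSessionID, and `SignedSid.Create` in CreateSessionID.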

0 Answers