We have a website in classic asp that we are slowly migrating to ASP.NET as necessary.
我们有一个经典asp的网站,我们正在慢慢迁移到ASP.NET。
The problem of course is how classic asp and ASP.NET handle Sessions. After spending the last few hours researching the web, I found many articles, but not one that stood out over the others.
问题当然是经典的asp和ASP.NET如何处理Sessions。在花了最后几个小时研究网络后,我发现了很多文章,但没有一篇文章比其他文章更突出。
Is there a best practice for transferring session variables from and to classic asp and asp.net? Security is a must and any explanation with examples is much appreciated.
是否有最佳实践将会话变量传递给经典的asp和asp.net?安全是必须的,并且非常感谢任何带有示例的解释。
5 个解决方案
#1
5
A simple bridge to pass a single session variable from classic asp to .net serverside (hiding your sessionvalue from the client), would be this:
将经典asp中的单个会话变量传递给.net服务器端(从客户端隐藏会话值)的简单桥接器将是:
-
On the ASP end: An asp page to output your session, call it e.g. asp2netbridge.asp
在ASP端:输出会话的asp页面,例如调用它asp2netbridge.asp
<% 'Make sure it can be only called from local server ' if (request.servervariables("LOCAL_ADDR") = request.servervariables("REMOTE_ADDR")) then if (Request.QueryString("sessVar") <> "") then response.write Session(Request.QueryString("sessVar")) end if end if %>
-
On the .net end, a remote call to that asp page. :
在.net端,远程调用该asp页面。 :
private static string GetAspSession(string sessionValue) { HttpWebRequest _myRequest = (HttpWebRequest)WebRequest.Create(new Uri("http://yourdomain.com/asp2netbridge.asp?sessVar=" + sessionValue)); _myRequest.ContentType = "text/html"; _myRequest.Credentials = CredentialCache.DefaultCredentials; if (_myRequest.CookieContainer == null) _myRequest.CookieContainer = new CookieContainer(); foreach (string cookieKey in HttpContext.Current.Request.Cookies.Keys) { ' it is absolutely necessary to pass the ASPSESSIONID cookie or you will start a new session ! ' if (cookieKey.StartsWith("ASPSESSIONID")) { HttpCookie cookie = HttpContext.Current.Request.Cookies[cookieKey.ToString()]; _myRequest.CookieContainer.Add(new Cookie(cookie.Name, cookie.Value, cookie.Path, string.IsNullOrEmpty(cookie.Domain) ? HttpContext.Current.Request.Url.Host : cookie.Domain)); } } try { HttpWebResponse _myWebResponse = (HttpWebResponse)_myRequest.GetResponse(); StreamReader sr = new StreamReader(_myWebResponse.GetResponseStream()); return sr.ReadToEnd(); } catch (WebException we) { return we.Message; } }
#2
3
I've used an ajax bridge (for want of a better term), specifically, a classic asp page that reads all session vars into a database with a guid, it then redirects to a .net page passing the guid in the querystring, the asp.net page reads from sql for the given guid and created those vars as sessions.
我使用了一个ajax桥(为了更好的术语),特别是一个经典的asp页面,它将所有会话变量读入带有guid的数据库,然后重定向到.net页面,在查询字符串中传递guid, asp.net页面从sql读取给定的guid并将这些变量创建为会话。
Eg, in classic asp (pseudocode code - just to give you an idea, use parameterised queries in yours etc):
例如,在经典的asp(伪代码 - 只是为了给你一个想法,在你的使用参数化查询等):
'#### Create GUID
Dim GUID 'as string
GUID = CreateWindowsGUID() '#### Lots of methods on http://support.microsoft.com/kb/320375
'#### Save session to sql
For Each SessionVar In Session.Contents
db.execute("INSERT INTO SessionBridge (GUID, Key, Value) VALUES ('" & GUID & "', '" & SessionVar & "', '" & session(SessionVar) & "')")
Next
Then, in a .net page:
然后,在.net页面中:
'#### Fetch GUID
Dim GUID as string = Request.QueryString("GUID")
session.clear
'#### Fetch from SQL
db.execute(RS, "SELECT * FROM SessionBridge WHERE GUID = '" & GUID & "'")
For Each db_row as datarow in RS.rows
Session(db_row("Key")) = db_row("Value")
Next
As i say, this is very rough pseudocode, but you can call the asp with a simple background ajax function, then call the .net page for the given GUID.
正如我所说,这是非常粗糙的伪代码,但你可以用简单的后台ajax函数调用asp,然后调用给定GUID的.net页面。
This has the advantage of not exposing all your vars and values to the client (as post methods do etc).
这样做的好处是不会将所有变量和值暴露给客户端(如post方法等)。
#3
0
They use different sessions, so you'll need to devise some way of transferring the vars yourself. You could include them in cookies, or send them via HTTP POST (i.e. a form with hidden fields) to the asp.net side.
他们使用不同的会话,因此您需要设计一些自己转移变量的方法。您可以将它们包含在cookie中,或者通过HTTP POST(即带有隐藏字段的表单)将它们发送到asp.net端。
Alternatively, you could scrap using session storage and stick everything in a database for each user/session, then just pass a session key from classic ASP to ASP.NET via one of the above suggestions. I know this sounds like you're reinventing the wheel, but this might be one of those cases where you just can't get around it.
或者,您可以使用会话存储进行废弃,并将数据库中的所有内容粘贴到每个用户/会话,然后通过上述建议之一将会话密钥从经典ASP传递到ASP.NET。我知道这听起来像你正在重新发明*,但这可能是你无法绕过它的情况之一。
#4
0
I have a website that does that exact action. The secret is to use an intermediate page with the asp function response.redirect
我有一个网站,可以做到这一切。秘诀是使用带有asp函数response.redirect的中间页面
<%
client_id = session("client_id")
response.redirect "aspx_page.aspx?client_id=" & client_id
%>
This is an example to pull the classic asp session variable client_id and pass it to an aspx page. Your aspx page will need to process it from there.
这是拉动经典的asp会话变量client_id并将其传递给aspx页面的示例。您的aspx页面需要从那里处理它。
This needs to be at the top of a classic asp page, with no HTML of any type above. IIS will process this on the server and redirect to the aspx page with the attached query string, without sending the data to the client machine. It's very fast.
这需要位于经典asp页面的顶部,上面没有任何类型的HTML。 IIS将在服务器上处理此问题,并使用附加的查询字符串重定向到aspx页面,而不将数据发送到客户端计算机。它非常快。
#5
0
In case anyone else stumbles here looking for some help, another possible option is to use cookies. The benefit of a cookie is that you can store reasonable amounts of data and then persist that data to your .Net application (or another web application). There are security risks with exposing a cookie since that data can be easily manipulated or faked. I would not send sensitive data in a cookie. Here the cookie is only storing a unique identifier that can be used to retrieve data from a table.
如果其他人偶然发现寻求帮助,另一种可能的选择是使用cookies。 Cookie的好处是您可以存储合理数量的数据,然后将该数据保存到.Net应用程序(或其他Web应用程序)。暴露cookie存在安全风险,因为这些数据很容易被操纵或伪造。我不会在cookie中发送敏感数据。这里cookie只存储一个唯一的标识符,可用于从表中检索数据。
The approach:
该方法:
- Grab the session data you need from your classic asp page. Store this data in a table along with a unique hash and a timestamp.
- 从经典的asp页面中获取所需的会话数据。将此数据与唯一哈希和时间戳一起存储在表中。
- Store the value of the hash in a short-lived cookie.
- 将哈希值存储在短期cookie中。
- Redirect to whatever page you need to go and read the hash in the cookie.
- 重定向到您需要去的任何页面并读取cookie中的哈希值。
- Check that the hash in the cookie hasn't expired in the database. If it is valid, send back the data you need to your page and then expire the hash so it can't be reused.
- 检查cookie中的哈希值是否未在数据库中过期。如果它有效,则将您需要的数据发送回页面,然后使哈希值过期,以便不能重复使用。
I used a SHA 256 hash that was a combination of the user's unique identifier, session ID, and current timestamp. The hash is valid for only a few minutes and is expired upon reading. The idea is to limit the window for an attacker who would need to guess a valid hash before it expired.
我使用SHA 256哈希,它是用户唯一标识符,会话ID和当前时间戳的组合。哈希值只有几分钟有效,并在阅读时过期。这个想法是限制攻击者的窗口,攻击者需要在过期之前猜测有效哈希。
#1
5
A simple bridge to pass a single session variable from classic asp to .net serverside (hiding your sessionvalue from the client), would be this:
将经典asp中的单个会话变量传递给.net服务器端(从客户端隐藏会话值)的简单桥接器将是:
-
On the ASP end: An asp page to output your session, call it e.g. asp2netbridge.asp
在ASP端:输出会话的asp页面,例如调用它asp2netbridge.asp
<% 'Make sure it can be only called from local server ' if (request.servervariables("LOCAL_ADDR") = request.servervariables("REMOTE_ADDR")) then if (Request.QueryString("sessVar") <> "") then response.write Session(Request.QueryString("sessVar")) end if end if %>
-
On the .net end, a remote call to that asp page. :
在.net端,远程调用该asp页面。 :
private static string GetAspSession(string sessionValue) { HttpWebRequest _myRequest = (HttpWebRequest)WebRequest.Create(new Uri("http://yourdomain.com/asp2netbridge.asp?sessVar=" + sessionValue)); _myRequest.ContentType = "text/html"; _myRequest.Credentials = CredentialCache.DefaultCredentials; if (_myRequest.CookieContainer == null) _myRequest.CookieContainer = new CookieContainer(); foreach (string cookieKey in HttpContext.Current.Request.Cookies.Keys) { ' it is absolutely necessary to pass the ASPSESSIONID cookie or you will start a new session ! ' if (cookieKey.StartsWith("ASPSESSIONID")) { HttpCookie cookie = HttpContext.Current.Request.Cookies[cookieKey.ToString()]; _myRequest.CookieContainer.Add(new Cookie(cookie.Name, cookie.Value, cookie.Path, string.IsNullOrEmpty(cookie.Domain) ? HttpContext.Current.Request.Url.Host : cookie.Domain)); } } try { HttpWebResponse _myWebResponse = (HttpWebResponse)_myRequest.GetResponse(); StreamReader sr = new StreamReader(_myWebResponse.GetResponseStream()); return sr.ReadToEnd(); } catch (WebException we) { return we.Message; } }
#2
3
I've used an ajax bridge (for want of a better term), specifically, a classic asp page that reads all session vars into a database with a guid, it then redirects to a .net page passing the guid in the querystring, the asp.net page reads from sql for the given guid and created those vars as sessions.
我使用了一个ajax桥(为了更好的术语),特别是一个经典的asp页面,它将所有会话变量读入带有guid的数据库,然后重定向到.net页面,在查询字符串中传递guid, asp.net页面从sql读取给定的guid并将这些变量创建为会话。
Eg, in classic asp (pseudocode code - just to give you an idea, use parameterised queries in yours etc):
例如,在经典的asp(伪代码 - 只是为了给你一个想法,在你的使用参数化查询等):
'#### Create GUID
Dim GUID 'as string
GUID = CreateWindowsGUID() '#### Lots of methods on http://support.microsoft.com/kb/320375
'#### Save session to sql
For Each SessionVar In Session.Contents
db.execute("INSERT INTO SessionBridge (GUID, Key, Value) VALUES ('" & GUID & "', '" & SessionVar & "', '" & session(SessionVar) & "')")
Next
Then, in a .net page:
然后,在.net页面中:
'#### Fetch GUID
Dim GUID as string = Request.QueryString("GUID")
session.clear
'#### Fetch from SQL
db.execute(RS, "SELECT * FROM SessionBridge WHERE GUID = '" & GUID & "'")
For Each db_row as datarow in RS.rows
Session(db_row("Key")) = db_row("Value")
Next
As i say, this is very rough pseudocode, but you can call the asp with a simple background ajax function, then call the .net page for the given GUID.
正如我所说,这是非常粗糙的伪代码,但你可以用简单的后台ajax函数调用asp,然后调用给定GUID的.net页面。
This has the advantage of not exposing all your vars and values to the client (as post methods do etc).
这样做的好处是不会将所有变量和值暴露给客户端(如post方法等)。
#3
0
They use different sessions, so you'll need to devise some way of transferring the vars yourself. You could include them in cookies, or send them via HTTP POST (i.e. a form with hidden fields) to the asp.net side.
他们使用不同的会话,因此您需要设计一些自己转移变量的方法。您可以将它们包含在cookie中,或者通过HTTP POST(即带有隐藏字段的表单)将它们发送到asp.net端。
Alternatively, you could scrap using session storage and stick everything in a database for each user/session, then just pass a session key from classic ASP to ASP.NET via one of the above suggestions. I know this sounds like you're reinventing the wheel, but this might be one of those cases where you just can't get around it.
或者,您可以使用会话存储进行废弃,并将数据库中的所有内容粘贴到每个用户/会话,然后通过上述建议之一将会话密钥从经典ASP传递到ASP.NET。我知道这听起来像你正在重新发明*,但这可能是你无法绕过它的情况之一。
#4
0
I have a website that does that exact action. The secret is to use an intermediate page with the asp function response.redirect
我有一个网站,可以做到这一切。秘诀是使用带有asp函数response.redirect的中间页面
<%
client_id = session("client_id")
response.redirect "aspx_page.aspx?client_id=" & client_id
%>
This is an example to pull the classic asp session variable client_id and pass it to an aspx page. Your aspx page will need to process it from there.
这是拉动经典的asp会话变量client_id并将其传递给aspx页面的示例。您的aspx页面需要从那里处理它。
This needs to be at the top of a classic asp page, with no HTML of any type above. IIS will process this on the server and redirect to the aspx page with the attached query string, without sending the data to the client machine. It's very fast.
这需要位于经典asp页面的顶部,上面没有任何类型的HTML。 IIS将在服务器上处理此问题,并使用附加的查询字符串重定向到aspx页面,而不将数据发送到客户端计算机。它非常快。
#5
0
In case anyone else stumbles here looking for some help, another possible option is to use cookies. The benefit of a cookie is that you can store reasonable amounts of data and then persist that data to your .Net application (or another web application). There are security risks with exposing a cookie since that data can be easily manipulated or faked. I would not send sensitive data in a cookie. Here the cookie is only storing a unique identifier that can be used to retrieve data from a table.
如果其他人偶然发现寻求帮助,另一种可能的选择是使用cookies。 Cookie的好处是您可以存储合理数量的数据,然后将该数据保存到.Net应用程序(或其他Web应用程序)。暴露cookie存在安全风险,因为这些数据很容易被操纵或伪造。我不会在cookie中发送敏感数据。这里cookie只存储一个唯一的标识符,可用于从表中检索数据。
The approach:
该方法:
- Grab the session data you need from your classic asp page. Store this data in a table along with a unique hash and a timestamp.
- 从经典的asp页面中获取所需的会话数据。将此数据与唯一哈希和时间戳一起存储在表中。
- Store the value of the hash in a short-lived cookie.
- 将哈希值存储在短期cookie中。
- Redirect to whatever page you need to go and read the hash in the cookie.
- 重定向到您需要去的任何页面并读取cookie中的哈希值。
- Check that the hash in the cookie hasn't expired in the database. If it is valid, send back the data you need to your page and then expire the hash so it can't be reused.
- 检查cookie中的哈希值是否未在数据库中过期。如果它有效,则将您需要的数据发送回页面,然后使哈希值过期,以便不能重复使用。
I used a SHA 256 hash that was a combination of the user's unique identifier, session ID, and current timestamp. The hash is valid for only a few minutes and is expired upon reading. The idea is to limit the window for an attacker who would need to guess a valid hash before it expired.
我使用SHA 256哈希,它是用户唯一标识符,会话ID和当前时间戳的组合。哈希值只有几分钟有效,并在阅读时过期。这个想法是限制攻击者的窗口,攻击者需要在过期之前猜测有效哈希。