In a previous job we had a classic ASP application that no one wanted to migrate to ASP.NET. The things that it did, it did very well.
在以前的工作中,我们有一个经典的ASP应用程序,没有人想要迁移到ASP.NET。它所做的事情,做得很好。
However there was some new functionality that needed to be added that just seemed best suited to ASP.NET. The decision was made to allow the system to become a weird hybrid of ASP and ASP.NET.
然而,有一些新功能需要添加,看起来最适合ASP.NET。这个决定是为了让这个系统成为ASP和ASP.NET的奇怪混合。
Our biggest sticking point was session management and we hacked together a solution to pass session values through form variables. I've talked to others that handled this same problem through cookies.
我们最大的症结是会话管理,我们拼凑了一个解决方案,通过表单变量传递会话值。我已经和其他通过cookie处理同样问题的人谈过了。
Both methods seem a horrible kluge (in addition to being terribly insecure).
这两种方法看起来都很糟糕(除了非常不安全)。
Is there a better or cleaner way or is this just such a bad idea to begin with that discussion on the topic is pointless?
有没有更好或更干净的方式,或者这只是一个如此糟糕的想法,开始讨论这个话题是毫无意义的?
5 个解决方案
#1
8
Can you not persist session data to a serverside data store? ie XML file, database etc. You could then pass just a hash (calculated based on some criteria that securely identifies the session) to a .NET page which can the pick the data up from the data store using this identifier and populate your session data. It still means having to pass requests from ASP to ASP.NET through a proxy each time to ensure the latest session data is available in each app but I don't know of an alternative way to achieve this I'm afraid.
不能将会话数据持久化到服务器端数据存储中吗?然后,您可以将一个散列(基于一些安全标识会话的标准进行计算)传递到. net页面,该页面可以使用该标识符从数据存储中提取数据并填充会话数据。它仍然意味着必须将请求从ASP传递到ASP。NET通过一个代理来确保每个应用程序都有最新的会话数据,但是我不知道有什么替代方法来实现这一点。
#2
5
I have had to deal with the same problem. In my case, I encrypted a key into a cookie and used the database for any other information. I wrote the encryption in .NET and inter-op'd to decrypt the id on the ASP side. There is some weirdness dealing with base-64 string in that ASP will not get the same string as .NET, so you may have to do as I did and rewrite the base-64 string to hex equivalent or some similar lowest-common-denominator tactic. It is relatively secure (save a XSS attack).
我不得不处理同样的问题。在我的例子中,我将一个密钥加密到一个cookie中,并使用数据库获取任何其他信息。我在。net和inter-op中编写了加密来解密ASP端的id。在ASP中处理base-64字符串有一些古怪之处,它不会得到与。net相同的字符串,所以您可能需要像我那样做,并将base-64字符串重写为十六进制等价或类似的最小公分母策略。它相对安全(保存XSS攻击)。
#3
1
Well, ultimately the best idea would probably to have converted the ASP app to .NET. I think that probably goes without saying though. If security is a big concern there are steps you can take as far as encryption and maintaining the integrity of the session information, to make it more secure, such as some symmetrical encryption and hashing and what not.
好吧,最终最好的想法可能是把ASP应用程序转换成。net。我想这是不言而喻的。如果安全性是一个大问题,那么您可以采取一些步骤,比如加密和维护会话信息的完整性,以使其更安全,比如一些对称加密和散列等等。
#4
1
I dont know of any cleaner way to do this in the general case. But perhaps you can describe more specifically what state you have to share between the systems? There may be a cleaner solution in your specific case. Session object state are not always the best way of keeping state.
在一般情况下,我想不出有更简便的方法来做这件事。但是,也许您可以更具体地描述您需要在系统之间共享什么状态?在您的特定情况下,可能有一个更干净的解决方案。会话对象状态并不总是保持状态的最佳方式。
#5
1
I would have to agree with Wes P ... what are the long-term goals? If the long-term goal is migrate the classic ASP application to ASP.NET then I think I short-term fix, whatever it may be, will work. If the long-term is to keep the classic ASP application then you would be better off going with a more robust solution for session management, similar to what Oglester recommended.
我不得不同意Wes P…长期目标是什么?如果长期目标是将经典的ASP应用程序迁移到ASP。那么我认为我的短期修正,不管它是什么,都会起作用。如果长期的目标是保持经典的ASP应用程序,那么您最好使用更健壮的会话管理解决方案,类似于Oglester所建议的。
#1
8
Can you not persist session data to a serverside data store? ie XML file, database etc. You could then pass just a hash (calculated based on some criteria that securely identifies the session) to a .NET page which can the pick the data up from the data store using this identifier and populate your session data. It still means having to pass requests from ASP to ASP.NET through a proxy each time to ensure the latest session data is available in each app but I don't know of an alternative way to achieve this I'm afraid.
不能将会话数据持久化到服务器端数据存储中吗?然后,您可以将一个散列(基于一些安全标识会话的标准进行计算)传递到. net页面,该页面可以使用该标识符从数据存储中提取数据并填充会话数据。它仍然意味着必须将请求从ASP传递到ASP。NET通过一个代理来确保每个应用程序都有最新的会话数据,但是我不知道有什么替代方法来实现这一点。
#2
5
I have had to deal with the same problem. In my case, I encrypted a key into a cookie and used the database for any other information. I wrote the encryption in .NET and inter-op'd to decrypt the id on the ASP side. There is some weirdness dealing with base-64 string in that ASP will not get the same string as .NET, so you may have to do as I did and rewrite the base-64 string to hex equivalent or some similar lowest-common-denominator tactic. It is relatively secure (save a XSS attack).
我不得不处理同样的问题。在我的例子中,我将一个密钥加密到一个cookie中,并使用数据库获取任何其他信息。我在。net和inter-op中编写了加密来解密ASP端的id。在ASP中处理base-64字符串有一些古怪之处,它不会得到与。net相同的字符串,所以您可能需要像我那样做,并将base-64字符串重写为十六进制等价或类似的最小公分母策略。它相对安全(保存XSS攻击)。
#3
1
Well, ultimately the best idea would probably to have converted the ASP app to .NET. I think that probably goes without saying though. If security is a big concern there are steps you can take as far as encryption and maintaining the integrity of the session information, to make it more secure, such as some symmetrical encryption and hashing and what not.
好吧,最终最好的想法可能是把ASP应用程序转换成。net。我想这是不言而喻的。如果安全性是一个大问题,那么您可以采取一些步骤,比如加密和维护会话信息的完整性,以使其更安全,比如一些对称加密和散列等等。
#4
1
I dont know of any cleaner way to do this in the general case. But perhaps you can describe more specifically what state you have to share between the systems? There may be a cleaner solution in your specific case. Session object state are not always the best way of keeping state.
在一般情况下,我想不出有更简便的方法来做这件事。但是,也许您可以更具体地描述您需要在系统之间共享什么状态?在您的特定情况下,可能有一个更干净的解决方案。会话对象状态并不总是保持状态的最佳方式。
#5
1
I would have to agree with Wes P ... what are the long-term goals? If the long-term goal is migrate the classic ASP application to ASP.NET then I think I short-term fix, whatever it may be, will work. If the long-term is to keep the classic ASP application then you would be better off going with a more robust solution for session management, similar to what Oglester recommended.
我不得不同意Wes P…长期目标是什么?如果长期目标是将经典的ASP应用程序迁移到ASP。那么我认为我的短期修正,不管它是什么,都会起作用。如果长期的目标是保持经典的ASP应用程序,那么您最好使用更健壮的会话管理解决方案,类似于Oglester所建议的。