How exactly ASP page maintains session?

  • Julia

    How exactly ASP page maintains session?


    Hi,

    I have the following scenario:

    Page A.asp calls page B.asp.
    Page B.asp needs to load page C.asp, make some changes and return
    the result to IE.

    When A.asp first runs, IIS creates a session object,
    and B.asp needs to pass the session cookie(?) to C.asp.

    How exactly does an ASP page maintain sessions?
    How can I pass the session from A to C using B?

    Note that B is in a different domain.

    thanks


  • Evertjan.

    #2
    Re: How exactly ASP page maintains session?

    Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

    > When A.asp first runs, IIS creates a session object,
    > and B.asp needs to pass the session cookie(?) to C.asp.
    >
    > How exactly does an ASP page maintain sessions?
    > How can I pass the session from A to C using B?
    >
    > Note that B is in a different domain.

    The session cookie is domain specific.

    ASP-sessions are not "passed" from one page to the other.

    If no session cookie is found a new session is placed.

    If such cookie placing is deactivated [clientside = browser],
    every page is a new session.

    --
    Evertjan.
    The Netherlands.
    (Please change the x'es to dots in my emailaddress)


    • Julia

      #3
      Re: How exactly ASP page maintains session?

      I know that, that is why I asked the question!!!
      I assume the session ID (explorer unique id?) is passed in the HTTP request,
      so I wonder if I can somehow extract it using ISAPI or other,
      and then pass it to the other page.

      thanks

      • Julia

        #4
        Re: How exactly ASP page maintains session?

        Ha.... what you meant to say is that ASP creates a special cookie which represents
        the session,
        sends it to the client,
        and that cookie is sent to the server each request?
        (and of course the cookie is domain specific)

        What if I get this cookie in page A and send it in the URL as a parameter to
        page B?

        thanks.

        • Evertjan.

          #5
          Re: How exactly ASP page maintains session?

          Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
          > "Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
          > news:Xns9546716A5AFE4eejj99@194.109.133.29...
          >> Julia wrote on 15 aug 2004 in
          >> microsoft.public.inetserver.asp.general:
          >>
          >> > When A.asp first runs, IIS creates a session object,
          >> > and B.asp needs to pass the session cookie(?) to C.asp.
          >> >
          >> > How exactly does an ASP page maintain sessions?
          >> > How can I pass the session from A to C using B?
          >> >
          >> > Note that B is in a different domain.
          >>
          >> The session cookie is domain specific.
          >>
          >> ASP-sessions are not "passed" from one page to the other.
          >>
          >> If no session cookie is found a new session is placed.
          >>
          >> If such cookie placing is deactivated [clientside = browser],
          >> every page is a new session.

          [please do not toppost on usenet]

          > I know that, that is why I asked the question!!!

          That is nice, but it would be helpful if you stated what you already know
          IN the OQ. That way the risk of being plonked or ignored is less.

          > I assume the session ID (explorer unique id?)

          No, not 'explorer unique'. It is a serverside generated ID, so unique to
          the server only. It has nothing to do with the browser, but for the
          browser filing and returning the ID.

          > ... is passed in the HTTP
          > request, so I wonder if I can somehow extract it using ISAPI or other,
          > and then pass it to the other page.

          That would be a breach of security. Inter domain sessions are just not
          the ASP way.

          ==========

          Why not build it yourself using a serverside database and querystrings
          with your own "session ID"?

          This has been discussed many times on this NG. Read the archives.

          --
          Evertjan.
          The Netherlands.
          (Please change the x'es to dots in my emailaddress)


          • Julia

            #6
            Re: How exactly ASP page maintains session?

            Thanks,
            a couple more questions please:

            1. When B calls C, then the server which hosts C generates a session ID for B as
            well?

            2. Suppose in C.asp I am returning the SessionID to B and save it in a
            database;
            then when B calls C again, can I transform the saved ID to the session
            cookie?
            (put it into the HTTP headers?)

            3. "[please do not toppost on usenet]" - I don't understand.


            "Why not build it yourself using a server database and querystrings
            with your own "session ID"?"

            A and C belong to another organization; we are trying to plug additional
            capabilities into their site
            with as few changes as possible.

            • Evertjan.

              #7
              Re: How exactly ASP page maintains session?

              Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:

              > Ha.... what you meant to say is that ASP creates a special cookie which
              > represents the session,
              > sends it to the client,
              > and that cookie is sent to the server each request?
              > (and of course the cookie is domain specific)
              >
              > What if I get this cookie in page A and send it in the URL as a
              > parameter to page B?

              No, it has to go in the header of page b and be recognized by the asp
              engine as a not timed out session.id given out by the page b asp engine.


              Why not try it out by starting all three pages with:


              <%
              ' A fresh session has no "isStarted" value yet; it is set by the
              ' first page that runs inside that session.
              if session("isStarted")<>"Yes!" then
                  response.write "New session started with this page"
                  session("isStarted")="Yes!"
              else
                  response.write "Old session recognized, hurray!"
              end if
              %>


              --
              Evertjan.
              The Netherlands.
              (Please change the x'es to dots in my emailaddress)


              • Evertjan.

                #8
                Re: How exactly ASP page maintains session?

                Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
                > 1. When B calls C, then the server which hosts C generates a session ID for
                > B as well?

                [See my example code in the other posting]

                Each session only has one session.id.

                > 2. Suppose in C.asp I am returning the SessionID to B and save
                > it in a database; then when B calls C again, can I transform
                > the saved ID to the session cookie? (put it into the HTTP headers?)

                Do not try to do what is expressly excluded. You cannot access the
                session cookie with clientside code. You cannot force an asp-server to
                use a different session.id.

                > 3. "[please do not toppost on usenet]" - I don't understand.

                Read up on topposting via google.
                Topposting is frowned upon by many, including me.

                <http://www.google.com/search?q=top.posting> 24.200 hits

                >> "Why not build it yourself using a server database and
                >> querystrings with your own "session ID"?"
                > A and C belong to another organization; we are trying to plug
                > additional capabilities into their site with as few changes as possible.

                So only page B is under your control?
                A and C are the same domain?
                Are they asp?

                Then their (A and C's) security should prevent you from meddling.
                The only way to do what you want, IMHO, is data mining their pages and
                reconstructing them as your own. Offering that to the web could be a
                copyright infringement.

                --
                Evertjan.
                The Netherlands.
                (Please change the x'es to dots in my emailaddress)


                • Jerry Pisk

                  #9
                  Re: How exactly ASP page maintains session?


                  "Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
                  news:Xns954687C9A6297eejj99@194.109.133.29...
                  > Julia wrote on 15 aug 2004 in microsoft.public.inetserver.asp.general:
                  >> 1. When B calls C, then the server which hosts C generates a session ID for
                  >> B as well?
                  >
                  > [See my example code in the other posting]
                  >
                  > Each session only has one session.id.
                  >
                  >> 2. Suppose in C.asp I am returning the SessionID to B and save
                  >> it in a database; then when B calls C again, can I transform
                  >> the saved ID to the session cookie? (put it into the HTTP headers?)
                  >
                  > Do not try to do what is expressly excluded. You cannot access the
                  > session cookie with clientside code. You cannot force an asp-server to
                  > use a different session.id.

                  Yes you can, why exactly not? Read up on DOM and how to use it in
                  JavaScript. If you do this successfully it's called session hi-jacking, and
                  is one of the simplest security attacks.

                  >> 3. "[please do not toppost on usenet]" - I don't understand.
                  >
                  > Read up on topposting via google.
                  > Topposting is frowned upon by many, including me.
                  >
                  > <http://www.google.com/search?q=top.posting> 24.200 hits

                  Many, but most people do not give a damn. And mostly Europeans will educate
                  you on how badly you behave (do not top post, use the metric system, it's
                  just annoying).

                  >>> "Why not build it yourself using a server database and
                  >>> querystrings with your own "session ID"?"
                  >> A and C belong to another organization; we are trying to plug
                  >> additional capabilities into their site with as few changes as possible.
                  >
                  > So only page B is under your control?
                  > A and C are the same domain?
                  > Are they asp?
                  >
                  > Then their (A and C's) security should prevent you from meddling.
                  > The only way to do what you want, IMHO, is data mining their pages and
                  > reconstructing them as your own. Offering that to the web could be a
                  > copyright infringement.

                  Could but probably won't. The real problem is that each server environment
                  has its own cookies, so even if you force your server to use the same
                  session ID as the one you're trying to interact with you will fail, because
                  the other server will not know a session by that id (and vice versa).

                  > --
                  > Evertjan.
                  > The Netherlands.
                  > (Please change the x'es to dots in my emailaddress)

                  Jerry



                  • Evertjan.

                    #10
                    Re: How exactly ASP page maintains session?

                    Jerry Pisk wrote on 15 aug 2004 in
                    microsoft.public.inetserver.asp.general:
                    >>> 3. "[please do not toppost on usenet]" - I don't understand.
                    >>
                    >> Read up on topposting via google.
                    >> Topposting is frowned upon by many, including me.
                    >>
                    >> <http://www.google.com/search?q=top.posting> 24.200 hits
                    >
                    > Many, but most people do not give a damn. And mostly Europeans will
                    > educate you on how badly you behave (do not top post, use the metric
                    > system, it's just annoying).

                    I politely asked in this thread not to toppost, Jerry.
                    I did not say that was bad behaviour, I just frown upon it.

                    However if you think that topposting is bad behaviour on usenet, and that
                    you do not give a damn [and even without any shown proof suggest that most
                    people think like you], I can sympathize that would be very annoying to you.

                    Do you feel the Europeans are your moral watchdogs?
                    And also an inferiority feeling about inches, ounces and miles?

                    --
                    Evertjan.
                    The Netherlands.
                    (Please change the x'es to dots in my emailaddress)


                    • Jerry Pisk

                      #11
                      Re: How exactly ASP page maintains session?


                      "Evertjan." <exjxw.hannivoort@interxnl.net> wrote in message
                      news:Xns9546C4FAA694Deejj99@194.109.133.29...
                      > Jerry Pisk wrote on 15 aug 2004 in
                      > microsoft.public.inetserver.asp.general:
                      >>>> 3. "[please do not toppost on usenet]" - I don't understand.
                      >>>
                      >>> Read up on topposting via google.
                      >>> Topposting is frowned upon by many, including me.
                      >>>
                      >>> <http://www.google.com/search?q=top.posting> 24.200 hits
                      >>
                      >> Many, but most people do not give a damn. And mostly Europeans will
                      >> educate you on how badly you behave (do not top post, use the metric
                      >> system, it's just annoying).
                      >
                      > I politely asked in this thread not to toppost, Jerry.
                      > I did not say that was bad behaviour, I just frown upon it.
                      >
                      > However if you think that topposting is bad behaviour on usenet, and that
                      > you do not give a damn [and even without any shown proof suggest that most
                      > people think like you], I can sympathize that would be very annoying to
                      > you.

                      I don't care about how people post. Top posting is a little easier to read
                      for me but others feel different. However, I don't feel the need to tell
                      others what to do.

                      > Do you feel the Europeans are your moral watchdogs?
                      > And also an inferiority feeling about inches, ounces and miles?

                      Same thing about units - who cares. They're just units. But every single
                      European I know ALWAYS mentions how great SI is and that everybody,
                      including stupid americans should switch. Nobody cares what you (or my smart
                      ass European friends) think, use whatever you want but let others use what
                      they want. In your case post how you want but let others do their own thing.
                      If you don't like it then don't read it. It's as simple as that.

                      > --
                      > Evertjan.
                      > The Netherlands.
                      > (Please change the x'es to dots in my emailaddress)

                      Jerry



                      • dlbjr

                        #12
                        Re: How exactly ASP page maintains session?

                        That will do! - Amen.


                        dlbjr
                        Pleading sagacious indoctrination!



                        • Bob Lehmann

                          #13
                          Re: How exactly ASP page maintains session?

                          So, if he posted in his native language, would that work for you?

                          What's your deal with Europeans anyway? Were you a badly behaving American
                          in a European country and not get your way?

                          Bob Lehmann

                          • Evertjan.

                            #14
                            Re: How exactly ASP page maintains session?

                            Jerry Pisk wrote on 16 aug 2004 in microsoft.public.inetserver.asp.general:

                            Dear Jerry,

                            > They're just units. But every single
                            > European I know ALWAYS mentions how great SI is and that everybody,
                            > including stupid americans should switch.

                            You must have an inferiority complex about being an American [american?] or
                            something?

                            I thought this NG was about helping each other out on ASP related problems
                            and ideas.

                            However pointing to widely, though not universally, accepted netiquette is
                            a necessity in each NG and so on topic.

                            However the unit question, started by you, is not part of that [but for the
                            yyyymmdd format], nor is your personal animosity against Europeans.

                            Even not mentioning explicitly that you are an "american" when posting
                            these above lines, which I surmise nonetheless in this context, as I do
                            that you are probably not a Canadian, is a bit strange. This is not an
                            English speaking only, as Bob rightly indicates elsewhere, or American NG
                            where others are just guests that should behave as such.

                            --
                            Evertjan.
                            The Netherlands.
                            (Please change the x'es to dots in my emailaddress)


                            • Egbert Nierop (MVP for IIS)

                              #15
                              Re: How exactly ASP page maintains session?

                              "Julia" <codewizard@012.net.il> wrote in message
                              news:%23lZybZqgEHA.712@TK2MSFTNGP09.phx.gbl...
                              >
                              > Hi,
                              >
                              > I have the following scenario:
                              >
                              > Page A.asp calls page B.asp.
                              > Page B.asp needs to load page C.asp, make some changes and return
                              > the result to IE.
                              >
                              > When A.asp first runs, IIS creates a session object,
                              > and B.asp needs to pass the session cookie(?) to C.asp.
                              >
                              > How exactly does an ASP page maintain sessions?
                              > How can I pass the session from A to C using B?
                              >
                              > Note that B is in a different domain.


                              If you want a solution that really works for different domains based on a
                              reference in the GUID you can have a look at


                              but it requires you not to use cookies.

                              Another solution would be to use cookies on *both* domains, but on the page
                              that passes control to the other domain, you would use a

                              Session.ReEntrance = True 'this is a security sensitive operation
                              Response.Redirect ("otherdomain.com/mypage?guid=" + Session.SessionID)
                              '(returns a GUID!)

                              more info



                              > thanks
                              >

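
Post #5 suggests your own "session ID" kept in a server-side database and carried in the query string, and post #15 puts an identifier in a redirect URL and calls that security sensitive. The sketch below is an added example, not code from any poster and not part of ASP: it hands the other domain a short-lived, single-use token while the real session ID stays on the issuing server. `HandoffStore`, `page_a_redirect`, `page_c_lookup` and `b.example` are hypothetical names, the dict stands in for the database, and how C authenticates the calling server is assumed.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

B_ORIGIN = "https://b.example"  # hypothetical second domain hosting page B


class HandoffStore:
    """Server-side table on the site that owns the session (pages A and C).

    Maps a random one-time token to the real session ID. Only the token is
    ever placed in a URL; the session ID itself never leaves this server.
    """

    def __init__(self, ttl_seconds=30, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._rows = {}  # sha256(token) -> (session_id, audience, expires_at)

    @staticmethod
    def _key(token):
        # Store only a hash, so a leaked table does not reveal usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, session_id, audience):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = self._clock() + self._ttl
        self._rows[self._key(token)] = (session_id, audience, expires_at)
        return token

    def redeem(self, token, audience):
        # pop() makes the token single use: any lookup, good or bad, burns it.
        row = self._rows.pop(self._key(token), None)
        if row is None:
            return None  # unknown or already used
        session_id, bound_audience, expires_at = row
        if self._clock() > expires_at:
            return None  # too old
        if not hmac.compare_digest(bound_audience.encode(), audience.encode()):
            return None  # presented by a caller it was not issued for
        return session_id


def page_a_redirect(store, session_id):
    """URL that A sends the browser to: it carries the token, not the session ID."""
    token = store.issue(session_id, audience=B_ORIGIN)
    return B_ORIGIN + "/B.asp?" + urlencode({"handoff": token})


def page_c_lookup(store, sessions, token, caller):
    """What C does when B calls it server-to-server and presents the token.

    `caller` is the origin C has authenticated for the calling server
    (assumption: for example a client certificate or a shared API key).
    """
    session_id = store.redeem(token, audience=caller)
    if session_id is None:
        return None
    return sessions.get(session_id)


def demo():
    now = [1000.0]  # fake clock so expiry can be shown without sleeping
    store = HandoffStore(ttl_seconds=30, clock=lambda: now[0])
    sessions = {"sid.constructed.0001": {"user": "julia"}}  # constructed data

    url = page_a_redirect(store, "sid.constructed.0001")
    token = url.split("handoff=", 1)[1]

    first = page_c_lookup(store, sessions, token, B_ORIGIN)   # accepted
    replay = page_c_lookup(store, sessions, token, B_ORIGIN)  # refused: used

    stale = store.issue("sid.constructed.0001", B_ORIGIN)
    now[0] += 31                                              # past the TTL
    expired = page_c_lookup(store, sessions, stale, B_ORIGIN)
    return url, first, replay, expired


if __name__ == "__main__":
    for item in demo():
        print(item)
```

A token that shows up in a proxy log, Referer header or browser history is already spent or expired by the time anyone reads it, which is not true of a session ID placed in the same URL.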