Share Session State Between ASP and ASP.NET Apps

asp:feature

LANGUAGE: C# | VBScript

ASP.NET VERSIONS: 1.0 | 1.1

Share Session State Between ASP and ASP.NET Apps

Learn how - and how not - to share Session variablesbetween your old and new apps.

By Dennis Hurst

As you migrate your Web apps from classic ASP to ASP.NET,you may not have the luxury of completely rewriting the entire applicationbefore going to production. Instead, you may need to migrate portions of the application from ASP toASP.NET, while leaving others as-is. If you need to make this type ofmigration, you will inevitably encounter the issue of how to integrate sessionstate from your ASP application into your ASP.NET app.

Unfortunately, the session management services for eachtechnology are completely separate, and there is no standard mechanism forsharing information between an ASP and an ASP.NET session. This article,however, shows a secure and simple method of sharing Session variables betweenASP and ASP.NET pages. Along the way, you'll also learn about severalalternative methods that are notsecure.

Must-Haves andMust-Nots

Any solution to the ASP/ASPX session sharing issue needsto address certain issues. First, it must be secure. Given that highlysensitive information is typically kept in session variables, security must beconsidered. A breach in a session sharing mechanism could result in a majorsystem breach.

Next, it should be elegant. A complex solution or one thatis difficult to maintain would be counterproductive. After all, this solutionis most likely a temporary solution until all of an application can be migratedto ASP.NET pages.

Finally, it should require minimal server-based componentsbeyond ASP.NET and ASP-based pages (or better yet, none at all). Many sites arehosted on remote servers; getting a vendor to run your DLL or other system filecan be challenging.

Typically, information stored in a Session variable is forinternal application use only and should be considered to be highly secure.Things that are often stored in the Session object include login state, userinformation, system information, and many potentially other secure items thatan end user should never see.Given the secure nature of information that is stored in a Session object,security must be the paramount concern. With that in mind, some of the obvioussolutions to the Session sharing issue must be avoided because they areextremely insecure. You should neverput sensitive information in a cookie, a hidden parameter, or a URL; and youshould avoid returning secure orsystem information to a browser, unless it's absolutely necessary.

The Big Question

HTTP is a stateless protocol. A request is sent by theclient to the server and a response is returned to the client. The connectionis then completed. The nature of this sessionless protocol has led vendors(like Microsoft) to come up with alternative means of maintaining session stateoutside the base HTTP protocol. In general, session state is maintained by ASPvia the use of a cookie that is sent from the server to the client. If you lookat the HTTP response, you'll see something like this:

HTTP/1.1 200 OK

Server: Microsoft-IIS/5.0 Date:Mon,07 Apr 2003 12:52:26GMT

Content-Length: 10225

Content-Type: text/html

Cache-control: private

Set-Cookie: ASPSESSIONIDCSCRRCBS=GODPKFJDPJNMHGGJDOEIDDMK;

Note that the Web server (IIS) set a cookie with a namethat starts with ASPSESSION and has some seemingly random value. This is theASP Session cookie. All subsequent requests sent from the client to the serverwill include the ASP Session cookie along with the request. This cookie allowsIIS to associate the request with a specific session object that is stored onthe server.

ASP.NET uses the same technique to maintain session state,except that a different cookie name is used. In the case where an ASP sessionand an ASP.NET session have been established with the same server, the browserwill send both the ASP and ASP.NET cookies with each request. The request willlook something like this:

GET /MixedSessions/ASPSession.aspxHTTP/1.0

...headers removed to simplify example...

Cookie: ASPSESSIONIDAAR=NGHNLJKBBJG;

ASP.NET_SessionId=q5ydd3t45....

From this we know that if you have ASP and ASP.NETapplications running in the same folder (specifically if you put the ASP andASP.NET files in the same folder or virtual directory), the user will have aSession object in both the ASP and ASP.NET environments. The question nowbecomes how you can share information in the ASP environment with the ASP.NETenvironment.

All Together Now

The goal of this solution is to allow an ASP.NET app toretrieve variables from an ASP Session object. Figure 1 illustrates the flow ofthe process that occurs:

Figure 1. By using a .NET class thatcreates a request containing the ASP Session cookie and sends it to an ASP pageto retrieve the ASP Session variable and an ASP page that authenticates therequest and returns the Session variable, you can share Session state betweenASP.NET and ASP apps.

In Step 2 above, the ASP.NET page will craft a requestthat contains the ASP Session cookie that was passed to it. This will allow theASP page to associate the request that comes from the ASPX page with the properuser's session.

Two components will be needed to make this system work.The first is a .NET class that will create a request that contains the ASPSession cookie and sends it to an ASP page to retrieve the ASP Sessionvariable. The second will be the ASP page that authenticates the request andthen returns the Session variable.

The .NET code consists of two main functions and aconstructor. The two functions work together to request Session informationfrom an ASP page and the constructor decides to which ASP page the necessaryrequest will be sent.

The constructor for this class takes a reference to theHttpContext and derives the URL it will need to send its requests to, as shownin Figure 2.

public ASPSessionVar(HttpContext oInContext)

{

  oContext = oInContext;

  ASPSessionVarASP ="SessionVar.asp";

  /* We now build aSystem.Uri object to derive the correct

     URL to send the HTTPrequest to. oContext.Request.Url

     will contain aSystem.Uri object that represents

     this ASPXs URL.

  */

  System.Uri oURL =oContext.Request.Url;

  ASPSessionVarASP =oURL.Scheme + "://"

      + oURL.Host +":" + oURL.Port.ToString()

      + ASPSessionVarASP;

}

Figure 2. The ASPXpage is going to make an HTTP request to an ASP page contained in the samefolder as this ASPX page. This section of code derives the proper URL to sendthe request to.

The primary function for this example is calledGetSessionVar, which is shown in Figure 3. It does the majority of the workdone by this application as outlined in Step 2 of Figure 1. This includescreating a WebRequest, sending it off to the ASP page, and returning theresponse.

public string GetSessionVar(string ASPSessionVar)

{

  // First get the SessionCookie

  string ASPCookieName ="";

  string ASPCookieValue ="";

  if (!GetSessionCookie

    (out ASPCookieName,outASPCookieValue))

  {

    return  "";

  }

  // Initialize theWebRequest.

  HttpWebRequest myRequest=

      (HttpWebRequest)WebRequest.Create

      (ASPSessionVarASP +"?SessionVar=" + ASPSessionVar);

  myRequest.Headers.Add

      ("Cookie: "+ ASPCookieName + "=" + ASPCookieValue);

  // Send the request andget a response

  HttpWebResponsemyResponse =

       (HttpWebResponse)myRequest.GetResponse();

  Stream receiveStream = myResponse.GetResponseStream();

  System.Text.Encoding encode =

      System.Text.Encoding.GetEncoding("utf-8");

  StreamReader readStream =

      newStreamReader(receiveStream, encode);

  string sResponse =readStream.ReadToEnd();

  // Do a bit of cleanup

  myResponse.Close();

  readStream.Close();

  return sResponse;

}

Figure 3. GetSessionVar is the primary functionin this example. It handles the process of creating, sending, and parsing theHTTP request that is used to retrieve the ASP session variable.

One utility function that is used is GetSessionCookie,shown in Figure 4. This function simply takes the Request that was passed bythe client and extracts the ASP Session cookie from it. This function is calledby the GetSessionVar function to retrieve the ASPSession cookie. Since thisASP/ASPX-based application is on the same server the Web browser will send boththe ASP and ASPX cookies with each request that is made to the Web server. Thisfunction iterates through the cookies that are contained in the Cookies collectionand finds and returns the ASPSession cookie.

private bool GetSessionCookie

   (out stringASPCookieName, out string ASPCookieValue)

{

  int loop1;

  HttpCookiemyCookie;     // Cookie variable

  ASPCookieName ="";

  ASPCookieValue ="";

  // Capture all cookienames into a string array.

  String[] CookieArray =

      oContext.Request.Cookies.AllKeys;

  // Grab individualcookie objects by cookie name.

  for (loop1 = 0; loop1< CookieArray.Length; loop1++)

  {

    myCookie =

      oContext.Request.Cookies[CookieArray[loop1]];

    if(myCookie.Name.StartsWith("ASPSESSION"))

    {

      ASPCookieName =myCookie.Name;

      ASPCookieValue =myCookie.Value;

      return true;

    }

  }

  return false;

}

Figure 4. The GetSessionCookie function willfind and return the ASPSession cookie that was sent by the browser in the HTTPrequest and return it to the GetSessionVar function.

Serve the Session Variable

The ASP code for this example was placed in an ASP filecalled SessionVar.asp. It performs two simple tasks. First, it ensures that therequest is coming from the server that the ASP page is running on. This ensuresthat the request is valid and coming ONLY from the Web server's IP address. TheASP page then returns the session variable it was asked to provide:

<%

dim sT

if Request.ServerVariables("REMOTE_ADDR") =

    Request.ServerVariables("LOCAL_ADDR") then

    sT =Request("SessionVar")

    if trim(sT) <>"" then

      Response.WriteSession(sT)

    end if

end if

%>

It is critically important that the IP address check notbe removed for any reason. Removing this would allow a hacker to accesspotentially critical information.

The following code shows how this class can be used by anASPX-based Web page that needs to retrieve Session from an ASP-basedapplication. The ASPX page will instantiate an ASPSessionVar object, passing inthe current Context to the constructor. The GetSessionVar function is thencalled, passing in the name of the ASP Session variable that is to beretrieved. No other setup is required to call the method:

//Create an ASPSessionVar object,

//passing in the current context

SPI.WebUtilities.ASP.ASPSessionVar oASPSessionVar

  = newSPI.WebUtilities.ASP.ASPSessionVar(Context);

string sTemp = oASPSessionVar.GetSessionVar("FirstName");

After executing a call to the GetSessionVar function thesTemp variable will contain the contents of the FirstName session variable fromthe ASP-based application.

The sample code in thisarticle is available for download.

DennisHurst is a seniorconsulting engineer for SPI Dynamics andis a member of its SPI Labs team of Internet securityexperts. He is responsible for working with customers and fordeveloping marketing resources that educate them on the need for Webapplication security and practical ways to protect Web sites by usingWebInspect, the company's flagship product line of Web application securityassessment solutions. Dennis is an MSCD in Visual Basic and SQL Server. You canreach Dennis at mailto:[email protected].