Passing Session from ASP to ASPX

O

OnTheAnvil

Regular
Joined
Nov 4, 2003
Messages
92
Location
Columbus, Ohio, USA
I've inherited some ASP pages that provide users with a login page. If a user logs in correctly the ASP pages sets the Session("username"), Session("password") and Session("LoginSuccessful") = TRUE. This works great for all the ASP pages that are already running. I need users to be able to log in through the ASP page and then pass their username to my ASPX page. I've been told that ASP Sessions can't be passed to ASPX Sessions although I haven't validated that it doesn't work yet. I don't want to do this using the query string because it would be extremely easy for someone to pretend they are someone else by changing the query string. I found a comment about encrypting query strings on this site:

http://www.dotnetjunkies.com/how to/99201486-ACFD-4607-A0CC-99E75836DC72.dcik

but I think this only works if the page generating the query string is an ASPX page which in my case it isn't. I don't have to have rock solid security but I don't want to leave huge holes for people to exploit either. I'm open to even crazy ideas if someone has some.


Thanks,
OnTheAnvil
 
Not too secure, but no worse than querystrings. How about a post from an asp page with a hidden variable of the user's id to a transfer page, which reauthenticates the user in aspx. At least the user doesnt see the querystring. its the lesser of two evils.
 
kahlua001 said:
Not too secure, but no worse than querystrings. How about a post from an asp page with a hidden variable of the user's id to a transfer page, which reauthenticates the user in aspx. At least the user doesnt see the querystring. its the lesser of two evils.
Click to expand...

I'm not to sure what you mean by post. I understand how hidden fields work but how does an ASP page get at value into a hidden field on an ASPX page? Your idea sounds promising though.


~OnTheAnvil
 
Instead of passing along a user's id in the querystring like test.aspx?user_id=1. On the asp page you do..

Code: 
<form method="post" action="test.aspx">
   <input type="hidden" name="user_id" value="1"> //In a perfect world, users dont look at your html :)
   <input type="submit" value="Click here to go to our .net version of this page, it will rememer you.">
</form>

Then on your .net page, you do

Code: 
If Not IsPostBack Then
   '.Net session variable
   Session("ID") = Request.Form("user_id")
End If
 
kahlua001 said:
Instead of passing along a user's id in the querystring like test.aspx?user_id=1. On the asp page you do..

Code: 
<form method="post" action="test.aspx">
   <input type="hidden" name="user_id" value="1"> //In a perfect world, users dont look at your html :)
   <input type="submit" value="Click here to go to our .net version of this page, it will rememer you.">
</form>

Then on your .net page, you do

Code: 
If Not IsPostBack Then
   '.Net session variable
   Session("ID") = Request.Form("user_id")
End If
Click to expand...


So on my test.aspx page I need a hidden textbox called "user_id" or does your code somehow alter that page? Or does it create it dynamically? Sorry I've never seen anything like this but it sounds really interesting. Definetly better then what I've had before.

Thanks,
OtA
 
On your old school .asp page, you have a form which posts to your new .net page. On your old .asp page, you hide the session variables you want to post or send to your new page. The new page will then take it in and set its own session variables, record to the db, etc.

On the old .asp page...
Code: 
<input type="hidden" name="user_id" value='<%= intUserID %>'>
Dynamically fill this hidden field, its not a textbox, just a hidden key/pair value. So when the .asp page submits to the new .aspx page, it passes along this piece of data.
 
kahlua011 thanks for taking so much time to explain this to me but I'm still a little lost. I think I'm understanding the basic concept but I don't understand what you mean by "post". I understand how to set the value of the hidden field on the asp page but how is that value getting onto the aspx page? Is the aspx page included in a second form on the asp page? Are you doing a Response.Redirect? I'm getting lost on this word "Post".
 
In html, when you submit a form, the form can have two methods, "post" or "get". So when i say "post", i mean submitting the form to a (html page, cgi script, asp page, etc..) using the "post" method. When you "post" a form, the receiving page uses Request.Form, using "get", the receiving page uses Request.Querystring
 
I finally got it working. Thanks for taking the time to explain this. Once I got it working I attended a Microsoft webcast and they explained this in a little more detail.

Thanks,
OnTheAnvil
 
Back
Top