A secure way to read ASP session variables from ASP.NET

by chpicker
There are many valid reasons for wanting to have a classic ASP web application and an ASP.NET application share the same session. You may be migrating a large one over to ASP.NET and need to convert it in stages. You may be tasked with adding a new ASP.NET module to an existing ASP page. However, sending ASP session variables to the end user's web browser through forms or cookies is a major security concern. It exposes the inner workings of the ASP application to the web clients.

In researching how to accomplish it, I came across this post (http://searchvb.techtarget.com/tip/1,289483,sid8_gci951935,00.html), which details a secure way to get your ASP session variables into your ASP.NET application. What you basically do is write a new ASP page which receives a request for a session variable and returns it. It will only respond to requests from the local machine. Then you write an ASP.NET class which sends the request to the ASP page. The example was given in C#, but my company wants everything in VB, so I converted it.

Here is the code for the ASP page you will create. Name it "SessionVar.asp".
Code:
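<%
  Dim sT
  ' Answer only when the request comes from this server itself.
  If Request.ServerVariables("REMOTE_ADDR") = Request.ServerVariables("LOCAL_ADDR") Then
    sT = Request("SessionVar")
    ' Write out the named session variable; an empty name returns nothing.
    If Trim(sT) <> "" Then
      Response.Write Session(sT)
    End If
  End If
%>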

Next, in your ASP.NET application, create a new class. Here is the code for the class:
Code:
Imports Microsoft.VisualBasic
Imports System.Net
Imports System.IO
Imports System.Web

Public Class ASPSessionVar
    Dim oContext As HttpContext
    Dim ASPSessionVarASP As String
    Public Function GetSessionVar(ByVal ASPSessionVar As String) As String
        Dim ASPCookieName As String = ""
        Dim ASPCookieValue As String = ""
        If Not (GetSessionCookie(ASPCookieName, ASPCookieValue)) Then
            Return ""
        End If

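        ' URL-encode the variable name so characters such as "&" or "#" cannot alter the query string.
        Dim myRequest As HttpWebRequest = CType(WebRequest.Create(ASPSessionVarASP + "?SessionVar=" + System.Web.HttpUtility.UrlEncode(ASPSessionVar)), HttpWebRequest)
        ' Forward the caller's classic ASP session cookie so the ASP page sees the same session.
        myRequest.Headers.Add("Cookie: " + ASPCookieName + "=" + ASPCookieValue)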

        Dim myResponse As HttpWebResponse = CType(myRequest.GetResponse(), HttpWebResponse)
        Dim receiveStream As Stream = myResponse.GetResponseStream()
        Dim encode As System.Text.Encoding = System.Text.Encoding.GetEncoding("utf-8")
        Dim readStream As StreamReader = New StreamReader(receiveStream, encode)
        Dim sResponse As String = readStream.ReadToEnd()

        myResponse.Close()
        readStream.Close()
        GetSessionVar = sResponse
    End Function

    Private Function GetSessionCookie(ByRef ASPCookieName As String, ByRef ASPCookieValue As String) As Boolean

        ASPCookieName = ""
        ASPCookieValue = ""
        For Each myCookie As String In oContext.Request.Cookies
            If myCookie.StartsWith("ASPSESSION") Then
                ASPCookieName = myCookie
                ASPCookieValue = oContext.Request.Cookies(myCookie).Value
                Return True
            End If
        Next
        Return False
    End Function

    Public Sub New(ByRef oInContext As HttpContext)
        oContext = oInContext
        ASPSessionVarASP = "SessionVar.asp"

        ' Build the absolute URL of SessionVar.asp from the scheme, host and port of the current request.
        Dim oURL As System.Uri = oContext.Request.Url
        ASPSessionVarASP = oURL.Scheme & "://" & oURL.Host & ":" & oURL.Port.ToString() & "/" & ASPSessionVarASP
    End Sub
End Class

Now, to read an ASP session variable from your ASP.NET application, just create an instance of the ASPSessionVar class and call its GetSessionVar() method. Here's a simple example:
Code:
Dim MyVar As ASPSessionVar = New ASPSessionVar(HttpContext.Current)
Dim username As String = MyVar.GetSessionVar("username")

Note: This code works with ASP.NET version 2.0.50727.210 with .NET Framework version 2.0.50272.42. It should work fine with others, but this is the only one I've tested it on.
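
A hardened variant of the ASP.NET side of this bridge, as an added example that is not the FAQ author's code: it reads the SessionVar.asp URL from configuration instead of rebuilding it from the incoming request, only asks for allow-listed variable names, URL-encodes the name and refuses redirects so the session cookie is never sent anywhere else. The class name AspSessionBridge, the appSettings key AspSessionBridgeUrl and the entries in AllowedVars are assumptions made for the example.

```vbnet
Imports System
Imports System.Configuration
Imports System.IO
Imports System.Net
Imports System.Web

' Added example. Hypothetical names: AspSessionBridge, AllowedVars and the
' "AspSessionBridgeUrl" appSettings key.
Public Class AspSessionBridge
    ' Only these ASP session variables may be requested through the bridge.
    Private Shared ReadOnly AllowedVars As String() = {"username", "userid"}
    Private ReadOnly _context As HttpContext
    Private ReadOnly _bridgeUrl As String

    Public Sub New(ByVal context As HttpContext)
        _context = context
        ' Operator-configured absolute URL of SessionVar.asp. It is not derived from
        ' Request.Url, whose host part reflects the Host header the client sent.
        _bridgeUrl = ConfigurationManager.AppSettings("AspSessionBridgeUrl")
        If String.IsNullOrEmpty(_bridgeUrl) Then
            Throw New InvalidOperationException("AspSessionBridgeUrl is not configured")
        End If
    End Sub

    Public Function GetSessionVar(ByVal name As String) As String
        If Array.IndexOf(AllowedVars, name) < 0 Then Return ""
        Dim cookieHeader As String = FindAspSessionCookie()
        If cookieHeader Is Nothing Then Return ""
        Dim req As HttpWebRequest = CType(WebRequest.Create( _
            _bridgeUrl & "?SessionVar=" & HttpUtility.UrlEncode(name)), HttpWebRequest)
        req.Timeout = 5000               ' milliseconds
        req.AllowAutoRedirect = False    ' never carry the cookie to another URL
        req.Headers.Add("Cookie", cookieHeader)
        Using resp As HttpWebResponse = CType(req.GetResponse(), HttpWebResponse)
            If resp.StatusCode <> HttpStatusCode.OK Then Return ""
            Using reader As New StreamReader(resp.GetResponseStream(), System.Text.Encoding.UTF8)
                Return reader.ReadToEnd()
            End Using
        End Using
    End Function

    ' Returns "name=value" for the classic ASP session cookie, or Nothing if absent.
    Private Function FindAspSessionCookie() As String
        For Each cookieName As String In _context.Request.Cookies
            If cookieName.StartsWith("ASPSESSIONID", StringComparison.OrdinalIgnoreCase) Then
                Return cookieName & "=" & _context.Request.Cookies(cookieName).Value
            End If
        Next
        Return Nothing
    End Function
End Class
```

The configured URL must resolve to the same server so that the REMOTE_ADDR and LOCAL_ADDR check in SessionVar.asp still passes.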