Cookieless InProc sessions (reset on its own)

[Ron Vecchi]

I've been searching to find an answer but can not.

I have a site that started out using the defaul session cookieless="false"
Most pages have an IFrame located on them. I decided to change to
cookieless="true"

Now the session is completely reset and a new session id is given. Are
there known issues with cookieless sessions and IFrames when using InProc
session handling.

Thanks,

Ron

 

[Natty Gur]

Hi,

When Cookieless is used by ASP.NET session id embedded into page URL. If
for some reason request arrives to the server without session id in URL
address ASP.NET will create new session.

Natty Gur[MVP]

blog : http://weblogs.asp.net/ngur
Mobile: +972-(0)52-8888377


*** Sent via Devdex http://www.devdex.com ***
Don't just participate in USENET...get rewarded for it!

 

[[MSFT]]

Hi Ron,

When Cookieless is set to true, the session id will be displayed in url.
When we have iframe in a web form and its src is in same asp.net
application, it will have same session id. What did you mean "Now the
session is completely reset and a new session id is given."? Can you give a
sample?

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 

[Ron Vecchi]

well, the portion of the site having problems is the administrative
section. So first thing a user logins in, handled by th eapplication not
Windows or anything like that. Then they are taken to a page with a bunch
of links. Each link takes them to a page which in turn houses a IFrame
within.

The application is setup that if you go to any page and are not logged in
(which is stored in session) in will redirect you to the login page.

This is exactly what is happeneing. After being redirect I am noticing the
new sessionid in the url

 

[[MSFT]]

Hi Ron,

How did the user are taken to a page with a bunch of links, with
Response.Redirect? Is this page in same ASP.NET application? Is the session
id correct for this page?

Luke

 

[Ron Vecchi]

The user will click a link on the inital page after loging in. Note the
initial page has no IFrames on it, there is a list of links that all point
to different pages; each containing an IFrame on it.

To answer your question, the pages with the IFrames are in the same
application, The sessions are lost when linking to any one of the pages
with the IFrames. Basically each of the pages that house the IFrames check
to see if the user is logged in by way of a stored value in the session. If
not, they get directed to the login page to re-login. So this is telling me
that the sessions are lost.

NOTE: This full process works fine when cookieless is set to false.


Thanks

 

[[MSFT]]

Hi Ron,

I perform such a test but I didn't found the same issue. To perform further
troube shoot, I suggest you try to output the session ID Instead of
redirect to the login page, for example,

Response.Write(Session.SessionID);

In this way, you can know they are in same session

Luke

 

[Ron Vecchi]

Ok thanks, will try