asp.net can you mix cookieless with cookie session

2020-07-22 10:41发布

站内问答 / 后端开发
526 1 4

Is it possible to use mixed cookieless sessions with cookie sessions?

I've an application that captured user details and then redirect for payment to an ssl page. I was wondering if this is possible?

http://www.mydomain.com/confirm.aspx

redirects to

https://www.mydomain.com/(S(za1tw2l2k02jer4fiskzlovd))/payment.aspx

Note: the session Id in the latter url.

So in essence, we use the standard cookie session for the majority of the application but when we transfer to an ssl page we pass the SessionId to the https url to pick up the session. I've tried this locally but it starts a new session.

Am I missing a trick?

Thanks

1条回答
三岁会撩人
2楼-- · 2020-07-22 11:01

I've found a solution that seems to work

When transfering between http and https i've the following:

As you can see I'm passing the session id manually to the https page.

protected void btnPurchase_Click(object sender, EventArgs e)
{
        // Confirm puchase code **

        string sslPaymentPath = string.Format("https://{0}/payment.aspx?sid={1}", Request.Url.DnsSafeHost, Session.SessionID);

        Response.Redirect(sslPaymentPath);

}

Upon reaching the ssl page, asp.net sees the request as a new session so I use the Start_Session method in the global.asax to abandon the newly created session and add a new session cookie with the session id passed in from the query string. Because the AquireSessionState which populates the session keyValue pair has already been run by this point I need to redirect the page back to itself to repopulate those values.

It seems to work really well :)

    void Session_Start(object sender, EventArgs e)
    {
        bool isPaymentPage = (Request.Path.ToLower().IndexOf("payment.aspx") != -1);

        // Code to load session over ssl. When changing between two sessions
        if (isPaymentPage && Request.QueryString["sid"] != null && Request.IsSecureConnection)
        {
            string passedSessionId = Request.QueryString["sid"];
            Session.Abandon();
            Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", passedSessionId));
            Response.Redirect(Request.Url.LocalPath, true);
        }
    }

Also with regard to somebody clicking on an external link whilst browsing the ssl purchase.aspx page i've written following in the global.asax to redirect traffic back to standard none ssl pages if it's not the payment page.

void Application_BeginRequest(object sender, EventArgs e)
    {
        bool isPaymentPage = (Request.Path.ToLower().IndexOf("payment.aspx") != -1);

        // In the case someone has navigated away from the payment page redirect them back to the none secure protocol.
        if (!isPaymentPage && Request.IsSecureConnection)
        {
            bool isAxdResource = (Request.Path.ToLower().IndexOf(".axd") != -1);

            if (!isAxdResource)
            {
                string url = Request.Url.AbsoluteUri.ToLower().Replace("https://", "http://");
                Response.Redirect(url,true);
            }
        }
    }

Hope somebody finds this useful, I was stuck for a while trying to come up with a nice solution.

My inspiration came from this url.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(4)