ASP to ASP.NET Session Variables

Question

We have a website in classic asp that we are slowly migrating to ASP.NET as necessary.

The problem of course is how classic asp and ASP.NET handle Sessions. After spending the last few hours researching the web, I found many articles, but not one that stood out over the others.

Is there a best practice for transferring session variables from and to classic asp and asp.net? Security is a must and any explanation with examples is much appreciated.

Answer 1

A simple bridge to pass a single session variable from classic asp to .net serverside (hiding your sessionvalue from the client), would be this:

• On the ASP end: An asp page to output your session, call it e.g. asp2netbridge.asp

  <%
  'Make sure it can be only called from local server '
  if (request.servervariables("LOCAL_ADDR") = request.servervariables("REMOTE_ADDR")) then
      if (Request.QueryString("sessVar") <> "") then
          response.write Session(Request.QueryString("sessVar"))
      end if
  end if
  %>
  

• On the .net end, a remote call to that asp page. :

  private static string GetAspSession(string sessionValue)
   {
      HttpWebRequest _myRequest = (HttpWebRequest)WebRequest.Create(new Uri("http://yourdomain.com/asp2netbridge.asp?sessVar=" + sessionValue));
      _myRequest.ContentType = "text/html";
      _myRequest.Credentials = CredentialCache.DefaultCredentials;
      if (_myRequest.CookieContainer == null)
          _myRequest.CookieContainer = new CookieContainer();
      foreach (string cookieKey in HttpContext.Current.Request.Cookies.Keys)
      {
          ' it is absolutely necessary to pass the ASPSESSIONID cookie or you will start a new session ! '
          if (cookieKey.StartsWith("ASPSESSIONID")) {
              HttpCookie cookie = HttpContext.Current.Request.Cookies[cookieKey.ToString()];
              _myRequest.CookieContainer.Add(new Cookie(cookie.Name, cookie.Value, cookie.Path, string.IsNullOrEmpty(cookie.Domain)
                  ? HttpContext.Current.Request.Url.Host
                  : cookie.Domain));
          }
      }
      try
      {
          HttpWebResponse _myWebResponse = (HttpWebResponse)_myRequest.GetResponse();
  
          StreamReader sr = new StreamReader(_myWebResponse.GetResponseStream());
          return sr.ReadToEnd();
      }
      catch (WebException we)
      {
          return we.Message;
      }
  }
  

Answer 2

I've used an ajax bridge (for want of a better term), specifically, a classic asp page that reads all session vars into a database with a guid, it then redirects to a .net page passing the guid in the querystring, the asp.net page reads from sql for the given guid and created those vars as sessions.

Eg, in classic asp (pseudocode code - just to give you an idea, use parameterised queries in yours etc):

'#### Create GUID
Dim GUID 'as string
GUID = CreateWindowsGUID() '#### Lots of methods on http://support.microsoft.com/kb/320375

'#### Save session to sql
For Each SessionVar In Session.Contents
   db.execute("INSERT INTO SessionBridge (GUID, Key, Value) VALUES ('" & GUID & "', '" & SessionVar & "', '" & session(SessionVar) & "')")
Next

Then, in a .net page:

'#### Fetch GUID
Dim GUID as string = Request.QueryString("GUID")
session.clear

'#### Fetch from SQL
db.execute(RS, "SELECT * FROM SessionBridge WHERE GUID = '" & GUID & "'")
For Each db_row as datarow in RS.rows
    Session(db_row("Key")) = db_row("Value")
Next

As i say, this is very rough pseudocode, but you can call the asp with a simple background ajax function, then call the .net page for the given GUID.

This has the advantage of not exposing all your vars and values to the client (as post methods do etc).