[Mono-list] Cross-Browser Session Mixing

A Rafael D Teixeira rafael.teixeirabr at terra.com.br
Mon Jul 11 11:21:29 EDT 2005


Oops, I did open my mouth too soon.

Cookieless SessionState DOES work, but on further testing, session data
was still shared, as it seems that even though the URL-mangling mechanism
did generate different URLs, both were still keyed to the same session
data. Probably that was intentional, to make both mechanisms behave the
same.

But let us look at your real problem.

Thinking as the user for a moment, I do think that in general all pages
from any single "web application" I'm using need to share my session
information (login/preferences/etc.).

What you may need is more like "page-sequence" state preservation.
Aside from hidden fields, you can preserve information in the ViewState
(which is sent by the client, but can be configured to be encrypted), if you
are preserving content while posting back to the same ASP.NET page.

On the server side, the option is to double the indirection when
accessing the Session state. Think of saving a Hashtable of values in a
session variable named uniquely as you freshly enter the page for this
session; this name should be preserved in ViewState for the page.

Sorry for the confusion,

Googling MSDN/Mono is your power tool.

Fun,

On Mon, 2005-07-11 at 11:57 -0300, A Rafael D Teixeira wrote:
> Hi,
> 
> You can still keep session variables without the same browser conflict.
> Just configure session state to not use cookies. It will remain the
> same, but will mangle the url to keep the key there. It becomes
> something like:
> 
> http://localhost/WebApplication1/(uwvgovu0hljrmdqcl1aajf2f)/WebForm1.aspx
> 
> In practical terms all you need to do is to change your web.config,
> setting cookieless to "true" in /configuration/system.web/sessionState.
> 
> Details about this entry of the configuration file:
> 
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfsessionstatesection.asp
> 
> Cookieless Session-state works nicely with mono/xsp/mod_mono, so far as
> I tested.
> 
> Pitfall
> -------
> One of the problems in the MS implementation is reported at:
> 
> http://support.microsoft.com/?kbid=828330
> 
> This probably will also manifest in xsp/mod_mono on Linux, as even more
> things are case-sensitive; just ensure your URLs are kept consistent
> case-wise.
> 
> Enjoy,
> 
> 
> On Mon, 2005-07-11 at 08:39 -0400, David P. Donahue wrote:
> > > So what do you do without sessions?  Bundle all required data inside
> > > each page, either in the URL (yuck) or as a set of hidden form
> > > variables:
> > > 
> > > 	<input type="hidden" name="Foo" value="Bar"/>
> > > 
> > 
> > I came across that same idea back when I began developing websites with 
> > .NET, but it's not feasible for me from a security standpoint.  Many of 
> > these values I don't want the user to be able to change before posting 
> > back to the server, or even see in some cases.  For my needs, the 
> > information exchange for which I use Session variables must happen 
> > entirely server-side.
> > 
> > 
> > Regards,
> > David P. Donahue
> > ddonahue at ccs.neu.edu
> > http://www.cyber0ne.com
> > _______________________________________________
> > Mono-list maillist  -  Mono-list at lists.ximian.com
> > http://lists.ximian.com/mailman/listinfo/mono-list
> 
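
The double indirection through Session described in the message above, sketched as an ASP.NET code-behind. This is an added example, not code from the original post; the class name `WizardPage`, the `PageBucketKey` ViewState entry and the `pagebucket:` prefix are assumptions.

```csharp
using System;
using System.Collections;
using System.Web.UI;

// Hypothetical code-behind; class, key and prefix names are illustrative.
public class WizardPage : Page
{
    const string BucketKeyField = "PageBucketKey"; // ViewState entry holding the bucket name
    const string BucketPrefix = "pagebucket:";     // namespace for buckets inside Session

    Hashtable bucket;                              // per-page-sequence state, kept server-side

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Fresh entry into the page: create a uniquely named bucket.
            string name = BucketPrefix + Guid.NewGuid().ToString("N");
            bucket = new Hashtable();
            bucket["step"] = 1;
            Session[name] = bucket;
            ViewState[BucketKeyField] = name;      // only the name travels to the client
            return;
        }

        // Postback: the name comes back through the client, so validate it.
        string posted = ViewState[BucketKeyField] as string;
        if (posted == null || !posted.StartsWith(BucketPrefix, StringComparison.Ordinal))
            throw new InvalidOperationException("Missing or malformed page bucket key.");

        bucket = Session[posted] as Hashtable;
        if (bucket == null)
        {
            // Session expired or bucket already removed: restart the sequence with a GET.
            Response.Redirect(Request.Path, true);
            return;
        }
        bucket["step"] = (int)bucket["step"] + 1;
    }

    // Call when the page sequence completes; buckets of abandoned
    // sequences are only released when the session itself times out.
    protected void FinishSequence()
    {
        Session.Remove((string)ViewState[BucketKeyField]);
    }
}
```

Two browser windows sharing one session each get their own bucket, because each fresh GET of the page creates a new name. The values never leave the server, and a modified name can only resolve to another bucket inside the same user's session, since the lookup goes through `Session`.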


