Solved

session variable lost on redirect when in frameset

Posted on 2004-08-20
Last Modified: 2012-06-27
I wrote a members only section that I have to integrate in to a canned website that loads in a frameset.  In other words, when the user clicks a button they get my log in page which is hosted in an entirely separate place from the frames around it.  When the user logs in a session variable is set, then they are redirected to another one of my pages to be loaded inside the frameset.  When this happens my session variables are lost.  Why is this?
Question by:kellybelly
37 Comments
 
LVL 5

Expert Comment

by:richswyatt
ID: 11853995
What do you mean by a "Separate place"...  Do you just mean that the members only pages are in a different host server or just a different spot on the page?

If they are on a different server- this could be your problem.  

Also - it is possible that your server's PHP install doesn't support Sessions?

Do you have some code examples?
0
 

Author Comment

by:kellybelly
ID: 11854203
It supports sessions because I can use it outside of the frames.  The pages are hosted on a different host server.

In the frames http://17409.myersinternet.com

not in the frames http://www.biggersmarter.com/ht
0
 
LVL 10

Expert Comment

by:avidya
ID: 11857143
Hi Kellybelly,

You're having two sites and thus two applications. Session vars are stored for one unique application.
However, you can pass the vars to the other site and make the login kinda "transparent".
It can be done, but posting your code helps.

Here you can read about sessions.
http://www.w3schools.com/asp/asp_sessions.asp

0
 
LVL 2

Expert Comment

by:cgarvey
ID: 11858761
The other server presumably has a different domain name, and cookies can only be accessed by the server that created them.
Session variables still rely on cookies to identify and track the client, though session cookies are treated differently than conventional cookies.

The way around this is either to make a hidden form field which is populated dynamically with the session contents and make the link a post, then have the page on the new site pick up the form variables and reset them, or else you could pass the variables along as part of the link, e.g. http://www.mysecurearea.com/loginok.asp?username=bob

HTH

Colm
0
 

Author Comment

by:kellybelly
ID: 11858778
But I am not trying to get any of the externally hosted frames to access the cookies.  Do the log in using both links posted above and I think you will understand a little better.  I am only trying to access with the code I am hosting.  The difference between the 2 links is that one is in frames hosted elsewhere, and one is not.
0
 
LVL 10

Expert Comment

by:avidya
ID: 11858884
Do you have a test account?
0
 

Author Comment

by:kellybelly
ID: 11860543
The log in info I gave is for the test account.  You can do whatever you want on it.
0
 
LVL 10

Expert Comment

by:avidya
ID: 11863646
Hi kelly,

I'm sorry, but maybe I'm not understanding you correctly.
I do not wish to register with my email to obtain an account, that's why I asked you for a test account. Is this possible?
0
 
LVL 12

Expert Comment

by:adrian_brooks
ID: 11867527
Hi Kelly,

I'm going to provide an extension to what avidya had stated already.
As stated, session variables are stored and used on the server that generated them, but a seamless work around would be such that you would "transfer" any session variable data that you are hoping to use to the second server by use of the post or get method of a form submission. If the session data isn't anything that would violate the security of your users or your site, then the easiest way to achieve this would be to retrieve your current session variables, store them to $_GET[] variables and then simply construct a call to the respective PHP doc on the second server.
Make sure that the PHP doc on the receiving server first creates a session, then simply parse all your passed data into duplicated $_SESSION[] vars on the receiving server and you're good as gold without any loss of data.

If anyone has any better suggestions, I would love to hear them as this seems to be the only way I could think of to achieve this.

Good Luck, Kelly.
0
 
LVL 10

Expert Comment

by:avidya
ID: 11868959
kelly is using asp, not PHP
0
 
LVL 12

Expert Comment

by:adrian_brooks
ID: 11868972
ooops...so sorry

*rather embarrassed now*
0
 

Author Comment

by:kellybelly
ID: 11870438
avidya - the test account is admin@admin.com with a password of admin

adrian - no problem - I should have addressed that before

Here is my log in page:----------------------------------------------------------------
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="Connections/HT.asp" -->
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername=CStr(Request.Form("email"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization=""
  MM_redirectLoginSuccess="home.asp"
  MM_redirectLoginFailed="?msg=failed"
  ' Bind the form values as parameters instead of concatenating them into the SQL text
  MM_flag="ADODB.Command"
  set MM_cmd = Server.CreateObject(MM_flag)
  MM_cmd.ActiveConnection = MM_HT_STRING
  MM_cmd.CommandType = 1 ' adCmdText
  MM_sql = "SELECT email, pword, ID, Administrator"
  If MM_fldUserAuthorization <> "" Then MM_sql = MM_sql & "," & MM_fldUserAuthorization
  MM_cmd.CommandText = MM_sql & " FROM brokers WHERE email=? AND pword=? and not isNull(accepted)"
  ' 200 = adVarChar, 1 = adParamInput; the size of 255 is an assumed column width
  MM_cmd.Parameters.Append MM_cmd.CreateParameter("email", 200, 1, 255, MM_valUsername)
  MM_cmd.Parameters.Append MM_cmd.CreateParameter("pword", 200, 1, 255, CStr(Request.Form("password")))
  set MM_rsUser = MM_cmd.Execute
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
      Session("user") = MM_rsUser("ID")
      if MM_rsUser("administrator") then Session("type") = "admin"
      Session.Timeout = 20
      If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And false Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
      if request.queryString("dest") = "RFC" then
      response.redirect "http://homeconnect.htmortgage.net"
      else
    Response.Redirect(MM_redirectLoginSuccess)
      end if
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>





<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<img src="images/logo.gif" width="373" height="150" align="left" vspace="50">
<h1>HomeConnect Log in:</h1>
<% ' if user log in failed display message
      if request.querystring("msg") = "failed" then
      %>
      
<h3>Log in failed.  If you have recieved an email from Hometown Mortgage stating that you have been accepted as a registered use of HomeConnect please try again. </h3>
<h3><a href="pwordReminder.asp">Click here</a> if you have forgotten your password.</h3>
<h3>If problem persists <a href="contact.asp?msg=help&type=login">click here</a> to email a help request Hometown mortgage.
      </h3>
<%
      end if
      %>

<p><font size="-1"><%= date %></font></p>
<form name="logIn" method="post" action="<%= Server.HTMLEncode(MM_LoginAction) %>">
<table border="0" cellspacing="0" cellpadding="0">
<tr>
<td><h4>Email:</h4></td>
<td width="10">&nbsp;</td>
<td><input type="text" name="email"></td>
</tr>
<tr>
<td><h4>Password:</h4></td>
<td width="10">&nbsp;</td>
<td><input type="password" name="password"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td width="10">&nbsp;</td>
<td><input type="submit" name="Submit" value="Log in"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td width="10">&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><h4>Options:</h4></td>
<td width="10">&nbsp;</td>
<td><a href="register.asp">First time users click here for registration</a></td>
</tr>
<tr>
<td height="10"></td>
<td width="10"></td>
<td></td>
</tr>
<tr>
<td>&nbsp;</td>
<td width="10">&nbsp;</td>
<td><a href="pwordReminder.asp">Forgot password</a></td>
</tr>
<tr>
<td><input type="hidden" name="dest" value="<%= Server.HTMLEncode(Request.QueryString("dest")) %>"></td>
<td width="10">&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td colspan="3"><a href="EL/default.asp">Employment opportunities with Hometown Mortgage</a></td>
</tr>
</table>
<p>&nbsp;</p>
</form>
<p>&nbsp;</p>
</body>
</html>



And here is the page after log in:---------------------------------------------------------------------------------------
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body bgcolor="#FFFFFF" text="#000000">

<h1>Welcome</h1>
<!--#include file="header.asp" -->
<h2><img src="images/forms.gif" width="225" height="60"></h2>
<h2>&nbsp;</h2>
<table cellpadding="0" cellspacing="0" border="0">
<tr>
<td valign="top">
<h4>Broker forms:</h4>
</td>
<td width="10">&nbsp;</td>
<td>
<p><a href="forms/BROKERPACKAGE.pdf" target="_blank" onClick="alert('This will load a PDF form in a new window.  Please allow a minute for it to load.\n\nYou may fill the form on the screen by clicking in boxes and tabbing through to all fillable fields, then print and fax or mail to Hometown')">Broker package</a></p>
<p><a href="forms/rateLock.pdf">Rate Lock Schedule</a></p>
<p><a href="forms/SUBMISSIONFORM.pdf">Preliminary Submission form</a></p>
<p><a href="forms/CONDOMINIUMCHECKLIST.pdf">Condominium Checklist</a></p>
</td>
<td width="200">
<p>&nbsp;</p>
</td>
</tr>
</table>
</body>
</html>

Thanks for your hard work!!
0
 
LVL 10

Expert Comment

by:avidya
ID: 11872153
Hi kelly,

thanks for the test account.
Looks like you generated your code with Dreamweaver, is that correct?
And, if so, do you understand the code?
(This way I can estimate your skill level.)

For the first round: Could you alter the "page after login" like this:
<h1>Welcome<%=Session("user")%></h1>

This will display the var stored in the session and we can see if the session var works.

0
 

Author Comment

by:kellybelly
ID: 11872198
I could write all that code.  I understand it all pretty well.  I will make the change
0
 

Author Comment

by:kellybelly
ID: 11872209
But you should be getting a redirect to a 'you are not logged in' page if there are no session variables.
0
 
LVL 10

Expert Comment

by:avidya
ID: 11872963
Hi, let's set up a working vocabulary:

1) http://17409.myersinternet.com gave me:
  Password protected area
  You are either not logged in or your session has timed out.
  Please click here to log in.
  Click here to register as a new user

2) http://www.biggersmarter.com/ht Logged on fine, as you know ;-)

Question:
- Are all the pages from site 1 on the same server?
The menu page has http://www.hometownmtg.net/menu_files as location and the login page has http://209.132.227.16/ht/default.asp as location.
As far as I can tell, the login page at site 1 is a link to site 2 (http://209.132.227.16/ht/).
Can you tell me if this is correct?



0
 

Author Comment

by:kellybelly
ID: 11873361
site 1 - menu page (frame) and header page (frame) on a separate server as log in pages.  This is a canned website that I am adding customized pages to.

site 2 - all pages hosted on same server.  This is the customization that I want to load in to the content frame of site 1.   biggersmarter.com is the same as 209.132.227
0
 
LVL 10

Expert Comment

by:avidya
ID: 11873737
Okee, now we're getting somewhere.

For session vars to work they need to be on the same webserver and within the same web app.

Can you place the logon pages at http://17409.myersinternet.com ?

0

 

Author Comment

by:kellybelly
ID: 11876873
no - that is where the canned website is.  The tools that I am developing have to be hosted elsewhere.
0
 

Author Comment

by:kellybelly
ID: 11881807
I would add more points if I could.  There has got to be a work around or solution to this problem.  

In a nutshell - the session variables are not available when the page is loaded inside frames that are hosted on another server.  Hasn't anyone out there ever made this work before?  I will even open another question and give it another 500 points...

Thanks in advance...
0
 
LVL 3

Expert Comment

by:Ayesha_K
ID: 11882793
Hi,

on the SECOND server create another asp page called SetSession.asp having the following code
NOTE: use the file name in the Response.redirect as the one of your login action page ... means the file with the asp code pasted above ... but don't forget to include the querystring variable Validated=Yes
____________________________________

<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="Connections/HT.asp" -->
<%

     Session("user") = Request.QueryString("user")
     Session("type") = Request.QueryString("type")
     Session.Timeout = 20
     Session("MM_UserAuthorization") = Request.QueryString("MM_UserAuthorization")
     Response.redirect("LoginServer1.asp?Validated=Yes")
%>
__________________________________________________

Now change your login action file with the code pasted above as follows

___________________________________________________
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="Connections/HT.asp" -->
<%
'''' If Validated=Yes means that this page has already set session variables on this page and on the other server
''''' so you just have to redirect the page

' Set the success target here as well; it is otherwise only assigned further down, after this branch has run
MM_redirectLoginSuccess="home.asp"
if Request.QueryString("Validated") = "Yes" then
     if request.queryString("dest") = "RFC" then
          response.redirect "http://homeconnect.htmortgage.net"
     else
          Response.Redirect(MM_redirectLoginSuccess)
     end if

end if

' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername=CStr(Request.Form("email"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization=""
  MM_redirectLoginSuccess="home.asp"
  MM_redirectLoginFailed="?msg=failed"
  ' Bind the form values as parameters instead of concatenating them into the SQL text
  MM_flag="ADODB.Command"
  set MM_cmd = Server.CreateObject(MM_flag)
  MM_cmd.ActiveConnection = MM_HT_STRING
  MM_cmd.CommandType = 1 ' adCmdText
  MM_sql = "SELECT email, pword, ID, Administrator"
  If MM_fldUserAuthorization <> "" Then MM_sql = MM_sql & "," & MM_fldUserAuthorization
  MM_cmd.CommandText = MM_sql & " FROM brokers WHERE email=? AND pword=? and not isNull(accepted)"
  ' 200 = adVarChar, 1 = adParamInput; the size of 255 is an assumed column width
  MM_cmd.Parameters.Append MM_cmd.CreateParameter("email", 200, 1, 255, MM_valUsername)
  MM_cmd.Parameters.Append MM_cmd.CreateParameter("pword", 200, 1, 255, CStr(Request.Form("password")))
  set MM_rsUser = MM_cmd.Execute
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
     Session("user") = MM_rsUser("ID")
     if MM_rsUser("administrator") then Session("type") = "admin"
     Session.Timeout = 20
     If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And false Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    ' Close the recordset before redirecting; Response.Redirect ends the script
    MM_rsUser.Close
    ''''''''''''''' Add the complete path of SetSession.asp here including the path to server2
    ' Query string pairs are separated with "&"
    Response.redirect("SetSession.asp?user=" & Session("user") & "&type=" & Session("type") & "&MM_UserAuthorization=" & Session("MM_UserAuthorization"))
    ''''''''''''''' Code change end
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>
____________________________________________________
0
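A hardened form of the hand-off described in the post above, as an added example that is not part of the original thread: the login page signs the values it passes across, and the receiving page accepts them only if the signature, expiry and one-time nonce check out, so values typed into the query string by hand are rejected. It is written in Python rather than ASP, and the key, function names and token layout are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key. In practice: a long random secret held only by the
# login page and the receiving page, never sent to the browser.
SHARED_KEY = b"constructed-demo-key"


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_handoff_token(user_id, role, key=SHARED_KEY, ttl=60, now=None):
    """Issued by the login page after the password check has succeeded."""
    now = int(time.time()) if now is None else int(now)
    claims = {"user": user_id, "type": role, "exp": now + ttl,
              "nonce": secrets.token_hex(16)}
    payload = json.dumps(claims, sort_keys=True).encode("utf-8")
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def accept_handoff_token(token, used_nonces, key=SHARED_KEY, now=None):
    """Run by the receiving page. Returns the claims, or None if rejected."""
    now = int(time.time()) if now is None else int(now)
    try:
        payload_part, tag_part = token.split(".")
        payload, tag = b64d(payload_part), b64d(tag_part)
    except ValueError:
        return None  # wrong shape or bad base64
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # payload was edited, or signed with another key
    claims = json.loads(payload)  # parsed only after the MAC check passes
    if claims["exp"] < now:
        return None  # stale link, e.g. from browser history or a log
    if claims["nonce"] in used_nonces:
        return None  # replay of a token that was already redeemed
    used_nonces.add(claims["nonce"])
    return claims


if __name__ == "__main__":
    redeemed = set()  # stand-in for server-side storage of used nonces
    token = make_handoff_token(user_id=42, role="")
    print("first use :", accept_handoff_token(token, redeemed))
    print("second use:", accept_handoff_token(token, redeemed))
```

The receiving page would copy `user` and `type` into its session only when `accept_handoff_token` returns claims, and treat `None` as a failed login.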
 
LVL 10

Expert Comment

by:avidya
ID: 11887048
Hi Kelly,

It's not all about the points ;-)
(btw, they are more than enough)

Ayesha's code is showing you how to transfer the vars.
This should work. Not able to test it, blew up my computer.

If it doesn't work, we will think of something else to get it going.
Like this:
I'm not a native English speaker, so I don't know what a "canned" site is, but I'm guessing it means that you cannot alter the site.
Maybe this is an option then, why not move the entire content of site one to site two?
In site one there will be one page which redirects (http://17409.myersinternet.com) to the second site. This can be done without anybody noticing.

You ran in some trouble now, because of the double hosting, you're bound to get annoyed by that later on.
Also you will have one place where the website is maintained.



0
 

Author Comment

by:kellybelly
ID: 11888574
ayesha - basically what you are saying then is put the same session variables on both sites?  I don't know if I can do this - not sure if the other site will let me use ASP.  I don't have a lot of access on the other server.  I know I can upload html and images
0
 

Author Comment

by:kellybelly
ID: 11891949
what about using cookies instead of session variables?
0
 
LVL 3

Expert Comment

by:Ayesha_K
ID: 11892207
cookies are also application specific ... i'm not sure but i don't think any application can set or read cookies written by some other application ... like kind of machine specific from where those were written ... not sure though

i used the technique of creating same session variables twice on different occasions ... 1 was when i had to use asp and aspx both at the same time in an application ... and these two don't share the session variables ... and i did it recently with ASP.NET also when had to join two applications ... and machine keys were not working ...

i'll suggest you to upload the asp file on the other server and try to run it ... u'll find out that u can do that or not
0
 

Author Comment

by:kellybelly
ID: 11892236
thanks - I will get back to you...
0
 
LVL 10

Expert Comment

by:avidya
ID: 11894574
Hi Kelly,

If you can't upload the asp pages on site one then try the redirect option.
This way you will have all your content on one server and the clients don't have to know that they are redirected to the server you have full control on.
0
 

Author Comment

by:kellybelly
ID: 11894988
Avidya - at the risk of sounding difficult - I can't do the redirect.  If you look on the navigation there is an 'about us' link, a 'loan process' link, and an 'FAQs' link.  The content on these is maintained by the client through tools that are linked to server #1 (the canned site.)

Ayesha - here is what I don't get.  Why do I need to establish the session variables or cookies on server #1 when server #1 never looks at them?  It's only the stuff from server#2 that loads in the content window that needs the variables.

Thanks again you guys.  Please stay with me, I know we are going to get this...
0
 
LVL 10

Expert Comment

by:avidya
ID: 11895352
Hi Kelly,

Thanks for explaining, leaving the redirect alone now.
About your session variables or cookies on server #1- question.
Since you are on server this is where the vars will be set. On s2 set the vars over there too, otherwise the session times out.
For setting the vars at S2 you need to transfer them from s1 to s2.
You can do this by reading the session vars from s1 and pass them to S2 and store them in a session var.



0
 

Author Comment

by:kellybelly
ID: 11895905
I didn't understand what you are saying very well - I'm sorry.  I know you said before that you are not a native English speaker so I really appreciate your work on this.  But could you explain it a different way maybe

Just to clarify, there is nothing happening on server #1 except the link to the login page.  All of the setting and retrieving of session variables and/or cookies will be done on server #2, which loads in a content window with frames from server #1 surrounding it.
0
 
LVL 3

Assisted Solution

by:Ayesha_K
Ayesha_K earned 250 total points
ID: 11900573
Hi Kelly,

the frames you are using from server # 1 require any kind of authentication or if else depending upon the user logged in right ??? so that means u DO need the session variables on server # 1 also ... if this is not the case .... then i'll have to go through all of the topics again and read carefully this time :)

sorry for taking too much time...

Regards
0
 

Author Comment

by:kellybelly
ID: 11902251
No - no authentication at all.  The header frame is just graphics.  The left frame is strictly links with absolute addresses in them.  Those are the 2 that are hosted on server 1.  Don't worry about how much time you are taking - thanks for sticking with me!
0
 
LVL 10

Accepted Solution

by:avidya
avidya earned 250 total points
ID: 11920761
Hi Kelly,

I've created a page with several frames, one frame is redirecting to another website on a different webserver, just like you are doing.

After testing around whole day I have a working page...
If I put the next line BEFORE I set any session object, all the session vars work!
     Response.Cookies("MainCookie").Domain = "mahi.nl"

Where "mahi.nl" is the receiving domain, in your case that would be "biggersmarter.com".

TIP: While testing I altered my original code, which was working fine on www.mahi.nl but not when called in frames from another domain/site.
After I found the line Response.Cookies("MainCookie").Domain = "mahi.nl", I took my original code, placed the line immediately after the first "<%" and I didn't have to alter a thing.

This got me started:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q178/0/37.asp&NoWebContent=1
0
 

Author Comment

by:kellybelly
ID: 11938341
OK guys - I got this working BUT

I still have a slight problem.  I can navigate if I click links within the main content frame.  But I still cannot click on a members only link in the menu frame (on the left) and get to the page I need.  Even if I am logged in and I know that cookies are there the site does not see them when I am navigating from that left frame.  Remember, the left (navigation buttons) is hosted on server #1 and the content for members only is hosted on server #2.

Can you throw me one more bone?  BTW - I am already specifying a domain for the cookies.
0
 
LVL 10

Expert Comment

by:avidya
ID: 11944743
Hi Kelly,

Just logon to the member part and all the links were working fine?
I got all the pages with clicking all the buttons several times, so I switch from #1 to #2 and back and it still is working.
Guess you fixed it somehow?
0
 

Author Comment

by:kellybelly
ID: 11945429
OMG!!!!  I have no idea why that works now.  I have XP at home and 2000 here - could that be the difference?
0
 
LVL 10

Expert Comment

by:avidya
ID: 11946390
Hi again,

don't think so.
I've also XP (pro), W98, and W2000, they all work fine.

Could be a client side thing though, cleaning your IE cache will help and try ctrl-F5 for reloading the site.
This will bypass your client cache and you will be getting a "fresh" page.

Also in IE, my settings for temp files is "refresh every visit to the page"
This helps too.
0
