session variable lost on redirect when in frameset

I wrote a members only section that I have to integrate into a canned website that loads in a frameset.  In other words, when the user clicks a button they get my log in page which is hosted in an entirely separate place from the frames around it.  When the user logs in, a session variable is set, then they are redirected to another one of my pages to be loaded inside the frameset.  When this happens my session variables are lost.  Why is this?
kellybellyAsked:
avidyaCommented:
Hi Kelly,

I've created a page with several frames, one frame is redirecting to another website on a different webserver, just like you are doing.

After testing around the whole day I have a working page...
If I put the next line BEFORE I set any session object, all the session vars work!
     Response.Cookies("MainCookie").Domain = "mahi.nl"

Where "mahi.nl" is the receiving domain, in your case that would be "biggersmarter.com".

TIP: While testing I altered my original code, which was working fine on www.mahi.nl but not when called in frames from another domain/site.
After I found the line Response.Cookies("MainCookie").Domain = "mahi.nl", I took my original code, placed the line immediately after the first "<%" and I didn't have to alter a thing.

This got me started:
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/q178/0/37.asp&NoWebContent=1
0
 
richswyattCommented:
What do you mean by a "Separate place"...  Do you just mean that the members only pages are in a different host server or just a different spot on the page?

If they are on a different server- this could be your problem.  

Also - it is possible that your server's PHP install doesn't support Sessions?

Do you have some code examples?
0
 
kellybellyAuthor Commented:
it supports sessions because I can use it outside of the frames.  The pages are hosted on a different host server.

In the frames http://17409.myersinternet.com

not in the frames http://www.biggersmarter.com/ht
0
 
avidyaCommented:
Hi Kellybelly,

You have two sites and thus two applications. Session vars are stored for one unique application.
However, you can pass the vars to the other site and make the login kinda "transparent".
It can be done, but posting your code helps.

Here you can read about sessions.
http://www.w3schools.com/asp/asp_sessions.asp

0
 
cgarveyCommented:
The other server presumably has a different domain name, and cookies can only be accessed by the server that created them.
Session variables still rely on cookies to identify and track the client, though session cookies are treated differently than conventional cookies.

The way around this is either to make a hidden form field which is populated dynamically with the session contents and make the link a post, then have the page on the new site pick up the form variables and reset them, or else you could pass the variables along as part of the link, e.g. http://www.mysecurearea.com/loginok.asp?username=bob

HTH

Colm
0
 
kellybellyAuthor Commented:
but I am not trying to get any of the externally hosted frames to access the cookies.  Do the log in using both links posted above and I think you will understand a little better.  I am only trying to access with the code I am hosting.  The difference between the 2 links is that one is in frames hosted elsewhere, and one is not.
0
 
avidyaCommented:
Do you have a test account?
0
 
kellybellyAuthor Commented:
the log in info i gave is for the test account.  you can do whatever you want on it.
0
 
avidyaCommented:
Hi kelly,

I'm sorry, but maybe I'm not understanding you correctly.
I do not wish to register with my email to obtain an account, that's why I asked you for a test account. Is this possible?
0
 
Richard DavisSenior Web DeveloperCommented:
Hi Kelly,

I'm going to provide an extension to what avidya had stated already.
As stated, session variables are stored and used on the server that generated them, but a seamless work around would be such that you would "transfer" any session variable data that you are hoping to use to the second server by use of the post or get method of a form submission. If the session data isn't anything that would violate the security of your users or your site, then the easiest way to achieve this would be to retrieve your current session variables, store them to $_GET[] variables and then simply construct a call to the respective PHP doc on the second server.
Make sure that the PHP doc on the receiving server first creates a session, then simply parse all your passed data into duplicated $_SESSION[] vars on the receiving server and you're good as gold without any loss of data.

If anyone has any better suggestions, I would love to hear them as this seems to be the only way I could think of to achieve this.

Good Luck, Kelly.
0
 
avidyaCommented:
kelly is using asp, not PHP
0
 
Richard DavisSenior Web DeveloperCommented:
ooops...so sorry

*rather embarrassed now*
0
 
kellybellyAuthor Commented:
avidya - the test account is admin@admin.com with a password of admin

adrian - no problem - I should have addressed that before

Here is my log in page:----------------------------------------------------------------
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="Connections/HT.asp" -->
<%
' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername=CStr(Request.Form("email"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization=""
  MM_redirectLoginSuccess="home.asp"
  MM_redirectLoginFailed="?msg=failed"
  ' Build the query with ? placeholders so the form values are bound as
  ' parameters instead of being concatenated into the SQL text
  MM_sql = "SELECT email, pword, ID, Administrator"
  If MM_fldUserAuthorization <> "" Then MM_sql = MM_sql & "," & MM_fldUserAuthorization
  MM_sql = MM_sql & " FROM brokers WHERE email=? AND pword=? and not isNull(accepted)"
  set MM_cmd = Server.CreateObject("ADODB.Command")
  MM_cmd.ActiveConnection = MM_HT_STRING
  MM_cmd.CommandText = MM_sql
  ' 200 = adVarChar, 1 = adParamInput, 255 = maximum length
  MM_cmd.Parameters.Append MM_cmd.CreateParameter("email", 200, 1, 255, MM_valUsername)
  MM_cmd.Parameters.Append MM_cmd.CreateParameter("pword", 200, 1, 255, CStr(Request.Form("password")))
  set MM_rsUser = MM_cmd.Execute
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
      Session("user") = MM_rsUser("ID")
      if MM_rsUser("administrator") then Session("type") = "admin"
      Session.Timeout = 20
      If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And false Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
    MM_rsUser.Close
      if request.queryString("dest") = "RFC" then
      response.redirect "http://homeconnect.htmortgage.net"
      else
    Response.Redirect(MM_redirectLoginSuccess)
      end if
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>





<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<img src="images/logo.gif" width="373" height="150" align="left" vspace="50">
<h1>HomeConnect Log in:</h1>
<% ' if user log in failed display message
      if request.querystring("msg") = "failed" then
      %>
      
<h3>Log in failed.  If you have recieved an email from Hometown Mortgage stating that you have been accepted as a registered use of HomeConnect please try again. </h3>
<h3><a href="pwordReminder.asp">Click here</a> if you have forgotten your password.</h3>
<h3>If problem persists <a href="contact.asp?msg=help&type=login">click here</a> to email a help request Hometown mortgage.
      </h3>
<%
      end if
      %>

<p><font size="-1"><%= date %></font></p>
<form name="logIn" method="post" action="<%=MM_LoginAction%>">
   
 
<table border="0" cellspacing="0" cellpadding="0">

       
 
<tr>
 
<td>
 
<h4>Email:            
</h4>
</td>
<td width="10">&nbsp;</td>
<td>
               
 
<input type="text" name="email">
            </td>
</tr>
       
 
<tr>
 
<td>
 
<h4>Password:</h4>
</td>
<td width="10">&nbsp;</td>
<td>
               
 
<input type="password" name="password">
            </td>
</tr>
       
 
<tr>
 
<td>&nbsp;
</td>
<td width="10">&nbsp;</td>
<td>
               
 
<input type="submit" name="Submit" value="Log in">
                </td>
</tr>
 
<tr>
 
<td>&nbsp;
</td>
<td width="10">&nbsp;</td>
<td>&nbsp;</td>
</tr>
       
 
<tr>
 
<td>
 
<h4>Options:</h4>
</td>
<td width="10">&nbsp;</td>
<td><a href="register.asp">First time users click here for registration</a></td>
</tr>
 
<tr>
 
<td height="10">
</td>
<td width="10"></td>
<td></td>
</tr>
 
<tr>
 
<td>&nbsp;
</td>
<td width="10">&nbsp;</td>
<td><a href="pwordReminder.asp">Forgot password</a></td>
</tr>
 
<tr>
 
<td>
<input type="hidden" name="dest" value="<%= request.queryString("dest") %>">
</td>
<td width="10">&nbsp;</td>
<td>&nbsp;</td>
</tr>
 
<tr>
 
<td colspan="3"><a href="EL/default.asp">Employment opportunities with Hometown Mortgage</a></td>
</tr>
       
 
   
 
</table>
<p>&nbsp;</p>
</form>
<p>&nbsp;</p>
</body>
</html>



And here is the page after log in:---------------------------------------------------------------------------------------
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" href="style.css" type="text/css">
</head>

<body bgcolor="#FFFFFF" text="#000000">

<h1>Welcome</h1>
<!--#include file="header.asp" -->
<h2><img src="images/forms.gif" width="225" height="60"></h2>
<h2>&nbsp;</h2>
<table cellpadding="0" cellspacing="0" border="0">
<tr>
<td valign="top">
<h4>Broker forms:</h4>
</td>
<td width="10">&nbsp;</td>
<td>
<p><a href="forms/BROKERPACKAGE.pdf" target="_blank" onClick="alert('This will load a PDF form in a new window.  Please allow a minute for it to load.\n\nYou may fill the form on the screen by clicking in boxes and tabbing through to all fillable fields, then print and fax or mail to Hometown')">Broker package</a></p>
<p><a href="forms/rateLock.pdf">Rate Lock Schedule</a></p>
<p><a href="forms/SUBMISSIONFORM.pdf">Preliminary Submission form</a></p>
<p><a href="forms/CONDOMINIUMCHECKLIST.pdf">Condominium Checklist</a></p>
</td>
<td width="200">
<p>&nbsp;</p>
</td>
</tr>
</table>
</body>
</html>

Thanks for your hard work!!
0
 
avidyaCommented:
Hi kelly,

thanks for the test account.
Looks like you generated your code with Dreamweaver, is that correct?
And, if so, do you understand the code?
(This way I can estimate your skill level.)

For the first round: Could you alter the "page after login" like this:
<h1>Welcome<%=Session("user")%></h1>

This will display the var stored in the session and we can see if the session var works.

0
 
kellybellyAuthor Commented:
I could write all that code.  I understand it all pretty well.  I will make the change
0
 
kellybellyAuthor Commented:
but you should be getting a redirect to a 'you are not logged in' page if there are no session variables
0
 
avidyaCommented:
Hi, let's set up a working vocabulary:

1) http://17409.myersinternet.com gave me:
  Password protected area
  You are either not logged in or your session has timed out.
  Please click here to log in.
  Click here to register as a new user

2) http://www.biggersmarter.com/ht Logged on fine, as you know ;-)

question
- are all the pages from site 1 on the same server?
The menu page has http://www.hometownmtg.net/menu_files as location and the loginpage has http://209.132.227.16/ht/default.asp as location.
As far as I can tell, the login page at site 1 is a link to site 2 (http://209.132.227.16/ht/).
Can you tell me if this is correct?



0
 
kellybellyAuthor Commented:
site 1 - menu page (frame) and header page (frame) on a separate server as log in pages.  This is a canned website that I am adding customized pages to.

site 2 - all pages hosted on same server.  This is the customization that I want to load in to the content frame of site 1.   biggersmarter.com is the same as 209.132.227
0
 
avidyaCommented:
Okee, now we're getting somewhere.

For session vars to work they need to be on the same webserver and within the same web app.

Can you place the logon pages at http://17409.myersinternet.com ?

0
 
kellybellyAuthor Commented:
no - that is where the canned website is.  The tools that I am developing have to be hosted elsewhere.
0
 
kellybellyAuthor Commented:
I would add more points if I could.  There has got to be a work around or solution to this problem.  

In a nutshell - the session variables are not available when the page is loaded inside frames that are hosted on another server.  Hasn't anyone out there ever made this work before?  I will even open another question and give it another 500 points...

Thanks in advance...
0
 
Ayesha_KCommented:
Hi,

on the SECOND server create another asp page called SetSession.asp having the following code
NOTE: use the file name in the Response.redirect as the one of your login action page ... means the file with the asp code pasted above ... but don't forget to include the querystring variable Validated=Yes
____________________________________

<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="Connections/HT.asp" -->
<%

     Session("user") = Request.QueryString("user")
     Session("type") = Request.QueryString("type")
     Session.Timeout = 20
     Session("MM_UserAuthorization") = Request.QueryString("MM_UserAuthorization")
     Response.redirect("LoginServer1.asp?Validated=Yes")
%>
__________________________________________________

Now change your login action file with the code pasted above as follows

___________________________________________________
<%@LANGUAGE="VBSCRIPT"%>
<!--#include file="Connections/HT.asp" -->
<%
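'''' If Validated=Yes, SetSession.asp has already set the session variables on the other server,
'''' so this page only has to redirect
' Set the target here as well: the assignment further down only runs when the login form is posted
MM_redirectLoginSuccess="home.asp"
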
if Request.QueryString("Validated") = "Yes" then
     if request.queryString("dest") = "RFC" then
          response.redirect "http://homeconnect.htmortgage.net"
     else
          Response.Redirect(MM_redirectLoginSuccess)
     end if

end if

' *** Validate request to log in to this site.
MM_LoginAction = Request.ServerVariables("URL")
If Request.QueryString<>"" Then MM_LoginAction = MM_LoginAction + "?" + Request.QueryString
MM_valUsername=CStr(Request.Form("email"))
If MM_valUsername <> "" Then
  MM_fldUserAuthorization=""
  MM_redirectLoginSuccess="home.asp"
  MM_redirectLoginFailed="?msg=failed"
  ' Build the query with ? placeholders so the form values are bound as
  ' parameters instead of being concatenated into the SQL text
  MM_sql = "SELECT email, pword, ID, Administrator"
  If MM_fldUserAuthorization <> "" Then MM_sql = MM_sql & "," & MM_fldUserAuthorization
  MM_sql = MM_sql & " FROM brokers WHERE email=? AND pword=? and not isNull(accepted)"
  set MM_cmd = Server.CreateObject("ADODB.Command")
  MM_cmd.ActiveConnection = MM_HT_STRING
  MM_cmd.CommandText = MM_sql
  ' 200 = adVarChar, 1 = adParamInput, 255 = maximum length
  MM_cmd.Parameters.Append MM_cmd.CreateParameter("email", 200, 1, 255, MM_valUsername)
  MM_cmd.Parameters.Append MM_cmd.CreateParameter("pword", 200, 1, 255, CStr(Request.Form("password")))
  set MM_rsUser = MM_cmd.Execute
  If Not MM_rsUser.EOF Or Not MM_rsUser.BOF Then
    ' username and password match - this is a valid user
     Session("user") = MM_rsUser("ID")
     if MM_rsUser("administrator") then Session("type") = "admin"
     Session.Timeout = 20
     If (MM_fldUserAuthorization <> "") Then
      Session("MM_UserAuthorization") = CStr(MM_rsUser.Fields.Item(MM_fldUserAuthorization).Value)
    Else
      Session("MM_UserAuthorization") = ""
    End If
    if CStr(Request.QueryString("accessdenied")) <> "" And false Then
      MM_redirectLoginSuccess = Request.QueryString("accessdenied")
    End If
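    ''''''''''''''' Add the complete path of SetSession.asp here including the path to server2
    ' Close the recordset first: Response.Redirect ends the script
    MM_rsUser.Close
    ' Separate the parameters with "&" and URL-encode each value
    Response.redirect("SetSession.asp?user=" & Server.URLEncode(CStr(Session("user"))) & "&type=" & Server.URLEncode(CStr(Session("type"))) & "&MM_UserAuthorization=" & Server.URLEncode(CStr(Session("MM_UserAuthorization"))))
    ''''''''''''''' Code change end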
  End If
  MM_rsUser.Close
  Response.Redirect(MM_redirectLoginFailed)
End If
%>
____________________________________________________
0
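
SetSession.asp as posted copies whatever `user` and `type` values arrive in the query string into the session, so the receiving server cannot tell a redirect from the login page apart from a URL someone typed. One way to make the handoff verifiable is for the login server to sign the values and for the receiving server to check signature, age and single use before trusting them. This is an added example, not code from the thread; it is written in Python rather than ASP, and the shared key, the 60-second lifetime and the in-memory nonce set are assumptions.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key; in practice a long random secret held only by the two servers.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 60  # the handoff redirect completes within seconds


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, type_, authorization, key=SHARED_KEY, now=None):
    """Login server: pack the three session values from the thread and sign them."""
    payload = json.dumps({
        "user": user,
        "type": type_,
        "MM_UserAuthorization": authorization,
        "iat": int(time.time() if now is None else now),  # issue time
        "nonce": secrets.token_hex(16),                   # makes the token single-use
    }, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def verify_token(token, seen_nonces, key=SHARED_KEY, now=None):
    """Receiving server: return the session values, or None if the token is
    malformed, forged, expired or already used."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    claims = json.loads(payload)
    now = time.time() if now is None else now
    if not 0 <= now - claims["iat"] <= MAX_AGE_SECONDS:
        return None
    if claims["nonce"] in seen_nonces:          # replayed redirect URL
        return None
    seen_nonces.add(claims["nonce"])
    return {k: claims[k] for k in ("user", "type", "MM_UserAuthorization")}


if __name__ == "__main__":
    seen = set()
    token = issue_token(42, "", "")   # constructed values: broker ID 42, not an admin
    print(verify_token(token, seen))  # accepted once
    print(verify_token(token, seen))  # None: same token presented again
```

The token still travels in the redirect URL and so ends up in browser history and server logs; the short lifetime and the nonce check are what keep a logged copy from being reused.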
 
avidyaCommented:
Hi Kelly,

It's not all about the points ;-)
(btw, they are more than enough)

Ayesha's code is showing you how to transfer the vars.
This should work. Not able to test it, blew up my computer.

If it doesn't work, we will think of something else to get it going.
Like this:
I'm not a native English speaker, so I don't know what a "canned" site is, but I'm guessing it means that you cannot alter the site.
Maybe this is an option then, why not move the entire content of site one to site two?
In site one there will be one page which redirects (http://17409.myersinternet.com) to the second site. This can be done without anybody noticing.

You ran into some trouble now, because of the double hosting, you're bound to get annoyed by that later on.
Also you will have one place where the website is maintained.



0
 
kellybellyAuthor Commented:
ayesha - basically what you are saying then is put the same session variables on both sites?  I don't know if I can do this - not sure if the other site will let me use ASP.  I don't have a lot of access on the other server.  I know I can upload html and images
0
 
kellybellyAuthor Commented:
what about using cookies instead of session variables?
0
 
Ayesha_KCommented:
cookies are also application specific ... i'm not sure but i don't think any application can set or read cookies written by some other application ... like kind of machine specific from where those were written ... not sure though

i used the technique of creating same session variables twice on different occasions ... 1 was when i had to use asp and aspx both at the same time in an application ... and these two don't share the session variables ... and i did it recently with ASP.NET also when had to join two applications ... and machine keys were not working ...

i'll suggest you to upload the asp file on the other server and try to run it ... u'll find out that u can do that or not
0
 
kellybellyAuthor Commented:
thanks - I will get back to you...
0
 
avidyaCommented:
Hi Kelly,

If you can't upload the asp pages on site one then try the redirect option.
This way you will have all your content on one server and the clients don't have to know that they are redirected to the server you have full control of.
0
 
kellybellyAuthor Commented:
Avidya - at the risk of sounding difficult - I can't do the redirect.  If you look on the navigation there is an 'about us' link, a 'loan process' link, and an 'FAQs' link.  The content on these is maintained by the client through tools that are linked to server #1 (the canned site.)

Ayesha - here is what I don't get.  Why do I need to establish the session variables or cookies on server #1 when server #1 never looks at them?  It's only the stuff from server#2 that loads in the content window that needs the variables.

Thanks again you guys.  Please stay with me, I know we are going to get this...
0
 
avidyaCommented:
Hi Kelly,

Thanks for explaining, leaving the redirect alone now.
About your session variables or cookies on server #1 question.
Since you are on server this is where the vars will be set. On s2 set the vars over there too, otherwise the session times out.
For setting the vars at S2 you need to transfer them from s1 to s2.
You can do this by reading the session vars from s1 and pass them to S2 and store them in a session var



0
 
kellybellyAuthor Commented:
I didn't understand what you are saying very well - I'm sorry.  I know you said before that you are not a native English speaker so I really appreciate your work on this.  But could you explain it a different way maybe

Just to clarify, there is nothing happening on server #1 except the link to the login page.  All of the setting and retrieving of session variables and/or cookies will be done on server #2, which loads in a content window with frames from server #1 surrounding it.
0
 
Ayesha_KCommented:
Hi Kelly,

the frames you are using from server # 1 require any kind of authentication or if else depending upon the user logged in right ??? so that means u DO need the session variables on server # 1 also ... if this is not the case .... then i'll have to go through all of the topics again and read carefully this time :)

sorry for taking too much time...

Regards
0
 
kellybellyAuthor Commented:
no - no authentication at all.  The header frame is just graphics.  The left frames is strictly links with absolute addresses in them.  Those are the 2 that are hosted on server 1.  Don't worry about how much time you are taking - thanks for sticking with me!
0
 
kellybellyAuthor Commented:
OK guys - I got this working BUT

I still have a slight problem.  I can navigate if I click links within the main content frame.  But I still cannot click on a members only link in the menu frame (on the left) and get to the page I need.  Even if I am logged in and I know that cookies are there the site does not see them when I am navigating from that left frame.  Remember, the left (navigation buttons) is hosted on server #1 and the content for members only is hosted on server #2.

Can you throw me one more bone?  BTW - I am already specifying a domain for the cookies.
0
 
avidyaCommented:
Hi Kelly,

Just logged on to the member part and all the links were working fine?
I got all the pages with clicking all the buttons several times, so I switch from #1 to #2 and back and it is still working.
Guess you fixed it somehow?
0
 
kellybellyAuthor Commented:
OMG!!!!  I have no idea why that works now.  I have XP at home and 2000 here - could that be the difference?
0
 
avidyaCommented:
Hi again,

don't think so.
I've also xp (pro), w98, and w2000, they all work fine.

Could be a client site thing though, cleaning your IE cache will help and try ctrl-F5 for reloading the site.
This will bypass your client cache and you will be getting a "fresh" page.

Also in IE, my setting for temp files is "refresh every visit to the page".
This helps too.
0
Question has a verified solution.
