  • Status: Solved
  • Priority: Medium
  • Security: Public

URGENT: Changing SessionID or cookieless sessions

Hi all
I am currently using ABCpdf to generate PDF reports from html/asp pages that I have set up, but my problem is that ABCpdf starts a new session when it generates the PDF and thus I can't access any session variables which should exist. When I found this to be a problem I had a look on their website and found this: "ABCpdf lives on the server and so it exists in a different session."

Thus I was wondering how I would go about telling the page that ABCpdf uses to generate the report to change its sessionID so that it can pick up and use the original session state.

One idea that I had was to pass the current sessionID (the one that has got all the user's sessions set) to the report page (which when ABCpdf runs starts a new session) by querystring and then change that report page's sessionID to the value being passed through. But it looks like the sessionID is read only and I can't change it. Now this might be a good thing (from a security point of view), but I need to access the session variables.

Thanks in advance
ant
0
CVSmarc
Asked:
 
Gawai Commented:
Do you want to change the sessionID each time you generate the report?
0
 
CVSmarc (Author) Commented:
Well currently, each time the report is run a different sessionID is used from the one that the user is currently using. So I suppose that if I can change the sessionID of the report page and from then on, whenever the report is generated, it acknowledges that the sessionID is that of the main user's session state, then no, I would only need to change it once per login. But if the report system refuses to maintain the sessionID once initially overridden then I would need to change/update it to that of the main sessionID each time the report is run.
ant
0
 
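Gawai Commented:
You can change the sessionID this way:

<%
' Read the ID of the current session so it can be displayed
strSID = Session.SessionID

Response.Write("<p>")
Response.Write("HIT Refresh to change this Session id : " & strSID)
Response.Write("</p>")
' Queue the current session for deletion once this page has finished
Session.Abandon
%>

'Session.Abandon is used to kill the current session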
0

 
chisholmd Commented:
I use this object and you will probably have to end up passing the values you need to the generation page as querystrings.

Rather than passing the sessionID, pass the actual values you're storing in the session. Then on the dynamic page you want rendered as PDF add a check for these variables.

So let's say you have a memberID stored in your session.

Then in your PDF URL method .../mypage.asp?memberid=" & Session("memberid")

On the page being rendered as PDF
' Prefer the session value; fall back to the querystring when no session exists
If Len(Session("memberID")) > 0 Then
   vMemberID = Session("memberID")
Else
   If Len(Request.QueryString("memberid")) > 0 Then
      vMemberID = Request.QueryString("memberid")
   End If
End If

Then in the rest of the page use this new local variable vMemberID


Um...I hope that makes sense.

0
 
CVSmarc (Author) Commented:
gawai: It's not just a matter of changing the sessionID to any old number; if I can change the sessionID it needs to be that of the sessionID that the user is currently using.

chisholmd: the only problem I have with this is that 1) I have more than just the user id that needs to be passed through 2) from a security point of view people would be able to just keep trying memberid numbers in the querystring until they got the next member number and they wouldn't be called to re-authenticate 3) there is the potential for a greater number of characters that need to be passed through to the page than the querystring will allow.

Now, I realise that passing the sessionID through by querystring means that someone could try changing the value and picking up on someone else’s session but the chances of that happening and finding a currently running session are fairly slim... I would have thought.

So I think we need to find another way... If there is no way that I can change the session ID, is there another way of storing the variables and passing a reference through to the report page telling it which variables to pick up... whilst still keeping the system secure?

Also if it helps this is the rest of what ABCpdf say about state management:
"ABCpdf lives on the server and so it exists in a different session. So you cannot generally rely on cookies, session state or form submission in your page. The page must be reliant only on the URL you supply. If you have to rely on session state you could use cookieless sessions (which will give you a URL for your session) or you could save the session information under a specific unique ID then pass the ID via the URL and pick up the information via your server-side code. If you are using Authentication you should provide a logon name and password in the ABCpdf HTML Options."

So taking this into account how would you suggest I go about setting up either "cookieless sessions" for this section of the site OR going about their second suggestion?

Thanks again
ant
0
 
chisholmd Commented:
I understand, in one app I had a lot of values so I passed them as one pipe delimited string in one querystring to reduce URL chars.

e.g.
?myvars=1|99|abdcf| etc. Then split these back into their original values

' Split the pipe-delimited querystring value back into an array
aMyVars = Split(Request("myvars"), "|")
memberID = aMyVars(0)
etc

In another app I just stopped using session variables altogether. It proved easy and very successful.  What I did was create a table in SQL called sessions and created a guid for each session.  e.g. newID()

Then created a couple of functions for setting and retrieving values.  The first site I did this on was a conversion job and it only took 8 hours which was much less than I thought.

I know none of this answers your question about how to reference another session or get its ID etc. But that is because I believe it is impossible so you're just burning time.

I think that creating some sort of encrypted or obfuscated querystring will end up being the simplest solution for you.

Of course...you could always write the session values to a disk object and then pass the sessionID in the querystring.  Well that's not much different than storing them in the db so...

0
 
CVSmarc (Author) Commented:
Hi all, sorry for the late reply.
Just thought that I would let you know how I got on. In the end I decided to make a copy of the HTML I wanted to put into the report and save it to an HTML file. By doing this all the user's session variables are still active and current. Then I tell the PDF generator to look at the temporary HTML file that I have just created. Thus the PDF generator is just looking at a static HTML page. Now I know that I have the overhead of having to create an HTML file as well now, but I don’t particularly mind this as I can now give the user the option of their report in HTML format. Also from a security point of view, I have to create the PDF and store it on the server the same way I am now creating the HTML file. Thus, the same security procedures that cover the PDF until the user who generated it downloads it are covering the HTML file as well.
Thanks again
ant
0
 
ltark Commented:
Why not save all variables in the Application object?
You could save all the values in a dictionary object in the application object, named with the session id of the current user, and pass this session ID to the ABCpdf page in the querystring.

Luis
0
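
The suggestion above, ABCpdf's quoted advice to "save the session information under a specific unique ID then pass the ID via the URL", and chisholmd's sessions table all describe a server-side store keyed by an ID carried in the URL. This is an added example, not code from the thread, modelled in Python rather than ASP: the `HandoffStore` class, the `rid` parameter and the URL are hypothetical, and it assumes a fresh random, single-use, short-lived ID instead of reusing the session ID as the key.

```python
import secrets
import time


class HandoffStore:
    """Server-side store mapping a one-time random ID to report data."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._items = {}  # id -> (expires_at, data)

    def put(self, data):
        """Save a copy of the values the report needs; return the ID for the URL."""
        self._purge()
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._items[token] = (self._clock() + self._ttl, dict(data))
        return token

    def take(self, token):
        """Return the data once, or None if the ID is unknown, used or expired."""
        entry = self._items.pop(token, None)  # pop makes the ID single-use
        if entry is None:
            return None
        expires_at, data = entry
        if self._clock() > expires_at:
            return None
        return data

    def _purge(self):
        """Drop expired entries so abandoned IDs do not accumulate."""
        now = self._clock()
        for token in [t for t, (exp, _) in self._items.items() if now > exp]:
            del self._items[token]


def report_url(store, session_values,
               base="https://example.invalid/report.asp"):
    # Only the opaque ID goes into the URL; the values stay on the server.
    return base + "?rid=" + store.put(session_values)
```

Because the ID is not the session ID, a URL that leaks through logs or referrers exposes one already-consumed report handoff rather than the user's whole session.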
 
CVSmarc (Author) Commented:
Hi guys
Sorry about the delay. Just letting you know that in the end, while the user's sessions were still accessible, I outputted the content of the page that I wanted to make a copy of to a newly created HTML document on the server. Thus the content is now static, plain HTML and does not rely on any server side code or sessions. I then pointed ABCpdf to that HTML document and got it to turn it into a PDF. Now this has the added advantage of allowing users to download an HTML copy if they want and has the same security risks when it comes to people accessing the data as storing the newly created PDF on the server for the user to download.
Thanks again for the help.
ant
0
