Solved

Classic ASP redirect code seems to cause logout in Server 2012

Posted on 2015-02-11
Last Modified: 2015-02-25
Hi,

I had to migrate a down web server to new hardware and subsequently have had to use a slightly newer version of IIS, MS SQL Server etc.

I'm so close...

Earlier I mistakenly believed that all pages that INSERT or UPDATE were causing the application to boot me out to the login page. Instead I've now isolated two related (?) pieces of code that I can remove or alter to finally get different results than I've been getting!

On one page of the application, after the page load, all I had to do was refresh the page, and I would get booted out with my session expired. But when I removed this authentication/redirect code,

<%
' *** Restrict Access To Page: Grant or deny access to this page
MM_authorizedUsers=""
MM_authFailedURL="job_master_test.asp"
MM_grantAccess=false
If Session("MM_Username") <> "" Then
  If (true Or CStr(Session("MM_UserAuthorization"))="") Or _
         (InStr(1,MM_authorizedUsers,Session("MM_UserAuthorization"))>=1) Then
    MM_grantAccess = true
  End If
End If
If Not MM_grantAccess Then
  MM_qsChar = "?"
  If (InStr(1,MM_authFailedURL,"?") >= 1) Then MM_qsChar = "&"
  MM_referrer = Request.ServerVariables("URL")
  if (Len(Request.QueryString()) > 0) Then MM_referrer = MM_referrer & "?" & Request.QueryString()
  MM_authFailedURL = MM_authFailedURL & MM_qsChar & "accessdenied=" & Server.URLEncode(MM_referrer)
  Response.Redirect(MM_authFailedURL)
End If
%>



...I could then refresh as much as I wanted. However if I changed any form fields and submitted an UPDATE request, it would boot me out AFTER saving my changes. I think it was booting me out during these lines of code:

    Dim MM_editRedirectUrl
    ' Use the caller-supplied "from" page name when present, otherwise the default page
    If Request("from") <> "" Then
      MM_editRedirectUrl = Request("from") & ".asp"
    Else
      MM_editRedirectUrl = "estimate_manager_completed.asp"
    End If
    ' Carry the current query string over to the redirect target
    If (Request.QueryString <> "") Then
      If (InStr(1, MM_editRedirectUrl, "?", vbTextCompare) = 0) Then
        MM_editRedirectUrl = MM_editRedirectUrl & "?" & Request.QueryString
      Else
        MM_editRedirectUrl = MM_editRedirectUrl & "&" & Request.QueryString
      End If
    End If
    Response.Redirect(MM_editRedirectUrl)
  End If ' closes an enclosing If block that is not shown in this excerpt



The common theme is redirect and specifically we've been successfully manipulating the URL redirect strings to use them for "smarter" redirect.

For example, we tell a page from where the user came, so that when they UPDATE the record, we redirect them to the page they were on. In the authentication failure redirect, we are building a string we append that tells our login page from where the user came. Same idea.

This is just my current hunch, but the bottom line is, I can INSERT and UPDATE records with impunity, if I don't check for one of those "from" strings in the arrival URL on the page. I can refresh the page with impunity, if I remove the authentication check that includes that string-building add-on.

Just as a reminder - this all worked great on our old server, but I'm wondering if a previous developer may have added some library or configuration change that would handle things like URLEncoded values being passed as part of a redirect.

Any of this sound like I'm close? Any new suggestions?

Thanks

Bill
0
Comment
Question by:billium99
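
The edit-page redirect in the question builds its target from the request's "from" value, so whatever arrives in that parameter ends up in Response.Redirect. The following is an added example, not code from the original post, that maps "from" onto a fixed list of page names before redirecting; the function name and the contents of the list are assumptions to be replaced with the application's real pages.

```vbscript
<%
' Added example, not code from the original post.
Const DEFAULT_RETURN_PAGE = "estimate_manager_completed.asp"

' Returns a redirect target built only from known page names.
' Anything that is not on the list falls back to the default page.
Function SafeReturnPage(fromValue)
    Dim allowedPages, candidate, i
    ' Assumption: placeholder list; fill in the pages that really link here.
    allowedPages = Array("estimate_manager_completed", "job_master_test")
    SafeReturnPage = DEFAULT_RETURN_PAGE
    candidate = LCase(Trim(CStr(fromValue)))
    For i = 0 To UBound(allowedPages)
        If candidate = allowedPages(i) Then
            ' Build the URL from the list entry, never from the request value.
            SafeReturnPage = allowedPages(i) & ".asp"
            Exit Function
        End If
    Next
End Function

Dim MM_editRedirectUrl
' & "" turns the request collection item into a plain string ("" when absent).
MM_editRedirectUrl = SafeReturnPage(Request.QueryString("from") & "")

' Same query-string carry-over as the original code.
If Request.QueryString <> "" Then
    MM_editRedirectUrl = MM_editRedirectUrl & "?" & Request.QueryString
End If
Response.Redirect MM_editRedirectUrl
%>
```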
21 Comments
 
LVL 32

Expert Comment

by:Big Monty
ID: 40606821
the first thing I would do is verify you're not losing the session, so comment out the first block of code and add this right above/below it:

Response.Write "Session('MM_Username') = " & Session("MM_Username")



log onto the page, note what appears, and then hit refresh, and then post here the results for both page loads
0
 
LVL 1

Author Comment

by:billium99
ID: 40606987
OK I am indeed losing the session...

first time load showed the Username value. Refresh and then it didn't.

However I then went to one of my other edit pages that is working to UPDATE records without kicking the user. That page maintains the session, as I would have expected.

So it's still the code on these particular problem pages, somehow killing that session. I didn't see obvious elements that the "bad" pages have that the "good" don't have, but I guess I need to look deeper at the differences in these pages. Or what database tables are touched, I suppose.
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40607094
do you have any code anywhere that kills the sessions, or clears any individual session variables? if you don't, then you have a configuration issue, and not a code issue.
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40607885
yes it's a dupe. I jumped into this one only because the OP was really stuck for help.

since this one is "fresher", I would prefer to just delete the other one, or leave it open until this one gets resolved so we can reference it if needed
0
 
LVL 1

Author Comment

by:billium99
ID: 40608114
Well it's just my luck that I'm able to identify false patterns because of these particular symptoms. I thought I'd already done a session state check, because MM_UserName is one of 26 session variables we carry around the application. I was testing that the session was intact using Session('UserFirstName') as the variable I was checking.

So now I've added all the session variables, and sure enough MM_UserName and MM_UserAuthorization are the only two that we lose! And again, on most pages of the application we do not lose them.

So that makes me lean toward code on the page, although again, this application worked for nearly 3 years problem free on different hardware. So that makes me lean back toward configuration.

But what sort of configuration setting would lead to such a specific loss of these session variables?

Thanks for your time

Bill
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40608174
hmm, ya that's a weird situation...

in the pages you do lose them, you don't lose any of the other 24 session variables?

the pages you lose them in, are those pages accessing the database, as opposed to the pages you do not lose them in are NOT accessing the database?

it almost sounds like your app pool is being recycled prematurely. that may be worth a google search and seeing if anything comes up related to what's happening to you.
0
 
LVL 1

Author Comment

by:billium99
ID: 40608221
I'll search, but actually it does appear to be limited to a few pages, and I have many pages (albeit much simpler record INSERT/UPDATE pages) that are keeping all 26 session variables and allowing database read/write. And those pages include the authentication check that I've stripped from this current testing page where I added the session variables as you instructed.

I suppose it could somehow be related to WHICH tables I'm reading/writing on different pages, but I really hope that's not the case...and again - I would think any kind of MS SQL glitch would not necessarily disrupt established session variables, eh? Or it wouldn't trash some of them, but not all of them, would it?
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40608241
no it wouldn't be table specific, it COULD be related to database operations, might be a driver incompatibility issue, could be a whole slew of things. it's weird it's only certain variables though...

as a test / hack, if you rename those variables that are dropping (maybe append a 1 to the end of them), does the same thing happen?
0
 
LVL 1

Author Comment

by:billium99
ID: 40609117
Sorry got pulled away from this discussion. Will try and test this evening. Just to clarify, do you mean rename the session variables at the point of creation and then rename all instances of code calling for those variables? Or just create two new variables for a total of 28?

I assume if I only rename the variables, I will get page load errors during authentication on most site pages.

Bill
0

 
LVL 32

Expert Comment

by:Big Monty
ID: 40609153
just rename the session variables on your test page
0
 
LVL 1

Author Comment

by:billium99
ID: 40609837
The session variable is created on the login page.

If I rename it there, I can't get beyond the login page in the app. I finagled things to go to my test page after login, where the session isn't being checked. The renamed session remains intact on refresh of the test page.

I suppose it goes without saying, but I am also writing sessionID and I can confirm the session ID remains intact on refresh, when the two variables are lost.

Bill
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40612270
on the pages that do lose those 2 session vars, if you write out the session ID, does that get lost as well? if not, that leads me to think it may indeed be code related...
0
 
LVL 1

Author Comment

by:billium99
ID: 40613296
It does not lose the session ID.

But...this is code that worked perfectly in another environment for several years.

That's not an objection, but perhaps an important clue.

So I agree it seems to be related to something that code unique to certain pages is doing, but it will be some code that has compatibility problems only with IIS 8.5 and used to work.

And/or some code on the page is requiring a configuration setting that I have wrong.

We are stripping pieces of code on those pages - divide and conquer...
0
 
LVL 1

Author Comment

by:billium99
ID: 40614379
We have hacked a solution, based on the fact that we can have a "backup" of these session variables, and just use those to re-establish the missing variables.

But talk about a workaround! We still don't know why!

Bill
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40614532
well that's good, I'm glad you have a solution in place, as I'm running out of ideas :)

very odd situation indeed!

please be sure to let the Mod know this question is all set (if you feel that way of course) so that we can get the two questions closed out properly.
0
 
LVL 1

Author Comment

by:billium99
ID: 40615467
Thanks - how do I do that? Request attention? Close out without points? That seems a shame that effort can't be rewarded...
0
 
LVL 32

Expert Comment

by:Big Monty
ID: 40615586
Do a Request Attention and see how the Mod wants to close it out. While I appreciate the consideration for points, that's not why I do this. I get my satisfaction knowing I was able to help someone out with their problem :)
0
 
LVL 52

Accepted Solution

by: Scott Fell, EE MVE earned 500 total points
ID: 40618941
If the issue is the number of session variables, maybe check the limits.  I think there is something about 25.

If all the variables are for the user, I would stick them all in one session variable or at least in groups.

user_name = "abc123"
user_level = "admin"
user_firstname = "tom"
user_email = "me@mydomain.com"
var4 = "xyz"
var5= "bqu"
var6 = "tyx"

session("super_variable") = user_name &"|"& user_level  &"|"& user_firstname  &"|"& user_email  &"|"& var4  &"|"& var5  &"|"& var6



At the top of each page
arraySuperVariable = split(session("super_variable"),"|")

user_name = arraySuperVariable(0)
user_level = arraySuperVariable(1)
user_firstname = arraySuperVariable(2)
user_email = arraySuperVariable(3)
var4 = arraySuperVariable(4)
var5= arraySuperVariable(5)
var6 = arraySuperVariable(6)


Now you only have one session variable instead of 26.  If you have 100 users, that's 2600 in memory right? vs 100

Another option is to create an encrypted cookie where you sha/md5 that super variable salted with a timestamp and whatever else you want.  Throw that to a cookie and store the above info in your db using the sha/md5 super variable as your key and do a db look up on each page. In the db table, add a datetime field as to when you want to end the session.  If after that time on page load, log them out.

I do find that too many session variables causes issues. I learned that a long time ago after creating a cart with session variables instead of the way I described above.

https://technet.microsoft.com/en-us/library/cc730855%28v=ws.10%29.aspx
http://www.iis.net/configreference/system.webserver/asp/limits?showTreeNavigation=true
http://classicasp.aspfaq.com/general/why-won-t-my-session-variables-stick.html
http://blogs.msdn.com/b/david.wang/archive/2006/03/14/thoughts-on-application-pools-running-out-of-threads.aspx
0
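
With the pipe-delimited "super variable" from the answer above, a value that itself contains "|" shifts every later field (user_level would then read the wrong slot), and a missing session value makes the Split/index code fail. The following is an added example, not code from the thread, that escapes each field when packing and checks the field count when unpacking; the function names, FIELD_COUNT and the login.asp page name are assumptions.

```vbscript
<%
' Added example, not code from the thread. Field order follows the answer above.
Const FIELD_COUNT = 7

' Pack: Escape() turns "|" into %7C, so a value cannot inject a delimiter.
Function PackSessionFields(values)
    Dim i, parts()
    If UBound(values) + 1 <> FIELD_COUNT Then
        Err.Raise vbObjectError + 1, "PackSessionFields", "unexpected field count"
    End If
    ReDim parts(UBound(values))
    For i = 0 To UBound(values)
        parts(i) = Escape(CStr(values(i) & ""))
    Next
    PackSessionFields = Join(parts, "|")
End Function

' Unpack: returns True and fills "values" only when the stored string is intact.
Function UnpackSessionFields(packed, ByRef values)
    Dim i, parts
    UnpackSessionFields = False
    If IsEmpty(packed) Or IsNull(packed) Then Exit Function
    parts = Split(CStr(packed), "|")
    If UBound(parts) + 1 <> FIELD_COUNT Then Exit Function
    For i = 0 To UBound(parts)
        parts(i) = Unescape(parts(i))
    Next
    values = parts
    UnpackSessionFields = True
End Function

' At login (sample values from the answer):
Session("super_variable") = PackSessionFields(Array("abc123", "admin", "tom", _
    "me@mydomain.com", "xyz", "bqu", "tyx"))

' At the top of each page:
Dim fields
If Not UnpackSessionFields(Session("super_variable"), fields) Then
    Session.Abandon
    Response.Redirect "login.asp"   ' hypothetical login page name
End If
user_name  = fields(0)
user_level = fields(1)
%>
```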
 
LVL 1

Author Closing Comment

by:billium99
ID: 40630750
Thanks Scott - we actually are just using two extra "back-up" variables:

IF primary variables are missing, check backup variables. If those are also missing, log out the user.

This restores 100% functionality, however I suspect that your solution would have also changed what was happening and probably also given us 100% functionality, so I'm picking this as a solution.

Thanks for all the help, guys

Bill
0
