Application Security Testing: An Integral Part of DevOps
by Sidney Forcier
Despite all of Microsoft's best efforts to make ASP and ASP.NET coexist effortlessly, one area remains a stumbling block... session state. Fortunately the advantages of ASP.NET's upgraded session state management far outweigh the inconvenience of not being able to pass "Classic" session information to .NET. Unfortunately there is no simple solution; the most I can offer is an easy to implement workaround.
The second option is probably closer to an actual solution than to a workaround. Billy Yuen at Microsoft has developed an effective solution. The code is elegant, the integration appears to be seamless, but I couldn't get it to work on my system (remember I said that there was no simple solution, not that there was no solution at all). If this solution works for you, great! You won't need my code and you'll be happily passing session information from "Classic" to .NET like it's going out of vogue, thanks for stopping by.
Ok, if you're still reading let me briefly describe the workaround I've created. It requires a database, but it is not important which type of database (though the code is written for SQL Server). When a page (source page) wants to redirect to another page (destination page) that uses a different version of ASP, it calls an intermediate page. The source intermediate page takes each session variable and adds it to the database along with a Globally Unique ID (GUID). Since "Classic" and .NET use different SessionID formats it is not possible to use SessionID, hence the use of a GUID. The source intermediate page then passes the GUID to the destination intermediate page through a Querystring variable. The destination intermediate page retrieves the session information from the database, cleans up after itself, and then redirects to the destination page. It's similar to the first workaround, but supports transferring state in both directions.
- Run the SQL Query in "ASPSessionState.sql" on the database which will hold the temporary Session information.
- Copy the .asp and .aspx.* (SessionTransfer.aspx and SessionTransfer.aspx.cs) files to a folder on your website.
- Update connection object information in the "SessionTransfer.asp" and "SessionTransfer.aspx.cs" files. It is located in three places in each file (sorry about not consolidating the connection info).
- Compile the aspx files.
- The .asp and .aspx.* files must all reside in the same folder to work.
For use in a Hyperlink (Anchor Tag) or a Response.Redirect, set the destination URL to be one of the following:
From a ASP "Classic" page:
From an ASP.NET page:
The code will transfer the Session information and Redirect the user to the url specified by <asp_dotnet_url> or <asp_classic_url>.
You can download the code from here: session_transfer.zip (4.6 KB).