
View Full Version : Where'd my session go?



Spudhead
01-21-2003, 10:27 AM
Hi,

Got a login page. Does the usual stuff; checks username/pass against the database, sets some session variables and redirects on to the 'forum' section main page.

In login_do.asp, the last bit of code executed looks like:

Session("myUserID")=parseInt(rs.Fields("id").value);
strRedir="forum.asp?uid=";
strRedir+=Session("myUserID");
Response.Redirect(strRedir);

The user ID is always sent correctly in the querystring - the user is redirected to a page like "forum.asp?uid=6". Or something. So the login page is definitely setting the Session variable, and using it correctly.

In forum.asp, the first bit of code executed looks like:

var userID="";
if(parseInt(Session("myUserID"))){
userID=parseInt(Session("myUserID"));
}

And it always fails to set "userID" to the session variable. Indeed, I've tried taking that bit out and just getting forum.asp to write:
<%=String(Session("myUserID"))%>

and it always writes "undefined".

So, where's my session gone? How can I find out? Any help muchos appreciatos.

head8k
01-21-2003, 12:45 PM
First step is to confirm your session variable is being set on login_do.asp. Comment out the response.redirect line and replace it with:

response.write Session("myUserID")

If it really is being set correctly and the forum page is on the same server (mandatory for the session to be maintained!) then the problem is on the forum.asp page.

First thing to check is if you are including any files which might unwittingly be setting it to null.

Next, I would change your if statement.

if(parseInt(Session("myUserID")))

isn't the best way you could be checking it. How about if the session exists AND parseInt value of the variable is greater than zero then...

Hope this helps

Spudhead
01-21-2003, 01:20 PM
Yeah, but...

I know login_do.asp is setting the session var correctly. It's writing it in that redirect bit, as part of the querystring. If it wasn't being set correctly, it'd redirect to "forum.asp?uid=undefined", or something. But it always puts the correct (integer) user ID in there.

The files are definitely on the same directory of the same server etc.

There is an include file (for a DB connection), but it doesn't mention any of the variables I'm using, or anything Session-based.

And yeah, the if() statement I've got isn't the best, but I've tried changing it so the forum.asp simply does:

<%
Response.Write(String(Session("myUserID")));
Response.End();
%>

and it comes up "undefined"

Something is killing the session. But I don't know what.

Roelf
01-21-2003, 01:39 PM
Did you (by accident) disable session state for the website in IIS?

head8k
01-21-2003, 01:44 PM
Add

<%@ EnableSessionState=True %>

to the top of pages to see if that makes a difference.

Does the browser you are testing with have cookie support disabled? Sessions are treated in the same way as cookies. Might be worth reading this:

http://www.4guysfromrolla.com/webtech/092098-2.shtml

Spudhead
01-21-2003, 04:08 PM
Oh, nuts.

I've just realised what's causing this, and I've no idea what to do about it. This might take some explaining.

I have one domain name - "mydomain.net" (not really but who's looking?). This domain has a number of sub-domains.

My client has a number of domain names registered; let's say "domain1.com" and "domain2.com". Their DNS has been updated to point at my hosting company's nameservers.

My hosting is arranged thus: I have a number of directories; one - called, unsurprisingly, "mydomain.net" - is the root "www" directory for my domain. Others are for subdomains; I've got a directory called "client1.mydomain.net", for example. This is where my client's website files actually live.

There are also a number of directories relating directly to my client's domain names. I have a directory, for example, called "domain1.com". In each of these there are a couple of simple html frameset pages that do the trick of loading the correct website (in this case, http://client1.mydomain.net) into the browser, while leaving the correct domain name (ie: "www.domain1.com") in the browser address bar.

I hope you followed all of that because it just confused the hell out of me.

So; here's the deal. If I go to "http://client1.mydomain.net" - if I type that into the browser - then Sessions work. If, however, I type any of my client's domain names - all of which go, via DNS and the ever-so-simple procedure outlined above, to http://client1.mydomain.net - then Sessions don't work. It thinks it's crossing a domain - which I guess it is.


Can anyone explain to me either (a) what I'm talking about, or (b) how to fix this increasingly urgent problem asap?

aCcodeMonkey
01-21-2003, 09:16 PM
Question(s),

1. Are the two "websites" defined in IIS as two separate virtual servers?
Or, did you define multiple identities for the one website?

2. Are these Intranet or Internet hosted websites?

3. Are you creating the session() object in the global.asa or on the fly in the logon script?

If each domain is accessing a separate virtual server, then each web is creating its own session. This is part of IIS's cross domain security to prevent hackers from spoofing the server.

If the sites are in an Intranet environment, using NTFS security would resolve the issue.

There are a few 3rd party session managers, aSMS for example.

Here is a good high end article on designing website architectures and
A Blueprint for Building Web Sites Using the Microsoft Windows Platform (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndna/html/dnablueprint.asp)

Spudhead
01-22-2003, 09:55 AM
Thanks; all went a bit over my head but there may be a light at the end of the tunnel at least.

To answer:

1. I don't know. My hosting company might, I'm hoping they're going to answer my emails soon.

2. Internet-hosted.

3. Well, I don't have a global.asa (I know, I know) and I don't explicitly create a session object (didn't think I needed to), so I guess the answer is "on the fly".

As far as I understand, what's causing this is that frameset thing that loads "client1.mydomain.net" into a browser that says it's at "domain1.com". Or similar. If I replace the frameset pages with a simple redirect, it'll work but the browser will say it's at "client1.mydomain.net" - at which my client, being a fairly typical client, will have puppies.

Ugh. I've no idea what to do about this.

Good article, btw. Thanks.

raf
01-22-2003, 12:05 PM
Spudhead,

Important note about frames and session.
If you have a framepage with .html or .htm extension, then the page won't be parsed by the webserver. If this frameset contains 5 asp pages, then all of these five pages will be treated separately (since they are all different requests) and they will be parsed by the webserver, which will create 5 sessions. When the frame with the login-page in is not the same as the frame that is used to display the page, another session object will be read.

Simplest fix: stay in the same frame, or change the extension of the first page (containing frameset) to .asp (This way the webserver creates a session when the framepage is parsed, and checks every incoming request to see if a session exists) (Found it in a book on debugging asp, so it could be true :-)

Roelf
01-22-2003, 12:47 PM
Originally posted by raf
Spudhead,

Important note about frames and session.
If you have a framepage with .html or .htm extension, then the page won't be parsed by the webserver. If this frameset contains 5 asp pages, then all of these five pages will be treated separately (since they are all different requests) and they will be parsed by the webserver, which will create 5 sessions. When the frame with the login-page in is not the same as the frame that is used to display the page, another session object will be read.

Simplest fix: stay in the same frame, or change the extension of the first page (containing frameset) to .asp (This way the webserver creates a session when the framepage is parsed, and checks every incoming request to see if a session exists) (Found it in a book on debugging asp, so it could be true :-)
Perhaps this is IIS-version dependent, just did a quick test, all the asp files in a frameset with a html definition display the same session id so they all use the same session. I did this test with IIS 5.0 so it should work there

Roelf
01-22-2003, 01:14 PM
The server creates more than one session if the files are in different virtual directories within IIS. Maybe that is the cause of the problem.

raf
01-22-2003, 01:15 PM
Roelf,
Don't know about version dependency (don't have book at hand).
+ the problem only exists if the first page that the client requests is html page with a frameset. (once the session is created, the webserver maintains one session for each browser-server connection)

This
login.asp --> frame.htm with page1.asp - page2.asp --> page3.asp
Where you have a link to page3 with target='_parent' won't cause any problem.

If the user would start from frame.htm, there could be a problem

Spudhead,
It's easy to check if this is the problem.
Enter following code on each page and compare them (suppose roelf did the same). It should stay the same throughout a complete session. If the different frames display different numbers, then it's probably the frameuse that causes the problem.


Response.Write("session = " & Session.SessionID)

Roelf
01-22-2003, 01:16 PM
Originally posted by raf
suppose roelf did the same

Yep :D

Spudhead
01-22-2003, 02:18 PM
I... think.... umm. I think I know what you're talking about :)

I DO have multiple .asp pages within a .htm frameset page, but I don't think that's the problem. (I hope that's not going to BE a problem...)

I think the problem is one that would be fixed in the following way:

"I'll move your domains onto the new server whereby I can setup proper domain aliases which are in the host headers. Therefore the user will go to the site not in a frameset and will also not see the sub-domain URL."

- so says tech bloke at hosting company.


God, I wish I knew something about the basics of internet mechanics :rolleyes: :)

Roelf
01-22-2003, 02:32 PM
In the first post, you explain that you pass the userID in the url, that works.

Then you store it in a session. You try to retrieve it from the session object in another page, it fails.

Who cares, get it from the url and you've got it, or is that too simple

raf
01-22-2003, 02:40 PM
Roelf,

I suppose he uses the session-variable to check if the client logged in correctly (by comparing session and querystring variable),
otherwise I could walk straight into the forum by typing in the url and picking a number.
Think that would be a great security risk.

About your previous question:
That's quite obvious. An asp-application is defined as all files under the virtual directory or its subfiles, and a session-object is created when the first request (page) of the application is sent to the webserver.

But I don't know if that's the current problem (I don't really get a good picture of the situation) + it's not necessarily a problem (if the login page is placed in or under the same virtual folder as the page he's redirecting to and he stays in the same frame or the framepage has an asp extension). It would be a problem if you have something like this

\main virtual folder for application mai
\main\app1 virtual folder for app1
\main\app2 virtual folder for app1

start.asp is placed in \main and contains frameset with login_app1.asp and login_app2.asp in frames.
When user request start.asp, 3 sessions will be created

If login_app1 is placed in \main\app1, there is no problem.

Spudhead
01-22-2003, 02:50 PM
Well, yeah, I could. That was one option - it has two drawbacks:

- passing stuff like userID's in the querystring isn't that secure. I'd prefer to store stuff like that back out of the way where it's not so easy to get at. I know it's not that easy to exploit, but it's still possible.

- there are a lot of pages that need to know who the current user is. (I was only passing it via url in that instance to get some debug info) Redoing every one of them, and the various links to them, to pass and retrieve what can, and should, be stored much more efficiently in a session variable, seemed like a bit of a silly idea.


*beaten to it by ref :) Cheers guys...
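
Added example, not part of the original thread and not any poster's code: a small Node.js model of the login_do.asp / forum.asp flow showing why the user ID should come from the server-side session and why a missing session (as when the cookie is not returned under the framed domain) must lead back to login rather than to trusting "?uid=". The function names, the in-memory store and the status codes are assumptions made for the illustration.

```javascript
// Constructed model of the thread's two pages; names are hypothetical.
const { randomBytes } = require("crypto");

const sessions = new Map(); // session id -> { userId }

// Stand-in for login_do.asp: after the password check succeeds, bind the
// database user id to a fresh random session id that travels in a cookie.
function login(userIdFromDb) {
  const sid = randomBytes(16).toString("hex");
  sessions.set(sid, { userId: userIdFromDb });
  return { setCookie: sid, redirect: "forum.asp" };
}

// Stand-in for forum.asp: identity comes from the session alone.
// query.uid is accepted only to show that it is never trusted.
function forum(cookieSid, query) {
  const session = cookieSid ? sessions.get(cookieSid) : undefined;
  // "Session exists AND the id is an integer greater than zero".
  if (!session || !Number.isInteger(session.userId) || session.userId <= 0) {
    // Cookie missing or unknown: do not fall back to query.uid.
    return { status: 302, location: "login.asp", userId: null };
  }
  if (query.uid !== undefined && Number(query.uid) !== session.userId) {
    // URL disagrees with the session: tampered or stale link.
    return { status: 403, userId: null };
  }
  return { status: 200, userId: session.userId };
}

// Constructed walk-through of the three situations raised in the thread.
function demo() {
  const { setCookie } = login(6);
  return {
    normal: forum(setCookie, {}),                   // browser returned the cookie
    cookieDropped: forum(undefined, { uid: "6" }),  // no cookie, only "?uid=6"
    guessedUid: forum(setCookie, { uid: "7" }),     // "picking a number"
  };
}
```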


