Help - Can I reuse existing session ID from email link?

 
 
Nanker
      09-26-2006
Our existing ASP.NET web application does store a session ID in the
cookies (ASP.Net_SessionID) for a logged in user. A new requirement has
been stated that we need to be able to send a customer an email with a
link to a specific page in the application, and if the user clicks on
the email link while they are logged in to the application, they will
be taken to that page in the application without having to log in.
Given this:

- Is this possible to read the session ID from the cookie for the
active login and reuse it for this other request?
- Is it possible to do this within the specific browser with which they
are already logged in or will a separate browser have to be created?

I've been trying to read up on the best overall approach to this
problem, and I thought that asking here would provide good feedback.
Your response is appreciated.

Thanks in advance

 
sloan
      09-26-2006

I don't think you can do that.
Or at best, it's more drama than it's worth.


My approach would be:

generate a guid (System.Guid.NewGuid().ToString() )

Keep a table that maps this guid to a user.

Have a special page that handles these guid inputs.

www.myapp.com/EntryPoint/GuidTaker.aspx

When sending them a URL, do this
http://www.myapp.com/EntryPoint/Guid...eeeaaabbbcccdddeee

Read the database, find the user, set their credentials, redirect them.

You might even have:
http://www.myapp.com/EntryPoint/Guid...=aaabbbcccdddeeeaaabbbcccdddeee

Where you have a few pages (like "aboutus" and it takes you to
"aboutus.aspx" or something like that).

Between the cross-browser issue and the fact that SessionIDs (I think) are
abandoned... I don't think your approach is a good one.


You can add some logic to GuidTaker.aspx to track subsequent tries, if
they're trying an attack.

If security is an issue, then you can use 2 guids.
http://www.myapp.com/EntryPoint/Guid...eeeaaabbbcccdddeee&checkuuid=eeefffeeeaaadddeeeecccdddeeebbbaaa&page=aboutus

The likelihood of guessing 2 guids has to be out the roof.

You'll have to clean up the table where you store the guids and the userid
once in a while.

But this way, you can give the same user different entry points.

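One way to implement the token table described in the reply above, as an added example that is not part of the original thread: it swaps Guid.NewGuid() for a 256-bit value from RandomNumberGenerator, because GUIDs are designed for uniqueness rather than unpredictability, and makes each link expiring and single use. The class, method and page names are hypothetical, the dictionaries stand in for the database table, and the values in Main are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

class EmailLinkTokens   // hypothetical name; in-memory stand-in for the token table
{
    class Entry { public string UserId; public string Page; public DateTime Expires; }

    // Short page keys map to real pages, so the link never carries a raw path or URL.
    static readonly Dictionary<string, string> Pages = new Dictionary<string, string>
        { { "aboutus", "~/aboutus.aspx" }, { "orders", "~/orders.aspx" } };
    readonly Dictionary<string, Entry> table = new Dictionary<string, Entry>();
    readonly Dictionary<string, int> failures = new Dictionary<string, int>();
    const int MaxFailures = 5;

    public string Issue(string userId, string pageKey, TimeSpan lifetime, DateTime now)
    {
        if (!Pages.ContainsKey(pageKey)) throw new ArgumentException("unknown page key");
        var bytes = new byte[32];                        // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = BitConverter.ToString(bytes).Replace("-", "").ToLowerInvariant();
        table[token] = new Entry { UserId = userId, Page = Pages[pageKey], Expires = now + lifetime };
        return token;
    }

    // False for unknown, expired or already used tokens, and for throttled clients.
    public bool TryRedeem(string token, string clientIp, DateTime now, out string userId, out string page)
    {
        userId = null; page = null;
        failures.TryGetValue(clientIp, out int n);
        if (n >= MaxFailures) return false;              // track repeated bad tries
        if (token == null || !table.TryGetValue(token, out Entry e) || e.Expires < now)
        { failures[clientIp] = n + 1; return false; }
        table.Remove(token);                             // single use
        userId = e.UserId; page = e.Page;
        return true;
    }

    static void Main()
    {
        var store = new EmailLinkTokens();
        DateTime t0 = DateTime.UtcNow;
        string tok = store.Issue("user-42", "aboutus", TimeSpan.FromHours(24), t0);
        bool first = store.TryRedeem(tok, "203.0.113.7", t0.AddHours(1), out string user, out string page);
        Console.WriteLine(first + " " + user + " " + page);
        // A second click on the same link is rejected and counted as a failure.
        Console.WriteLine(store.TryRedeem(tok, "203.0.113.7", t0.AddHours(2), out user, out page));
    }
}
```
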


 
Göran Andersson
      09-27-2006
You can read the value of the cookie and use it, for example to
compare it to a value previously saved in the database. You cannot use
the value as a session ID, though; the user will get a new session ID, as
it's a new session.
