My company took some old php application over. Due to our preference to ASP.net and to the lack of any documentation from the previous developer, we do not want to spend much resources on developing in PHP.
For implementing new features, we will create an Asp.net application that has the same look to the user. We want to develop a kind of 'coexisting' web application. Therefore we must share sessions between an PHP and an Asp.net webapplication project, because there is a usermanagement involved with an existing MySQL database.
(e.g. link 'A' directs to the PHP website, and link 'B' directs to the asp.net application)
How can we share the session between and PHP and an asp.net application?
And does anyone have a hint for this 'coexisting' thing, that might be useful in development?
Edit: IIS 6 would be our targeted server, altough IIS 7.5 would also be an option
I want to tell you, how I ended up doing it.
Both applications access a MySQL database and access a "session" table, which consists of a Guid, the ID of the user, and a confirmationString (I guess I encoded the IDUser in it, somehow) and a date.
Sessions are only started by the PHP application (due to the fact, that the PHP application is still the main application). A new session will result in a new entry in the log table. Every link in the PHP application, that links to the ASP.Net application contains GET-Parameters, containing the Guid etc.
The ASP.net application checks for the GET-Parameters and sets the IDUser in the ASP.Net Session, if the GET-Parameters point to an existing session.
The links pointing back to the PHP application use the same technique.
(There are also other things to consider, like timeouts or logouts, but that can be handled as well)
All in all, I'd say that my approach is useful and none of the customers complained since the deployment (over 1 year ago)
I don't think it's natively possible to share sessions between PHP and ASP.NET.
However, it might be possible by using a PHP page that reads the contents of the session, stores them in hidden fields and then call an ASP.NET page that would read these fields and load them into ASP.NET session.
Theoretically it's possible.
This is an old question, but I didn't think any of the current answers were complete.
First, I think it is a bad idea to store session data in a database server like mysql or SQL Server. The DB is a precious resource, and there's really no reason to thrash it just for session data.
If you are going to store session in a database like that, there are "better" ways of doing it, like making sure that the session data is on it's own independent disk, etc... but honestly, I still feel like it's a mistake and will limit your scalability.
For storing session, you want to go with a simple key/value store, and in my opinion you can't beat memcached (though I've also had good luck with redis + nodejs).
memcached has clients available for pretty much every language on earth: http://code.google.com/p/memcached/wiki/Clients
So, basically all you need to do when using memcached is generate a pseudo-random token for the key, and do a memcached.set. Then store that key in a cookie called session-id or something.
The session-id cookie can be read from any server language, .net, php, python, whatever - and the session value retrieved with a simple memcached.get.
Check out the memcached docs: http://code.google.com/p/memcached/wiki/NewStart
This is a very simple and scalable way to do sessions, and will work with almost any language/server.
http://cz.php.net/manual/en/function.session-set-save-handler.php
http://support.microsoft.com/kb/317604
You can write PHP's sessions into MsSQL, and configure .NET to use MsSQL as backend for sessions.
Not a big deal.
Your asp app should do a three simple things:
Recieve a sessionid cookie from the client
look for the sess_<id> file in the PHP session save path
implement a PHP serialize/unserialize functions to read/write session data.
A nicer way than just hacking into session storage mechanisms on both sides would be setting up OpenId provider and plugging OpenId consumers to both asp.net and php applications.
There's lot of existing code to do it. It would be both more elegant and error prone than the low level solutions. As a bonus you could use integrated OpenId login in the rest of your company applications and become a company hero.
See: Using OpenID for both .NET/Windows and PHP/Linux/Apache web sites
Oh dear, maybe one day you'll see the error of your ways, in the meantime.....
By default, PHP writes its session data as a serialized array into a file named according to the session. The session is identified usually by a cookie with name PHPSESSID.
So in PHP to manually read the session:
$imported_session=unserialize(file_get_contents(session_save_path() . '/' . $_COOKIE[session_name()]));
The format of the file is very straightforward and simple to parse.
However its quite easy to implement your own PHP session handler to write the files in any format/to any storage you like (have a look at auto-prepend for how to associate the revosed code with every page without having to rewrite each one). Or change the name the cookie used to store the session.
C.
Related
I am new to ASP.NET (obviously). I need to create a really simple database driven user login system using ASP.NET. In PHP this is simple; just call session_start() at the top of the page and the session will be created or resumed. Then it is just a matter of connecting to the database and authenticating the user. I was able to learn this in less than 2 hours using php.
With ASP.NET and visual studio I am not having as good a luck. I have researched a bit, although not as much as I would like because I do not have a lot of time to spend on this, and read about two ways to implement logins. First you can use the password forms controls and put the user/pass info in the web.config. Second you could use the Membership API. I did not like either of these.
Is there not a way to do very simular to php where you just start the stinkin session, connect to the database, authenicate and your done? I am sure there is, I just haven't had the time required to research this as much as needed due to classes and work. I was hoping someone here could save me a little time and just tell me what to lookup! Thank you in advance!
btw, I want to use visual studio 2010 (if that matters).
If you create a web application, and use the default then it generates a template that has the full login system already implemented. You don't have to do anything, just modify the pages for your own purposes.
You should use the Membership API. It's simple, and easy. You should use the FormsAutentication system, it's secure and robust, and well tested. It takes seconds to implement, not two hours.
You can use Session.
Store the username and password on database, then you can create an ASP.Net form to log the user, where you will check if the given information match.
For example, if password and username match, you create a Session["Logged"] = true; if not: Session["Loged"] = false
Sorry about my english!
I am building a very simple asp.net application that will have a SQL Server 2008 backend.
Some users will be entering data and storing in the database and some users will be viewing data.
The SQL Server 2008 is working with Windows authentication for every user; however, I am unable to get ASP.NET working with Windows authentication yet. Is there a simple way to allow windows authentication with ASP.NET? I found a very convoluted way, but I don't like it.
I will need to audit every action that the users perform.
Should I audit the users at the application level or at the SQL Server level?
Are there already built in methods to do this? If so, how?
On the contrary, I have always found Windows Authentication to be quite easy to set up and relatively painless. Here's some guides:
Setting up
More Setting up
I didn't realize that you could audit what users did at the ASP.NET level. My answer would be to use SQL Server for this one. You'd need to log:
timestamps and user name for every action
do you need to log workstation or location where the actions were performed?
can users go to mul
if multiple locations use this application, consider storing UTC time only
all actions, even deletes, which mean that delete's only get "hidden" from the user, but never erased from the database. Same for edits, the old record should never be changed or taken out of the database.
Your best bet here is to talk to your boss about this one. Auditors can have very specific needs, and you definitely don't want to forget anything. Every situation is different, so be sure to sit down and double check all your requirements and specifications.
Two things:
Here is example on Win auth on asp.net app:
http://weblogs.asp.net/scottgu/archive/2006/07/12/Recipe_3A00_-Enabling-Windows-Authentication-within-an-Intranet-ASP.NET-Web-application.aspx
I suggest you implement a log framework like log4net to log your application. It's simple and easy to use http://logging.apache.org/log4net/download.html
I would do this from the application if it is significant HOW people accessed the data as much as the WHO, but that's quite different from rlb.usa's answer. In my past jobs, it's often been as important to know which application the person changed data from as when/who. If it's primarily for application issues, log4net is a good option.
We are planning to move one of our applications on cloud, but somewhere I read that using session in cloud can be dangerous. but this blog dosen't explain any danger as such.
I wanted to know that is there really any threat in using session for cloud applications?
I am new to the forum so excuse if I have commited any mistake and please guide me to correct the same.
If you plan to run your application across several nodes, you will need to take load balancing and out-of-proc sessions into account, but there's nothing inherently insecure about using sessions while your servers are hosted somewhere else.
That just doesn't make any sense.
If 'dangerous' means that in certain situations the use of Session won't work, then you're right if you would be using Azure to host your cloud application. Then it depends on the number of instances you are running.
If you're only running 1 instance then you can use Session (that lives in memory on the instance) without changing anything. But if you're using more than 1 instance (the requests are being load balanced and each request can be handled at a different instance) in memory Session won't work out of the box. To resolve this you're able to use 3 different ways to store session.
See this question for more information:
ASP.NET session state provider in Azure
Is there a proper .NET solution for providing persistent server sessions over multiple domains?
i.e. If a user of the site logs in under www.site1.com, they will also then be logged in under www.site2.com
Security is an issue with the program we are working on...
Thanks!
Does it need to be in the session or are you looking for a single signon solution. If the latter take a look at something along the lines of ADFS
http://en.m.wikipedia.org/wiki/Active_Directory_Federation_Services?wasRedirected=true
You may want to start here instead of hacking into the ASPState database(possible, but I don't recommend it): http://www.codeproject.com/KB/session/sharedsession.aspx
Basically you set the AppDomain to be the same for both www.site1.com & www.site2.com using reflection.
You also may need to AppPath as well, we needed to, but our setup was slightly different than what you have. We added:
FieldInfo appDomainInfo = typeof(HttpRuntime).GetField("_appDomainId", BindingFlags.Instance | BindingFlags.NonPublic);
appDomainInfo.SetValue(theRuntime, "/LM/W3SVC/1/ROOT/A_Website_Name_Here");
The word 'session' can be a little confusing in ASP.NET.
If you are talking about security (authentication and authorization), you are probably looking for a Single Sign-On solution. In other words, when a user logs into one site they won't be prompted to log into another related site. Take a look at Windows Identity Foundation, OAuth, Jasig CAS. CAS is my preferred solution (I'm a developer on the .NET client), but the server is written in Java and you'll need some expertise with Java to get it configured the way you want.
In ASP.NET, Session state is a completely separate component from authentication and authorization (although it can depend on the result of the authentication step). If you are trying to share information between the 2 sites (i.e., shopping cart contents), you can either configure both domains to use the same database as a Session provider (google aspnet_regsql -ssadd) or you can just store the data in a database that is accessible by both.
For more info on why I emphasize the distinction, check this out: http://www.codeproject.com/KB/aspnet/ASPDOTNETPageLifecycle.aspx
Good luck.
Try using the canonical hostname URL Rewrite feature of the IIS 7.5 Url Rewrite 2 Module: Download
(This answer relies on both URL have hostheader entries for the same web application)
I'm working on a .NET 3.5 Web Application and I was wondering what would be good way to persist user specific settings (i.e. user preferences) server-side?
Here are the conditions:
It needs to be able to store/retrieve
settings based on a User ID
I don't want to use SQL Server or any such DB engine
I don't want to store it in cookies
Any guidance would be greatly appreciated.
Edit: If it makes any difference, it doesn't have to support a web farm.
Use the ASP.NET Profile feature for this. See ASP.NET Profile Properties Overview
If you want to persist data, and you don't want to use a database, then you need to save the data to disk (such as XML). If you're looking for something that isn't local to your server, you could use a SaaS solution that would host your data for you, such as Amazon's S3 service. If you do that, the latency of data retrieval will slow your application down, so you'll want to cache the data.
Text files (JSON/XML/etc), though security then becomes an associated problem.
Given those parameters, you could just keep track of your own user preferences XML file on the server.