ASP.Net session issue

views:

103

answers:

+1 Q:

ASP.Net session issue

Hello everyone,

I am using VSTS 2008 + C# + .Net 3.5 + IIS 7.0 + ASP.Net. I am wondering if I have both aspx page and html page in my web site, will session variable be transferred only in aspx page? Or session could be transferred in both aspx and html page? (transfer I mean user click link inside my web site to traverse through my site, for example I have 1.aspx, 1.html and 2.aspx in my web site, 1.aspx has link to 1.html, when user clicks 1.html link in 1.aspx to go to 1.html, I mean transfer to 1.html.)

I have this confusion because in aspx we can easily access session status from ASP.Net Session object, but for html page, I am not how session is maintained.

Another confusion is, I think session is a concept for ASP.Net, not for html page, so I think session is maintained only in aspx page. Please correct me if I am wrong. :-)

thanks in advance, George

+2 A:

Normally, HTML pages have no access to server side functionality because they are just rendered out exactly as is. By default they aren't served by the ASP.NET engine, so you can't actually do any .NET work in an HTML page.

If you want to work with a session, you should use something like an ASPX page.

Pete OHanlon 2009-09-15 09:21:54

Thanks Peter, I want to confirm with you that if user traverse from 1.aspx to 2.sapx to 3.html to 4.aspx, then at the point of 3.html, the session variable will be lost, and in 4.aspx previous session information could not be retrieved?

George2 2009-09-15 09:28:00

George2. The session information isn't lost, as it lives with the users session, and is unrelated to the user requesting the HTML page.

Pete OHanlon 2009-09-15 10:13:04

+3 A:

No, the session won't be lost. ASPX -> HTML -> ASPX is OK.

In the sequence above the request for the HTML page will also receive the cookie but it will be ignored.

When the Session is created a cookie sent to the browser (essentially, it functions as a lookup key into the server-side Session logic). Every request to the same domain from that browser instance will include the cookie, regardless of the target.

To see this create an .aspx page the uses the Session (e.g. Session["x"] = "foo";) and make the page reference a couple of other resources, such as an image or script.

If you then use a HTTP traffic monitor, such as Fiddler or Charles Proxy (both work with all browsers), you'll see the cookie included in every request.

The .aspx page will respond with a Set-Cookie: header, and subsequent browser requests will include a Cookies: header.

devstuff 2009-09-15 09:48:00

Thanks! I have verified you are correct! I have a related question here, appreciate if you could take a look.http://stackoverflow.com/questions/1426117/forms-authentication-security-risk

George2 2009-09-15 10:03:17

Fiddler works fine for any web browser, by the way. www.fiddler2.com/fiddler/help/hookup.asp

EricLaw -MSFT- 2009-09-15 13:44:03

@Eric: Thanks for the clarification, I'll tweak the answer.

devstuff 2009-09-15 23:16:23

+1 A:

As devstuff said, the session won't be lost, but you can't access the values of the session in the html page, as the session value lives on the server, and html is 100% static on the server side.

If you need to use session inside the html, you should convert it to aspx, but this is really not difficult, as html markup is valid also in aspx.

awe 2009-09-15 09:59:21

Thanks for your advice!

George2 2009-09-15 10:03:59

ansaurus

tags:

views:

answers:

ASP.Net session issue

related questions