I'm using the Yahoo Uploader, part of the Yahoo UI Library, on my ASP.Net website to allow users to upload files. For those unfamiliar, the uploader works by using a Flash applet to give me more control over the FileOpen dialog. I can specify a filter for file types, allow multiple files to be selected, etc. It's great, but it has the following documented limitation:

Because of a known Flash bug, the Uploader running in Firefox in Windows does not send the correct cookies with the upload; instead of sending Firefox cookies, it sends Internet Explorer’s cookies for the respective domain. As a workaround, we suggest either using a cookieless upload method or appending document.cookie to the upload request.

So if a user is using Firefox, I can't rely on cookies to persist their session when they upload a file. I need their session because I need to know who they are! As a workaround, I'm using the Application object thusly:

Guid UploadID = Guid.NewGuid();
// Store the current user under the new ID so the upload handler can look it up
Application.Add(UploadID.ToString(), User);

So I'm creating a unique ID and using it as a key to store the Page.User object in the Application scope. I include that ID as a variable in the POST when the file is uploaded. Then, in the handler that accepts the file upload, I grab the User object thusly:

IPrincipal User = (IPrincipal)Application[Request.Form["uploadid"]];

So this actually works, but it has two glaring drawbacks:

  • If IIS, the app pool, or even just the application is restarted between the time the user visits the upload page and the time they actually upload a file, their "uploadid" is deleted from application scope and the upload fails because I can't authenticate them.
  • If I ever scale to a web farm (possibly even a web garden) scenario, this will completely break. I might not be worried, except I do plan on scaling this app in the future.

Does anyone have a better way? Is there a way for me to pass the actual ASP.Net session ID in a POST variable, then use that ID at the other end to retrieve the session?

Edit: I know I can get the session ID through Session.SessionID, and I know how to use YUI to post it to the next page. What I don't know is how to use that SessionID to grab the session from the state server.

Yes, I'm using a state server to store the sessions, so they persist application/IIS restarts, and will work in a web farm scenario.
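
As an added example (not part of the original question, and not code from YUI or ASP.NET): one way to avoid both drawbacks listed above is to send a signed, expiring token in the `uploadid` POST variable instead of a key into Application state. The class name `UploadToken`, the token layout and the shared secret `key` are assumptions made for this example; the token carries only the user name, so the handler has to rebuild its own principal from it.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical names): a signed, expiring upload token that
// replaces the Application[uploadid] lookup. No server-side state is needed.
public static class UploadToken
{
    // key: a server-side secret shared by every node in the farm (assumption).
    public static string Create(string userName, byte[] key, DateTime utcNow, TimeSpan lifetime)
    {
        string payload = utcNow.Add(lifetime).Ticks + "|" + userName;
        byte[] data = Encoding.UTF8.GetBytes(payload);
        return Encode(data) + "." + Encode(Sign(data, key));
    }

    // Returns the user name if the MAC verifies and the token has not expired; otherwise null.
    public static string Validate(string token, byte[] key, DateTime utcNow)
    {
        if (string.IsNullOrEmpty(token)) return null;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;
        byte[] data, mac;
        try { data = Decode(parts[0]); mac = Decode(parts[1]); }
        catch (FormatException) { return null; }
        if (!FixedTimeEquals(mac, Sign(data, key))) return null; // verify the MAC before parsing
        string payload = Encoding.UTF8.GetString(data);
        int sep = payload.IndexOf('|');
        long expiry;
        if (sep < 0 || !long.TryParse(payload.Substring(0, sep), out expiry)) return null;
        if (utcNow.Ticks > expiry) return null;                  // token has expired
        return payload.Substring(sep + 1);
    }

    static byte[] Sign(byte[] data, byte[] key) { using (var h = new HMACSHA256(key)) return h.ComputeHash(data); }

    static string Encode(byte[] b) { return Convert.ToBase64String(b).Replace('+', '-').Replace('/', '_'); }
    static byte[] Decode(string s) { return Convert.FromBase64String(s.Replace('-', '+').Replace('_', '/')); }

    // Constant-time comparison so the check does not leak how many MAC bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The upload page would emit `UploadToken.Create(User.Identity.Name, key, DateTime.UtcNow, TimeSpan.FromMinutes(10))` as the `uploadid` value, and the handler would call `UploadToken.Validate(Request.Form["uploadid"], key, DateTime.UtcNow)`. A token stays valid until it expires, so keep the lifetime short and serve the upload over HTTPS.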

A: 

The ASP.Net Session ID is stored in Session.SessionID so you could set that in a hidden field and then post it to the next page.

I think, however, that if the application restarts, the sessionID will expire if you do not store your sessions in SQL Server.

Espo
+1  A: 

You can get your current SessionID from the following code:

string sessionId = HttpContext.Current.Session.SessionID;

Then you can feed that into a hidden field maybe and then access that value through YUI.

It's just a get, so you hopefully won't have any scaling problems. Security-problems though, that I don't know.

Seb Nilsson
+2  A: 

Here is a post from the maintainer of SWFUpload which explains how to load the session from an ID stored in Request.Form. I imagine the same thing would work for the Yahoo component.

Note the security disclaimers at the bottom of the post.

This is exactly what I was looking for. Thanks!
Josh Hinman
Hey... the link seems to be broken. Can you update?
Mulki
A: 

I am having difficulty in repeating the session userlogin in a hidden field. Is there something wrong with my code? I am trying 2 ways to repeat information but nothing seems to pass.

<blockquote><form method="post" action="gotoanotherwebsite" name="main" target="_self" > 
<input name="username" type="hidden" value="<% echo("UserLogin") %>" /> 
<input type="hidden" name="userid" value="<% echo(Request("UserId").ToString ())  %>; " />
</form>
<script language="JavaScript" type="text/JavaScript">
<!-- 

{
document.main.submit()
}

//  -->
</script></blockquote>