I'm taking over an ASP.NET web application that passes the session id in the URL string. There is an odd bug that I have to assume has something to do with a server configuration, but I'm at a loss.

Page A has a URL string that looks pretty much like this:

http://whateverqa.com/NTapsWeb/(S(yn5cby55lgzstcen0ng2b4iq))/List_Forms.aspx?wid=__zzwid1

When you click a button it goes to Page B, which displays some information. When you click Exit on that page it takes you back to Page A, but notice how it moves the session id in the URL back behind NTapsWeb:

http://whateverqa.com/(S(yn5cby55lgzstcen0ng2b4iq))/NTapsWeb/List_Forms.aspx?wid=__zzwid1

This leaves me with a page error that says:

"You are not authorized to view this page

You do not have permission to view this directory or page using the credentials that you supplied.

Please try the following:

Contact the Web site administrator if you believe you should be able to view this directory or page. Click the Refresh button to try again with different credentials. HTTP Error 403 - Forbidden: Access is denied. Internet Information Services (IIS)


Technical Information (for support personnel)

Go to Microsoft Product Support Services and perform a title search for the words HTTP and 403. Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Authentication, and About Custom Error Messages."

The strange thing is this is the way it works on the production server and it works just fine with the Session ID moving down in the string. If I copy the session ID back up and put this in after the error:

http://whateverqa.com/NTapsWeb/(S(yn5cby55lgzstcen0ng2b4iq))/List_Forms.aspx?wid=__zzwid1

it loads fine. Again, this works fine in Production, just doesn't work on the QA server.
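
The manual fix described above (moving the `(S(...))` segment back so it follows the application path) can be checked mechanically against request URLs from the QA and Production logs. This is an added example, not part of the original post or the application's code; the function names are hypothetical, and the `/NTapsWeb` application path and segment format are taken from the URLs in the question.

```javascript
// Added example: find the cookieless session segment "(S(<id>))" in a URL and
// report whether it sits directly after the application path.
const SESSION_SEGMENT = /^\(S\(([a-z0-9]+)\)\)$/i;

function safeDecode(segment) {
  try {
    return decodeURIComponent(segment);
  } catch (e) {
    return segment; // malformed percent-escape: compare the raw text
  }
}

function inspectCookielessUrl(rawUrl, appPath) {
  const url = new URL(rawUrl);
  const segments = url.pathname.split("/").filter(Boolean);
  const appSegments = appPath.split("/").filter(Boolean);

  const hits = [];
  segments.forEach((seg, i) => {
    const m = SESSION_SEGMENT.exec(safeDecode(seg));
    if (m) hits.push({ index: i, id: m[1] });
  });
  if (hits.length === 0) return { status: "no-session-segment" };
  if (hits.length > 1) return { status: "multiple-session-segments" };

  const { index, id } = hits[0];
  const rest = segments.filter((_, i) => i !== index);
  // IIS paths are case-insensitive, so compare the app path without case.
  const underApp = appSegments.every(
    (seg, i) => rest[i] !== undefined && rest[i].toLowerCase() === seg.toLowerCase()
  );
  if (!underApp) return { status: "outside-application", sessionId: id };

  // Rebuild with the segment directly after the application path.
  const path = [
    ...rest.slice(0, appSegments.length),
    segments[index],
    ...rest.slice(appSegments.length),
  ].join("/");
  return {
    status: index === appSegments.length ? "after-app-path" : "misplaced",
    sessionId: id,
    relocatedUrl: `${url.origin}/${path}${url.search}${url.hash}`,
  };
}
```

Running it over the URLs each server actually receives when Exit is clicked shows whether the two environments are being sent the same path.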

A: 

Thanks for the response. It's not a time out issue, because as I mentioned if I move the session ID up in the url it works again, so the data is still there.

The code for the exit button is in JavaScript and it is as follows:

<script type="text/javascript">
function ExecFuncInMain(id, arg)
{
    //alert('test'+id);
    var o = window.top._mainWindow.document.all[id];
    if(o!=null)
    {
        var s = o.onclick+"";
        //alert(s);
        if(s!=null && s!='null') 
        {
            s = s.replace("javscript:", "").replace("\n", "").replace("\n", "").replace("\n", "").replace("\n", "").replace("\n", "").replace("{", "").replace("}","");
            s = "window.top._mainWindow."+s.replace("function anonymous()", "")+";";
        }
        else s = s.replace('null','');
        s = s+"window.top._mainWindow.__doPostBack('"+o.id+"', '');";
        //alert(s);
        eval(s);
    }
    else alert("object is null");
}
</script>
shuff1203
A: 

In web.config find the line sessionState and make sure cookieless is set to false, so it looks something like this:

<sessionState mode="InProc" cookieless="false" timeout="400"></sessionState>
Spikolynn
A: 

Yep, it's set as:

    <sessionState timeout="480" mode="InProc" cookieless="true"></sessionState>
shuff1203