Cookieless Session


Introduction

There are various reasons to adopt cookieless session. Recently, I implemented cookieless session and in that process, I went through many articles on the internet, but none of them have gone in depth to bring it all together.
To implement cookieless sessions, you don't have to modify your programming model—a simple change in the web.config file does the trick. But with that can come uncovered scenario and you would end up spending considerable time fixing it up just like I did. So let's get started with what and how it has to be changed to make cookieless work for you with no issues.
Now let us go through the steps one by one:

Step 1: Adjust the web.config file

Interestingly enough, you don't have to change anything in your ASP.NET application to enable cookieless sessions, except the following configuration setting.

<sessionState cookieless="true" />                    
<authentication mode="Forms">                     
     <forms loginUrl="Login.aspx" protection="All" timeout="30" name=".ASPXAUTH" path="/" requireSSL="false" slidingExpiration="true"  defaultUrl="default.aspx"    cookieless="UseUri" enableCrossAppRedirects="true"/>                   
  </authentication>

Step 2: Adjust all of the URL navigations in aspx files

Be careful, the following code breaks the session:

<a runat="server" href="/test/page.aspx">Click</a>
To use absolute URLs, resort to a little trick that uses the ApplyAppPathModifier method on the HttpResponse class. The ApplyAppPathModifier method takes a string representing a URL and returns an absolute URL that embeds session information.

<a runat="server" href="<% =Response.ApplyAppPathModifier("page.aspx")%>"  >Click</a>

Step 3: Adjust all of the URL navigations in aspx.cs files

If the URL is set in the code, you need to do it in the following way:

this.Tab2.Url = Response.ApplyAppPathModifier("Page.aspx");

Step 4: Create HttpModule to rewrite your incoming URL for enabling cross domain posts


using System;
using System.Collections.Specialized;
using System.Web;
using System.Web.SessionState;
using System.IO;
using System.Text;
 
namespace CustomModule
{
  public sealed class CookielessPostFixModule : IHttpModule
  {
    public void Init (HttpApplication application)
    {
      application.EndRequest += new
                  EventHandler(this.Application_EndRequest);
    }
    private string ConstructPostRedirection(HttpRequest req,
                                            HttpResponse res)
    {
      StringBuilder build = new StringBuilder();
      build.Append(
  "<html>\n<body>\n<form name='Redirect' method='post' action='");
      build.Append(res.ApplyAppPathModifier(req.Url.PathAndQuery));
      build.Append("' id='Redirect' >");
      foreach (object obj in req.Form)
      {
        build.Append(string.Format(
  "\n<input type='hidden' name='{0}' value = '{1}'>",
          (string)obj,req.Form[(string)obj]));
      }
      build.Append(
  "\n<noscript><h2>Object moved <input type='submit'
                                       value='here'></h2>
                                       </noscript>");
      build.Append(@"</form>
      <script language='javascript'>
      <!--
      document.Redirect.submit();
      // -->
      </script>
      ");
      build.Append("</body></html>");
      return build.ToString();
    }
    private bool IsSessionAcquired
    {
      get
      {
        return (HttpContext.Current.Items["AspCookielessSession"]!=null && 
        HttpContext.Current.Items["AspCookielessSession"].ToString().Length>0);
      }
    }
    private string ConstructPathAndQuery(string[] segments)
    {
      StringBuilder build = new StringBuilder(); 
 
      for (int i=0;i<segments.Length;i++)
      {
        if (!segments[i].StartsWith("(") 
                 && !segments[i].EndsWith(")"))
          build.Append(segments[i]);
      }
      return build.ToString();
    }
    private bool IsCallingSelf(Uri referer,Uri newpage)
    {
      if(referer==null || newpage==null)
        return false;
      string refpathandquery = ConstructPathAndQuery(
                                        referer.Segments);
      return refpathandquery == newpage.PathAndQuery;
    }
    private bool ShouldRedirect
    {
      get
      {
        HttpRequest req = HttpContext.Current.Request;
 
        return (!IsSessionAcquired
                    && req.RequestType.ToUpper() == "POST"
          && !IsCallingSelf(req.UrlReferrer,req.Url));
      }
    }
    private void Application_EndRequest(Object source, EventArgs e)
    {
      HttpRequest req = HttpContext.Current.Request;
      HttpResponse res = HttpContext.Current.Response;
      if (!ShouldRedirect) return;
      res.ClearContent();
      res.ClearHeaders();
      res.Output.Flush();
      char[] chr = ConstructPostRedirection(req,res).ToCharArray();
      res.Write(chr,0,chr.Length);
    }
    public void Dispose()
    {}
  }
}
For the above to be effective, make the below change to your web config:

<httpModules>
   <add type="CookielessPostFixModule, OurModule"
              name="CookielessPostFixModule" />
 </httpModules>


Comments

Post a Comment

Popular posts from this blog

RabbitMQ setup and cluster configuration on a windows network

Image
  Queuing has been integral part of application architecture for quite sometime and therefore there are number of frameworks available to let you manage Queue/Bus. Queue as you may know is used when you have one node to process your message and Bus (Service Bus/Topic) is used when there is more than one node that needs to process the message. RabbitMQ is one of available framework along with MSMQ, Kafka, Azure Service Bus and etc. RabbitMQ is one of the most popular framework as it can be used to create highly available and fault tolerant cluster of nodes that hold the queue's and message's for processing. In the writeup we will try to install RabbitMQ cluster on couple of windows machines which can be easily translated to containerised application using docker. 1) To install docker visit RabbitMQ official  and download required file, once downloaded execute the exe and follow the wizard. You may be asked to install Erlang in the process as that is one of the primary requiremen
Read more

Gitflow using source tree

Image
In early 2010, Vincent Driessen wrote an article called   “A successful Git branching model”  which recommended an approach called  git-flow  to use git branches in your development cycle. The idea was to standardise branching and merging when developing features, handling releases and managing hot fixes, in order to be consistent and gain the advantages of git’s ‘branchy’ development model. Using many separate branches in Git gives you lots of flexibility, but it can get complex. Adopting a standardised approach has many advantages: ·         Keep your repository tidier ·         Keep your procedures clearer ·         Move between projects more easily with familiar branch structures ·         Get new developers up to speed more quickly SourceTree   now integrates with git-flow and presents it to you in a friendly and intuitive way. Summary of the concept The general idea of git-flow is to use the following branch structure in your repository: ·         Develop
Read more

Component analysis for application security

Image
If you are into writing software you probably follow security practices to keep your application secure. Since most of the platforms are now open source we consume a lot of open source components in our projects. It happened sometime back when a vulnerability was found in one of the popular components(log4j) and companies were clueless about the existence of any such issue as a result many kept running their software on the vulnerable version of log4j. You may not have been impacted or attacked for that matter but never know when it's your turn, is best to have protection against scenarios where components/license used in thrid party component becomes vulnerable/outdated. I recently stumbled upon  Dependency-Track  , it works in two parts:- Identify the list of components in your project, which is also called the SBOM (Software bill of material). CycloneDX can be installed with just a few commands to generate SBOM. Upload BOM to Dependency-Track using UI/API which then scans it aga
Read more

Analyse log using plug and play FileBeat

Image
ELK-B stack is one of the powerful frameworks for log analysis which helps to draw important business decisions and helps evolve ALM. There are few ways to inject data in Elasticsearch for analysis  Writing data using REST API    Using available frameworks(Serilog, NLog, etc) that have an abstraction layer and does all the REST calls behind the scene for you. While changing code is the most popular method but it may not be always possible/viable, also sometimes you do not have access to the environment and all you have is the log files in one format or another.  Filebeat is another powerful plugin in the ELK-B stack that can help you analyze logs without changing code, all you need to do is download FileBeat  and unzip the file. Once you have extracted the content open filebeat.yml and under  filebeat.inputs: of filebeat.yml   locate  paths:          paths maintains list of folders or docker path that will contain logs:-          paths:                   - C:\ProductService\logs\*   
Read more

Introduction to Blazor

Image
WebAssembly (abbreviated Wasm) is a binary instruction format for a stack-based virtual machine. Wasm is designed as a portable compilation target for programming languages, enabling deployment on the web for client and server applications. Blazor is new addition to .Net arsenal which is based on WebAssembly and using that enables developers to create web apps using C# and HTML, hence removing dependency on JavaScript framework like Angular/React and etc. If we are to compare blazor with ASP.NET MVC above would be content in .cshtml file which in this case becomes .razor file, code for MVC controller is also embedded in .blazor page for blazor applications. There are 2 main flavors of Blazor:- 1) Blazor web application. In this case application is hosted in IIS and only html travels to the client application for every action on the page client communicates back to the server with information of action on client side. Server version will then send back response back to the client which
Read more

What Interview Is/Is Not for an interviewer

After spending more than decade and having participated in hundreds of interviews, following is my list of what interview "Is" and "Is Not" from interviewers stand point. Interview Is:- Opportunity to meet someone with a set of experience in which they have learned their own ways of doing things and may help you learn something new. To learn what worked for them and what didn't, also the reason why it was success or failure for them. Which provides you free knowledge which can help you avoid your next failure and probably this is not documented and you would have failed. To help build a better work force, so energy invested today in interviewing will save you a lot in future. Interview Is Not:- To ask questions which may not be needed for the role. To ask questions which you can't answer yourself, In doing so you will never know if the person is right/wrong. You can ask such questions to see if they bluff or become impatient but not to test t
Read more

.NET MAUI and Blazor to create windows/web and mobile application (.NET 6.0)

Image
If you are a .NET developer you would know the following frameworks are generally used for development:- I can tell you from my personal experience that this is not an easy stack to master and something that I have struggled with time. While you can solve problems with the tech stack of windows and the web by using ElectronNET with ASP.NET Core or Blazor, the problem still persists for mobile applications. Now, what if told you that you can do all of the above by just using 1 framework along with Blazor, exciting isn't it. .NET MAUI does just that and saves you from a lot of trouble learning and managing various frameworks. What is .NET MAUI:- .NET Multi-platform App UI (.NET MAUI) is a cross-platform framework for creating native mobile and desktop apps with C# and XAML or Blazor. So if you know Blazor you can write a web app and SPA but when combined with .NET MAUI you can use your skillset to create and deploy the application on web/mobile/desktop. Framework stack now would look
Read more

Azure

Image
What is Azure Cloud:- Microsoft has been building highly scalable applications in datacenters around the world—applications that have global reach and high availability, and offer great functionality to users. Azure allows you to take advantage of the same infrastructure to deploy your own applications, with the corresponding capabilities to reduce your maintenance requirements, maximize performance and minimize costs. Though we know that cloud adds lot of value but that only happens when it is done right and hence we need have thought of  below before taking a call:- 1. Always plan for the long-term . It’s easy to be tempted by solutions that promise immediate benefit and what looks like the quickest route to the cloud.  While the PaaS (platform as a service) approach may appear more complex, the long-term benefits such as built-in elasticity, service healing, patch management, and so forth, make it a worthwhile investment that will pay dividends both on the technology and busi
Read more

WCAG Accessibility

When designing a website or web application we consider other aspects of UI/UX whereas we always forget to consider people with disability. Lets have a look at statistics of users with disability in USA. 19.9 million (8.2%) have difficulty lifting or grasping. This could, for example impact their use of a mouse or keyboard. 15.2 million (6.3%) have a cognitive, mental, or emotional impairment. 8.1 million (3.3%) have a vision impairment. These people might rely on a screen magnifier or a screen reader, or might have a form of color blindness. 7.6 million (3.1%) have a hearing impairment.  They might rely on transcripts and / or captions for audio and video media. If we look at above number large user base is having some sort of disability hence if application is designed with accessibility in mind it can bring in more user which would translate to success of the product/website. Also it is being made mandatory  by law for software applications to be designed as per accessibility standa
Read more

Clean Architecture

Image
 We have always heard and talked about N-Tier and N-Layer architecture along with SOLID and SOC, but as the size of application along with complexity has changed over a period of time do has application architecture. Also since teams have adopted agile, releases are much more frequent than they used to be a few years back. In the light of the changing landscape, it is important to structure your application design in a way to give best practices, manageable code, loosely coupled features/functionality, and the least possible change propagation into various layers of the application. Popular architecture:- Layered/N-Tiered architecture Monolithic architecture Microservices architecture Event-driven architecture Service-oriented architecture What is Clean Architecture:-     Clean architecture is another name for Onion architecture, it can be viewed as an onion that consists of various application layers, can be primarily divided into 2 parts i.e Core and Peripheral layers. In the below s
Read more