Thursday, March 15, 2007

Interested in server-side session state?

I've been trying to make my Flex-based client end up in the same server-side session upon each HttpService request.

Each request to a session-enabled ASP.NET page returns a cookie with the session id. By sending this ASP.NET_SessionId cookie back upon each request you can benefit from the session support built into ASP.NET.

There's one problem however: there doesn't seem to be a way to get the cookie information after an HttpService request... This is not going to stop us of course :)

The solution is easy:

- Create an ASP.NET page that returns the session id (in the 'normal' page output)
    using System;

    public partial class Login : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            // Discard any buffered output and return only the session id as the page body
            Response.Clear();
            Response.Write(Session.SessionID);
            Response.End();
        }
    }

- Store the session id in your Flex application for re-use
    ...
    // Session id returned by the Login page, kept for later requests
    var sessionCookie:String;

    private function loginRequestHandler(event:ResultEvent):void
    {
        sessionCookie = event.result.toString();
    }
    ...

- Re-use the cookie information with each new request:
    ...
    userRequest.headers = "Cookie: ASP.NET_SessionId=" + sessionCookie;
    userRequest.send();
    ...
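
A variant of the Login page from the first step, added here as an example and not code from the original post. Because the session id travels in the response body and is all a client needs to join the session, this version refuses plain HTTP, marks the response as non-cacheable, and stores a value in Session so that ASP.NET keeps the same id on later requests. The `issuedUtc` key and the 403 response are assumptions made for the illustration.

```csharp
using System;
using System.Web;

public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The body will contain the session id, which is the only credential
        // the client presents afterwards. Do not send it over plain HTTP.
        if (!Request.IsSecureConnection)
        {
            Response.StatusCode = 403;   // assumption: reject instead of redirecting
            Response.End();              // ends the request; nothing below runs
        }

        // With cookie-based session state, ASP.NET generates a new session id
        // on every request until something is stored in the session.
        // Storing a value fixes the id that is about to be returned.
        // "issuedUtc" is a hypothetical key chosen for this example.
        Session["issuedUtc"] = DateTime.UtcNow;

        Response.Clear();
        Response.ContentType = "text/plain";

        // The id is in the page output, so keep browsers and intermediaries
        // from storing the response.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();

        Response.Write(Session.SessionID);
        Response.End();
    }
}
```

The Flex side is unchanged: it still reads the id from the result and sends it back in the Cookie header.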

4 comments:

Unknown said...

Hey Ria,

My Flex application consumes a stateful .NET webservice which uses Session.

I saw your post on HTTPService header being set with the cookie ASP.NET_SessionId. I tried to do the same with the Webservice.headers. But it seems like Webservice.headers is a read-only property. Do you know any workaround for this?

I also tried

    var qName:QName = new QName("https://tollynation.com","Cookie:ASP.NET_SessionId");
    var header:SOAPHeader = new SOAPHeader(qName,sessionCookie);
    sendService.addHeader(header);

The above doesn't seem to take me anywhere.

Please let me know your inputs on this.

Thanks,
Kiran.

Anonymous said...

I have some security concerns about this approach. Basically what this means is anyone could spoof a session state. Probably not a great idea for most web apps.

Palmero Tom said...

It's not safer or unsafer than any other session enabled web application.

Unknown said...

Has anyone successfully done this? Kiran, did you solve your problem? I'm facing the exact same.