Re: Access session of another user SOLVED



Walter,

Thanks for your suggestion. However, as I was short of time and don't know anything about Profiles, I found a quick alternative solution:

It seems you can access an arbitrary session if you put their session ID in the URL - even if cookieless sessions are disabled in web.config (to me this seems like a massive security hole and cookieless session URLs should NOT work if it's been disabled in web.config, but at the moment, I'm not complaining as it really helps me out).

Below are details of exactly how I fixed the problem in case there are others with the same issue finding this thread. (This solution is for WorldPay but might work with other payment providers who support dynamic callback URLs.)

You make the callback page URL dynamic. You pass the asp.net session ID to the payment provider in a custom variable:

<input type="hidden" name="MC_callback" id="MC_callback" runat="server">
Then set it to Session.SessionID.ToString() in codebehind.

Then in Worldpay, you configure your callback to embed the session ID in the URL:

http://w.com/(S(<WPDISPLAY ITEM=MC_callback>))/callback.aspx

The /(S(<blah>))/ syntax tells .NET that that's your ASP.NET session ID (cookieless). This seems to work even if cookieless session IDs are disabled in web.config - which is handy.

That means your callback page executes within the user's current context and therefore has access to their session and shopping basket.

You can then clear their basket from the codebehind of this page if their purchase was successful.

However, I'm going to implement your solution in my next e-commerce site as it seems a nicer way to solve the problem.

Thanks!

Nick...
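
The post above depends on ASP.NET taking a session ID from the /(S(...))/ path segment. As an added example (not part of the original post), this Python script scans web server log lines for session IDs carried in the URL and reports any that arrive from an address other than the payment provider's callback servers. The log layout, the sample lines, the IP addresses and the function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the cookieless path segment described in the post, e.g. /(S(<id>))/.
# Other single-letter tokens such as A(...) may share the same segment.
COOKIELESS = re.compile(
    r"/\((?:[A-Z]\([^()]*\))*?S\(([A-Za-z0-9]+)\)(?:[A-Z]\([^()]*\))*\)/"
)

# Constructed sample lines: date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2024-01-05 10:00:01 192.0.2.10 GET /basket.aspx 200
2024-01-05 10:02:17 198.51.100.7 POST /(S(abcdefghijklmnopqrstuvwx))/callback.aspx 200
2024-01-05 10:05:40 203.0.113.99 GET /(S(abcdefghijklmnopqrstuvwx))/basket.aspx 200
2024-01-05 10:06:02 192.0.2.44 GET /(A(xyz)S(zyxwvutsrqponmlkjihgfedc))/default.aspx 200
"""


def url_session_ids(log_text):
    """Map each session ID found in a request path to the client IPs that sent it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 6:
            continue  # skip W3C header lines and malformed rows
        client_ip, path = fields[2], fields[4]
        match = COOKIELESS.search(path)
        if match:
            seen[match.group(1)].add(client_ip)
    return dict(seen)


def unexpected_url_sessions(seen, callback_ips):
    """Keep only session IDs presented in a URL by clients outside callback_ips."""
    flagged = {}
    for session_id, ips in seen.items():
        outsiders = ips - set(callback_ips)
        if outsiders:
            flagged[session_id] = outsiders
    return flagged


if __name__ == "__main__":
    # 198.51.100.7 stands in for the payment provider's callback server (assumed).
    hits = unexpected_url_sessions(url_session_ids(SAMPLE_LOG), {"198.51.100.7"})
    for session_id, ips in sorted(hits.items()):
        print(session_id, "presented in URL by", ", ".join(sorted(ips)))
```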