Firstly, please don’t dismiss this question – I’m aware it’s an ugly situation but hey, real life isn’t pretty.
I’m developing an extra section to a web app that’s written in asp.net, but in php – it’s mostly done (the two parts don’t really communicate with each other outside of a database – the integration is mostly just cosmetic.)
The only issue I have is detecting from the php part when the .net session has expired so that it logs the user out and redirects to the login page.
I believe the asp.net application is compiled, but either way I’m not allowed to alter it so I was thinking maybe the best thing to do would be to make a very small/simple aspx page that outputs true or false which I could call using curl from php (and passing the browser’s cookies along.)
Would this even be possible? I’m not sure how session security works on asp.net eg whether one .net application can read another’s session variables, but if it’s anything like php then it’ll be possible.
mypage.php --curl--> checksession.aspx --|
| |
<----------- true / false <---------------
So mypage issues a GET (with cookies from browser) to checksession using curl, checksession simply returns a true or false (or something like that) and mypage redirects to the site’s login page if that’s false.
The authentication for the php side is already sorted out and is separate to this issue.
So really, what I need to know is can I have just a simple .aspx file that does this check, and if so where would I go to to find out how to program such a simple page? If it’s just a line or three, please could you let me know what those lines would be (I’m sorry I’ve never done any .net stuff..)
If this isn’t possible, then if you don’t mind, could you provide some alternative solutions? Thanks!
— EDIT —
After spending most of the day with this problem, I’m now thinking that using php at all to get around this is a bad idea. There’s actually two levels of authentication involved (one is normal HTTP request/response login type thing, then there’s the .net session) – on top of that I totally missed the point that obviously these sessions are almost certainly going to be backed up by the IP of the users browser which I’d have to spoof or something coming from curl as that’ll be running on the server.
So I think I’m going to use jQuery somewhere in the header of my page to check and redirect as required…somehow :/
— EDIT 2 —
Ok, so the javascript way has suited my needs pretty well – obviously it’s not a secure way of doing things, but fortunately in this case it’s ok as this is just an app used on the intranet (and the shoddy way they authenticate users is terrible anyway.)
There are multiple ways here. First of all, the cookies alone won’t do much, because the session can be expired in ASP.net even though the Cookie is still alive.
ASP.net supports multiple SessionStates, of which two are common:
Scenario 2 is your best bet, because you can just read the session id from the cookie and query the SQL Server database for the session info.
in Scenario 1, your approach is the correct one: You need help from the ASP.net Application, which can be a .aspx page. Make a request from PHP passing in the session cookie and check Session.SessionID and Session.IsNewSession to make sure the ID Matches and IsNewSession should be false – otherwise, ASP.net just recreated a new Session.
You may have to interact with the Session from the ASP.net page to activate it (
Session["PingFromPHP"] = true) which may interfere with the ASP.net Application if your key (the name in the []-brackets) has the same name.If the ASP.net Application is compiled, put the .aspx.cs file that serves as the code behind into a folder named App_Code, this should allow you to run it.
Hope that gets you started.