None
0 Points
44 Posts
POST request in conjunction with cookieless session & logging in
Sep 23, 2014 10:08 AM | avarair
Hi All,
We have an ASP app that is configured to use cookieless sessions [URL format xyz.com/(SSID)/page.aspx]. We also use cookie sharing (Forms authentication) between some of our apps, and that works fine. Our customers, when not logged in, are typically redirected to the Login.aspx page of whatever app they work with. Then they can seamlessly navigate between any two apps.
Now we have started to get 3rd party customers who wish to auto-login to our app. They suggested posting to the login page (HTTP POST) their credentials plus some other information from their 3rd party app that we need to store. The problem we have now found is that when they do a POST request [QS param1=x, param2=y, FORM param3=t, param4=z] to our Login.aspx, IIS immediately sends a 302 redirect without preserving param3 and param4 from the form:
POST Login.aspx [QS param1=x, param2=y, FORM param3=t, param4=z]
302 GET /(NEW SSID)/Login.aspx [QS param1=x, param2=y]
Since some of the data (param3=t, param4=z) could be too large for a GET request, we need to find a way to preserve the POST while working with the cookieless IIS behavior.
Hope I laid out the info straightforwardly; we would appreciate any guidance.
Avarair
All-Star
20376 Points
6505 Posts
ASPInsiders
MVP
Re: POST request in conjunction with cookieless session & logging in
Sep 23, 2014 10:28 AM | BrockAllen
The first thing I'd suggest is to stop using cookieless session state, as it has security issues:
http://brockallen.com/2012/04/08/cookieless-session-considered-dangerous/
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
None
0 Points
44 Posts
Re: POST request in conjunction with cookieless session & logging in
Sep 23, 2014 10:43 AM | avarair
Thanks for the reply, but the decision whether or not to use cookies is not up to me...
All-Star
20376 Points
6505 Posts
ASPInsiders
MVP
Re: POST request in conjunction with cookieless session & logging in
Sep 23, 2014 10:46 AM | BrockAllen
I understand. But it's affecting you and the security of the app. It's something that might be worthwhile discussing with your group.
DevelopMentor | http://www.develop.com
thinktecture | http://www.thinktecture.com/
All-Star
57884 Points
15513 Posts
Re: POST request in conjunction with cookieless session & logging in
Sep 24, 2014 11:03 AM | bruce (sqlwork.com)
IIS is working correctly (the same redirect would happen with cookie sessions, only instead of a URL with a session id, a cookie header would be added). It's a bug in their client code: it should repost to the new URL, same as a browser would.
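An added illustration of the exchange in this thread, not code from the original posts or from ASP.NET: a constructed stand-in for the cookieless redirect (first request without a session segment gets a 302 to the same path under /(SSID)/, keeping only the query string), a naive client that follows the 302 with a GET and loses the form body, and a client that re-POSTs the same body to the Location URL and refuses to send credentials to a different host. The server mock, the /(SSID)/ id format and the parameter names are assumptions taken from the question.

```python
import re
import secrets
from urllib.parse import urlsplit, urlunsplit

# Constructed mock of the cookieless behaviour described above: a path with no
# session segment is answered with 302 to /(SSID)/<path>?<same query>; the
# form body is not carried over, exactly as the original poster observed.
SSID_RE = re.compile(r"^/\(([^/()]+)\)/")

def cookieless_server(method, url, form):
    parts = urlsplit(url)
    if SSID_RE.match(parts.path) is None:
        ssid = secrets.token_hex(8)  # constructed session id, not a real ASP.NET one
        new_path = "/(%s)%s" % (ssid, parts.path)
        location = urlunsplit((parts.scheme, parts.netloc, new_path, parts.query, ""))
        return 302, {"Location": location}, {}
    # Session segment present: the page runs and sees query fields plus, for a
    # POST, the form fields.
    received = dict(kv.split("=", 1) for kv in parts.query.split("&") if kv)
    if method == "POST":
        received.update(form)
    return 200, {}, received

def post_follow_as_get(url, form, send=cookieless_server):
    """The broken client: follows the 302 with a GET, so param3/param4 are lost."""
    status, headers, body = send("POST", url, form)
    if status == 302:
        status, headers, body = send("GET", headers["Location"], {})
    return status, body

def post_with_repost(url, form, send=cookieless_server, max_hops=3):
    """POST, and on 302 re-POST the same body to the Location URL (same host only)."""
    for _ in range(max_hops):
        status, headers, body = send("POST", url, form)
        if status != 302:
            return status, url, body
        next_url = headers["Location"]
        # Credentials must not be reposted to an unexpected host on a redirect.
        if urlsplit(next_url).netloc != urlsplit(url).netloc:
            raise ValueError("refusing to repost credentials to another host")
        url = next_url
    raise RuntimeError("too many redirects")
```

The second request lands on /(SSID)/Login.aspx with both the query string and the form body intact, which is the repost-to-the-new-URL behaviour the last reply describes.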