asp cookieless session URL munger??

I have a small ASP site running, which uses Session Cookies to support
Session state.

I'm being asked to get rid of the dependancy on the availability of
session cookies.

I know there'd been an ISAPI filter around that would put the session
variable into the URL and links (what asp.net does to get cookieless
sessions), but can't find any mention of it right now (when I need it!).

1) Has anyone heard of this kind of add-on, and

2) Should I just bite the bullet and pass my own session id around keep
my own session data??

-- Thanks

re: asp cookieless session URL munger??

Hi Chris,

Thank you for using MSDN Newsgroup. I am Luke and I am review this issue
currently. From the description, you want remove the dependency on session
cookies in your ASP application.

ASP Session is cookies based. If we use ASP Session object, the browser
must be configured to receive cookies. Without cookies, we have to create
customized components to contro the session. A ways is as you state: ISAPI
filter. I remmeber the IIS 4.0 Resource Kit provided a similar feature. It
was implemented as an ISAPI filter that could modify the incoming and
outgoing byte stream to write and read the necessary information. For later
version of IIS, we may need to resort some third party products.

Another way to pass session ID without cookie is with hidden iput field.
You may refer to following article:

http://www.tizac.com/tzsessions/

Hope this help,

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no

rights.)

re: asp cookieless session URL munger??

The filter was called Cookie Munger. As I understand it, it did work but had
several drawbacks.

1. performance
The way it worked was to scan outgoing HTML content for links to ASP pages
and modify them to include the session cookie as part of the URL. On
incoming requests the URL was examined and the session cookie was added back
to the HTTP header. Incoming was not to bad but outgoing meant that every
page had to be parsed.

2. might not get every link
If you used JavaScript code to redirect the browser anywhere (as in
self.location=...) then you would not get a session cookie.

--
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com


"Chris" <chris@hicom.net> wrote in message
news:kNnNb.39679$G04.9592002@news4.srv.hcvlny.cv.n et...[color=blue]
> I have a small ASP site running, which uses Session Cookies to support
> Session state.
>
> I'm being asked to get rid of the dependancy on the availability of
> session cookies.
>
> I know there'd been an ISAPI filter around that would put the session
> variable into the URL and links (what asp.net does to get cookieless
> sessions), but can't find any mention of it right now (when I need it!).
>
> 1) Has anyone heard of this kind of add-on, and
>
> 2) Should I just bite the bullet and pass my own session id around keep
> my own session data??
>
> -- Thanks[/color]