Help - Can I reuse existing session ID from email link?

I don't think you can do that.
Or at best, its more drama then its worth.
My approach would be:

generate a guid (System.Guid.NewGuid().ToString() )

Keep a table that maps this guid to a user.

Have a special page that handles these guid inputs.

www.myapp.com/EntryPoint/GuidTaker.aspx

When sending them a URL, do this
http://www.myapp.com/EntryPoint/Guid...eeeaaabbbcccdd
deee

Read the database, find the user, set their credentails, redirect them.

You might even have:
http://www.myapp.com/EntryPoint/Guid...=aaabbbcccddde
eeaaabbbcccdddeee

Where you have a few pages (like "aboutus" and it takes you to
"aboutus.aspx" or something like that).

Between the crossbrowser issue. And the fact that SessionID (I think) are
abandoned.....I don't think your approach is a good one.
You can add some logic to GuidTaker.aspx to track subsequent tries, if
they're trying an attack.

If security is an issue, then you can use 2 guids.
http://www.myapp.com/EntryPoint/Guid...eeeaaabbbcccdd
deee&checkuuid=eeefffeeeaaadddeeeecccdddeeebbbaaa& page=aboutus

The liklihood of guessing 2 guid's has to be out the roof.

You'll have to cleanup the table where you store the guid's and the userid
once in a while.

But this way, you can give the same user different entry points


"Nanker" <na****@sacbeemail.comwrote in message
news:11**********************@b28g2000cwb.googlegr oups.com...

Our existing ASP.NET web application does store a session ID in the
cookies (ASP.Net_SessionID) for a logged in user. A new requirement has
been stated that we need to be able to send a customer an email with a
link to a specific page in the application, and if the user clicks on
the email link while they are logged in to the application, they will
be taken to that page in the application without having to log in.
Given this:

- Is this possible to read the session ID from the cookie for the
active login and reuse it for this other request?
- Is it possible to do this within the specific browser with which they
are already logged in or will a separate browser have to be created?

I've been trying to read up on the best overall approach to this
problem, and I thought that asking here would provide good feedback.
Your response is appreciated.

Thanks in advance

You can read the value of the cookie and use it, for an example to
compare it to a value previously saved in the database. You can not use
the value as session id, though, the user will get a new session id as
it's a new session.

Nanker wrote:

Our existing ASP.NET web application does store a session ID in the
cookies (ASP.Net_SessionID) for a logged in user. A new requirement has
been stated that we need to be able to send a customer an email with a
link to a specific page in the application, and if the user clicks on
the email link while they are logged in to the application, they will
be taken to that page in the application without having to log in.
Given this:

- Is this possible to read the session ID from the cookie for the
active login and reuse it for this other request?
- Is it possible to do this within the specific browser with which they
are already logged in or will a separate browser have to be created?

I've been trying to read up on the best overall approach to this
problem, and I thought that asking here would provide good feedback.
Your response is appreciated.

Thanks in advance