Detecting an expired asp.net session from php

Question

Firstly, please don't dismiss this question - I'm aware it's an ugly situation but hey, real life isn't pretty.

I'm developing an extra section to a web app that's written in asp.net, but in php - it's mostly done (the two parts don't really communicate with each other outside of a database - the integration is mostly just cosmetic.)

The only issue I have is detecting from the php part when the .net session has expired so that it logs the user out and redirects to the login page.

I believe the asp.net application is compiled, but either way I'm not allowed to alter it so I was thinking maybe the best thing to do would be to make a very small/simple aspx page that outputs true or false which I could call using curl from php (and passing the browser's cookies along.)

Would this even be possible? I'm not sure how session security works on asp.net eg whether one .net application can read another's session variables, but if it's anything like php then it'll be possible.

mypage.php --curl--> checksession.aspx --|
|                                        |
<----------- true / false <---------------

So mypage issues a GET (with cookies from browser) to checksession using curl, checksession simply returns a true or false (or something like that) and mypage redirects to the site's login page if that's false.

The authentication for the php side is already sorted out and is separate to this issue.

So really, what I need to know is can I have just a simple .aspx file that does this check, and if so where would I go to to find out how to program such a simple page? If it's just a line or three, please could you let me know what those lines would be (I'm sorry I've never done any .net stuff..)

If this isn't possible, then if you don't mind, could you provide some alternative solutions? Thanks!

-- EDIT --

After spending most of the day with this problem, I'm now thinking that using php at all to get around this is a bad idea. There's actually two levels of authentication involved (one is normal HTTP request/response login type thing, then there's the .net session) - on top of that I totally missed the point that obviously these sessions are almost certainly going to be backed up by the IP of the users browser which I'd have to spoof or something coming from curl as that'll be running on the server.

So I think I'm going to use jQuery somewhere in the header of my page to check and redirect as required...somehow :/

-- EDIT 2 -- Ok, so the javascript way has suited my needs pretty well - obviously it's not a secure way of doing things, but fortunately in this case it's ok as this is just an app used on the intranet (and the shoddy way they authenticate users is terrible anyway.)

Answer 1

There are multiple ways here. First of all, the cookies alone won't do much, because the session can be expired in ASP.net even though the Cookie is still alive.

ASP.net supports multiple SessionStates , of which two are common:

1. In Process - here, the Web Server (Usually IIS) holds all Sessions in memory. If the IIS Service is restarted (Happens by default every 24 hours, not just when the system restarts!), All Sessions are wiped (that's why the cookie alone does not help). This scenario is default I believe and thus very common in single-server environments
2. SQL Server - here, the session data is stored in a SQL Server database. This isn't used that often though.
3. State Server. This seems really uncommon, so I'm omitting it.

Scenario 2 is your best bet, because you can just read the session id from the cookie and query the SQL Server database for the session info.

in Scenario 1, your approach is the correct one: You need help from the ASP.net Application, which can be a .aspx page. Make a request from PHP passing in the session cookie and check Session.SessionID and Session.IsNewSession to make sure the ID Matches and IsNewSession should be false - otherwise, ASP.net just recreated a new Session.

You may have to interact with the Session from the ASP.net page to activate it ( Session["PingFromPHP"] = true ) which may interfere with the ASP.net Application if your key (the name in the []-brackets) has the same name.

If the ASP.net Application is compiled, put the .aspx.cs file that serves as the code behind into a folder named App_Code , this should allow you to run it.

Hope that gets you started.

Answer 2

我不知道php，但是如果两个应用程序都在同一个域中，则您应该能够读取ASP.Net会话cookie并确定它是否已过期。因为cookie会出现在域中，而不是使用它的Web应用程序中，所以浏览器一定会随请求提供cookie。

Answer 3

This maybe isn't the right answer to this question.. but I found a fairly easy (slightly ugly) fix which was a bit of luck really..

I created a page called checksession.aspx and asp.net (or the iis app) automatically redirected that page to the login page if the session had expired. Using this with curl I can now just check whether I get a 302 redirect and if so I know that the session has expired.

Woot :)