3

Is it possible to use ASP.NET's session state with a URL like

http://myserver/somesite?sessionKey=thekey

The problem is that I have to write a site for client software which authenticates a user by a request like

http://myserver/somesite?user=xyz&passwd=xyz

The client then expects to get a session key as the result if the authentication was successful. This session key will then be used as a variable in the query as shown above. The client does not support cookies.

How can I implement this behavior by using ASP.NET MVC 4?

P.S.: I know it is absolutely not the way to go, but I am not in a position to change the client.

2
  • Trust me, you don't want your name attached to code that is so insecure. You have a responsibility as a developer to protect people's account information, especially when you consider the same credentials are often used across several sites. Commented Nov 7, 2012 at 16:46
  • The session key in URL is OK. The password is really very weird. Commented Nov 7, 2012 at 16:50

1 Answer

1

If I do understand you correctly, you could just try it, right?

(We already met it, and it was a pain for search engines)

<sessionState mode="InProc" timeout="5" cookieless="true" />

And I can say it is working. The URL generated instead of

"http://server/Product/en-GB/MyEntity"

is now:

"http://server/Product/(S(rxavnpuw05o3fmy3tjnuystr))/en-GB/MyEntity"


4 Comments

Yes, but the client will still try to access "http://server/Product/en-GB/MyEntity?sessionKey=(S(rxavnpuw05o3fmy3tjnuystr))"
The style in which the URL is generated is out of our hands. It is done before any MVC stuff is put in place. This is ASP.NET cookieless session handling. So, the ASP.NET sessions will always be preset to URL Routing, and evaluated before MVC starts to work.
This is the problem I am trying to solve, because the client expects to query the same address every time, except for the query variables.
I played with that so much... and it is not possible! OK, as far as I know. We needed to change it as well, because Google was storing the URL with the session cookie. But we did not succeed. But still, this is only my private experience.
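
An added example, not part of the original answer or its comments: ASP.NET lets an application replace the component that reads and writes the session ID by implementing `ISessionIDManager` and naming the class in the `sessionIDManagerType` attribute of `<sessionState>`. The sketch below takes the ID from the `sessionKey` query parameter used in the question; the class name, the `MyApp` namespace and the assembly name are hypothetical.

```csharp
using System.Web;
using System.Web.SessionState;

namespace MyApp // hypothetical namespace
{
    // Register in web.config (assembly name "MyApp" is an assumption):
    //   <sessionState mode="InProc" timeout="5"
    //       sessionIDManagerType="MyApp.QueryStringSessionIDManager, MyApp" />
    public class QueryStringSessionIDManager : ISessionIDManager
    {
        private const string KeyParam = "sessionKey"; // parameter name from the question
        // Reuse the built-in random ID generator and format check.
        private readonly SessionIDManager _builtin = new SessionIDManager();

        public void Initialize() { }

        public bool InitializeRequest(HttpContext context, bool suppressAutoDetectRedirect,
                                      out bool supportSessionIDReissue)
        {
            supportSessionIDReissue = false;
            return false; // never redirect: the client always calls the same address
        }

        public string GetSessionID(HttpContext context)
        {
            string id = context.Request.QueryString[KeyParam];
            // Returning null makes ASP.NET start a new session with a fresh ID.
            // Caveat: a well-formed ID the server never issued is still accepted and
            // starts an empty session under that ID, so only the login action may
            // mark a session as authenticated.
            return (id != null && Validate(id)) ? id : null;
        }

        public string CreateSessionID(HttpContext context)
        {
            return _builtin.CreateSessionID(context);
        }

        public void SaveSessionID(HttpContext context, string id,
                                  out bool redirected, out bool cookieAdded)
        {
            // Nothing to persist: no cookie and no URL rewrite.
            redirected = false;
            cookieAdded = false;
        }

        public void RemoveSessionID(HttpContext context) { }

        public bool Validate(string id) { return _builtin.Validate(id); }
    }
}
```

The login action can store the authenticated user in `Session` and return `Session.SessionID` as the response body for the client to send back as `sessionKey`. Because the key travels in the URL, it ends up wherever URLs are recorded (server and proxy logs, or a crawler index as the last comment describes), so keep the session timeout short.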
