
  1. #1
    Ext JS Premium Member westy's Avatar
    Join Date
    Feb 2009
    Location
    Bath, UK
    Posts
    835
    Vote Rating
    38

    Ext.Direct and HTTP sessions


    Hi,

    I hope I'm going mad, but I suspect not.

    I'm calling Ext.Direct methods, and getting different session ids each time!

    Using IIS7, and a tweaked version of Evan's Ext.Direct router.
    Each action class implements IReadOnlySessionState.

    Server-side (simplified):
    Code:
    [DirectAction()]
    public class MyHandler : DirectHandler, IReadOnlySessionState
    {
        [DirectMethod("getSessionId")]
        public string GetSessionId()
        {
            return HttpContext.Current.Session.SessionID;
        }
    }
    Client-side:
    Code:
                var repeatCount = 20;
    
                var func = function(counter) {
                    MyHandler.getSessionId(
                        function(response, e) {
                            if (e.status) {
                                me.update(Ext.String.format('{0}<br/>SessionId{1}: {2}', me.html, counter, Ext.isEmpty(response) ? '<empty>' : response));
                            } else {
                                me.update(Ext.String.format('{0}<br/>Exception{1}: {2}', me.html, counter, e.message));
                            }
    
                            if (counter < repeatCount) {
                                func(++counter);
                            }
                        }
                    );
                }
    
                func(1);
    Output:
    Code:
    SessionId1: rbfqlb55iyowcp45oly11w55
    SessionId2: cy0gwvu0sivxax555jochdfm
    SessionId3: mmxizyia2crhla45aowtf4ft
    SessionId4: y5lqv345m2fanp554v0batrf
    SessionId5: cshgms5503i4hs55yzi0t155
    SessionId6: zwmaxfjvu2qkueuxpds1bem4
    SessionId7: vxwh2dynkdwpkeyt3e5j4y45
    SessionId8: omsbawv042eju155ebt2gr2i
    SessionId9: dsa31dz5eys2gd45qrmtmn55
    SessionId10: 3ac1lv55te0odk55ii0poz45
    SessionId11: sekf1w452rzbq52zji4hrn45
    SessionId12: trabhsugqt3rsf55w55arn2s
    SessionId13: z4tk1y3wiqonftejpa0nddri
    SessionId14: cq1vqaznudfclq553q10syq1
    SessionId15: ksylrcawjx23j3555es3qrnq
    SessionId16: oiju1h452uywvy45cecju245
    SessionId17: lkfljwnk0rvgt52f1ikemorm
    SessionId18: a453sinrbasaws55yiwbc545
    SessionId19: fghs0p55zymu1vywh4vg5a55
    SessionId20: j0sa05efxicc40bo3qwoyl2y
    Am I missing something?

    Please help, session data is crucial to our authentication mechanism!

    Cheers,
    Westy

  2. #2
    Ext JS Premium Member westy's Avatar

    Hmm, from extensive googling it seems that all calls to an IHttpHandler get a new session.

    There must be a way around this!

  3. #3
    Ext JS Premium Member westy's Avatar

    Can't help think that it's something to do with the ASP.NET_SessionId cookie.

    Does Ext store the session id returned by the server, and pass it back in with subsequent requests?

    Does the same thing happen with standard Ajax requests (that'll be my next test I think)?
    It certainly didn't when I used Ext 2 and standard HTTP post/get asmx web services or JayRock services.

  4. #4
    Ext JS Premium Member westy's Avatar

    Seems that response cookie is set to pass back the aspnet session but something is then stripping it.
    I'll keep looking...

  5. #5
    Ext JS Premium Member westy's Avatar

    Sorted it, eventually.

    Went through process of creating my own cookies, verifying they work, using them to restore my session etc.

    Lots of head scratching and experimentation later and I've come to the conclusion that the IReadOnlySessionState implementation is bugged, you need to use IRequiresSessionState if you require a persistent session id.

    Odd, because sure that was one of the first things I tried...

    Oh, also spotted that if you have an IIS application within another one you cannot change the stateServer settings in the child.

    Hope this helps someone else, since has been doing my head in

    Cheers,
    Westy

  6. #6
    Ext JS Premium Member westy's Avatar

    LOL, just broke it again whilst preparing to check-in!

    It seems that if you have no Global.asax for your web service project (even an empty one) then the session cookie is not sent back.

    Grrr!

    PS: Heh, damn caching. You also have to write something to session data in Session_Start, e.g. HttpContext.Current.Session[Guid.NewGuid().ToString()] = 0;

  7. #7
    Sencha User steffenk's Avatar
    Join Date
    Jul 2007
    Location
    Haan, Germany
    Posts
    2,656
    Vote Rating
    6


    while you're discussing with yourself i still don't get the purpose of the session thingy inside the calls.
    I use session handling in BE application, but you're talking of the cookie transferred with the call?
    vg Steffen
    --------------------------------------
    Release Manager of TYPO3 4.5

  8. #8
    Ext JS Premium Member westy's Avatar

    Haha, yeah, this is kind of like my own private blog at times

    The point is that I use the session id to look up an authentication token in a database. I need the session id to persist between calls to avoid the user having to authenticate for every call made.

    The way ASP.Net handles sessions is to send a cookie in the initial response, which is echoed back to the server on subsequent calls so the session can be restored. Each hit extends the life of the session.

    I've got it working fine now, and as I say I only need the session id itself. I don't need to store anything in session data, and always think that the need to do so indicates a flawed design somewhat.

    Thanks for chipping in

    Westy

  9. #9
    Sencha User steffenk's Avatar

    Westy, i think this is dangerous, i never would rely on this. It gives a possible attacker the possibility to use this id to hack in without auth.

    i have the same problem in TYPO3 where each request is expensive because of the auth process (each request does a complete init process of the BE). We additionally used ExtDirect to use a securityToken with CSRF to ensure no one can catch the session. The token itself gets stored in the user session.

    For ExtJS we generate one token per instance and render it as variable. This token has to be added to each request and this validates.
    Again i never would use it for auth
    vg Steffen
    --------------------------------------
    Release Manager of TYPO3 4.5
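
The per-session request token described in post #9, as an added example that is not part of the thread and is not TYPO3, Ext JS or ASP.NET code: a server-side gate that accepts a remote call only when the session cookie and the token rendered into the page both match. The in-memory store, the cookie name `sid` and the header name `x-csrf-token` are assumptions made for the illustration.

```javascript
// Added example: server-side check of a per-session anti-CSRF token.
// The store, cookie name "sid" and header "x-csrf-token" are assumptions.
const crypto = require('crypto');

const sessions = new Map(); // sessionId -> { csrfToken }

// Called once after login: the session id goes into the cookie, the CSRF
// token is rendered into the page as a variable for the client to send back.
function startSession() {
  const sessionId = crypto.randomBytes(16).toString('hex');
  const csrfToken = crypto.randomBytes(32).toString('hex');
  sessions.set(sessionId, { csrfToken });
  return { sessionId, csrfToken };
}

// Constant-time comparison; a length mismatch is rejected up front.
function tokensMatch(sent, expected) {
  const a = Buffer.from(sent, 'utf8');
  const b = Buffer.from(expected, 'utf8');
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Gate for every remote call: the cookie identifies the session, the token
// proves the request was built by the page that session rendered.
function checkDirectRequest(req) {
  const session = sessions.get((req.cookies || {}).sid);
  if (!session) return { ok: false, reason: 'no-session' };
  const sent = (req.headers || {})['x-csrf-token'];
  if (typeof sent !== 'string' || !tokensMatch(sent, session.csrfToken)) {
    return { ok: false, reason: 'bad-token' };
  }
  return { ok: true, reason: null };
}

// Constructed requests: same session cookie, with and without the token.
function demo() {
  const alice = startSession();
  const bob = startSession();
  const cookies = { sid: alice.sessionId };
  return {
    sameOrigin: checkDirectRequest({ cookies, headers: { 'x-csrf-token': alice.csrfToken } }),
    cookieOnly: checkDirectRequest({ cookies, headers: {} }),
    wrongToken: checkDirectRequest({ cookies, headers: { 'x-csrf-token': bob.csrfToken } }),
    unknownSid: checkDirectRequest({ cookies: { sid: 'not-a-session' }, headers: {} }),
  };
}
```

The `cookieOnly` case is the one the token exists for: the browser attaches the session cookie automatically, so a request that carries only the cookie is rejected.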

  10. #10
    Ext JS Premium Member westy's Avatar

    I don't intend on going into the complete detail of our authentication mechanism; suffice to say it's very much like Kerberos, with multiple short-lived tokens that are exchanged over HTTPS; one to prove who the user is, and another to get access to a service given a valid user token.

    It is very unlikely anyone could steal a user's session given that they'd need the session id and IP.

    Thanks again for your input.


    PS: I also believe ASP.Net has protection around its session, meaning they are bound to the caller.
