-
1 Apr 2011 3:43 AM #1
Ext.Direct and HTTP sessions
Hi,
I hope I'm going mad, but I suspect not.
I'm calling Ext.Direct methods, and getting different session ids each time!
Using IIS7, and a tweaked version of Evan's Ext.Direct router.
Each action class implements IReadOnlySessionState.
Server-side (simplified):
Code:
using System.Web;
using System.Web.SessionState;

[DirectAction()]
public class MyHandler : DirectHandler, IReadOnlySessionState
{
    // Returns the id of the ASP.NET session for the current request
    [DirectMethod("getSessionId")]
    public string GetSessionId()
    {
        return HttpContext.Current.Session.SessionID;
    }
}
Client-side:
Code:
// Runs inside an Ext component (e.g. a Panel), so 'me' refers to that component
var me = this;
var repeatCount = 20;
var func = function(counter) {
    MyHandler.getSessionId(function(response, e) {
        if (e.status) {
            me.update(Ext.String.format('{0}<br/>SessionId{1}: {2}', me.html, counter, Ext.isEmpty(response) ? '<empty>' : response));
        } else {
            me.update(Ext.String.format('{0}<br/>Exception{1}: {2}', me.html, counter, e.message));
        }
        // Issue the next call only after this one has returned
        if (counter < repeatCount) {
            func(++counter);
        }
    });
};
func(1);
Output:
Code:
SessionId1: rbfqlb55iyowcp45oly11w55
SessionId2: cy0gwvu0sivxax555jochdfm
SessionId3: mmxizyia2crhla45aowtf4ft
SessionId4: y5lqv345m2fanp554v0batrf
SessionId5: cshgms5503i4hs55yzi0t155
SessionId6: zwmaxfjvu2qkueuxpds1bem4
SessionId7: vxwh2dynkdwpkeyt3e5j4y45
SessionId8: omsbawv042eju155ebt2gr2i
SessionId9: dsa31dz5eys2gd45qrmtmn55
SessionId10: 3ac1lv55te0odk55ii0poz45
SessionId11: sekf1w452rzbq52zji4hrn45
SessionId12: trabhsugqt3rsf55w55arn2s
SessionId13: z4tk1y3wiqonftejpa0nddri
SessionId14: cq1vqaznudfclq553q10syq1
SessionId15: ksylrcawjx23j3555es3qrnq
SessionId16: oiju1h452uywvy45cecju245
SessionId17: lkfljwnk0rvgt52f1ikemorm
SessionId18: a453sinrbasaws55yiwbc545
SessionId19: fghs0p55zymu1vywh4vg5a55
SessionId20: j0sa05efxicc40bo3qwoyl2y
Am I missing something?
Please help, session data is crucial to our authentication mechanism!
Cheers,
Westy
-
1 Apr 2011 7:06 AM #2
Hmm, from extensive googling it seems that all calls to an IHttpHandler get a new session.
There must be a way around this!
-
1 Apr 2011 8:36 AM #3
Can't help think that it's something to do with the ASP.NET_SessionId cookie.
Does Ext store the session id returned by the server, and pass it back in with subsequent requests?
Does the same thing happen with standard Ajax requests (that'll be my next test I think)?
It certainly didn't when I used Ext 2 and standard HTTP post/get asmx web services or JayRock services.
-
1 Apr 2011 9:59 AM #4
Seems that the response cookie is set to pass back the ASP.NET session, but something is then stripping it.
I'll keep looking...
-
4 Apr 2011 2:44 AM #5
Sorted it, eventually.
Went through process of creating my own cookies, verifying they work, using them to restore my session etc.
Lots of head scratching and experimentation later, I've come to the conclusion that the IReadOnlySessionState implementation is bugged; you need to use IRequiresSessionState if you require a persistent session id.
Odd, because I'm sure that was one of the first things I tried...
Oh, also spotted that if you have an IIS application within another one you cannot change the stateServer settings in the child.
Hope this helps someone else, since it has been doing my head in.
Cheers,
Westy
-
4 Apr 2011 2:51 AM #6
LOL, just broke it again whilst preparing to check-in!
It seems that if you have no Global.asax for your web service project (even an empty one) then the session cookie is not sent back.
Grrr!
PS: Heh, damn caching. You also have to write something to session data in Session_Start, e.g. HttpContext.Current.Session[Guid.NewGuid().ToString()] = 0;
-
4 Apr 2011 6:04 AM #7
While you're discussing with yourself:
I still don't get the purpose of the session thingy inside the calls.
I use session handling in the BE application, but you're talking of the cookie transferred with the call?
vg Steffen
--------------------------------------
Release Manager of TYPO3 4.5
energlobe.de - german online magazine
-
4 Apr 2011 6:28 AM #8
Haha, yeah, this is kind of like my own private blog at times

The point is that I use the session id to look up an authentication token in a database. I need the session id to persist between calls to avoid the user having to authenticate for every call made.
The way ASP.Net handles sessions is to send a cookie in the initial response, which is echoed back to the server on subsequent calls so the session can be restored. Each hit extends the life of the session.
I've got it working fine now, and as I say I only need the session id itself. I don't need to store anything in session data, and always think that the need to do so indicates a flawed design somewhat.
Thanks for chipping in
Westy
-
4 Apr 2011 6:41 AM #9
Westy, I think this is dangerous; I never would rely on this. It gives a possible attacker the possibility to use these ids to hack in without auth.
I have the same problem in TYPO3, where each request is expensive because of the auth process (each request does a complete init process of the BE). We additionally used ExtDirect to use a securityToken with CSRF to ensure no one can catch the session. The token itself gets stored in the user session.
For ExtJS we generate one token per instance and render it as a variable. This token has to be added to each request, and this validates it.
Again, I never would use it for auth.
vg Steffen
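An added example (not Westy's or Steffen's code) that puts posts #6 and #9 together: a Global.asax Session_Start that writes to session so the ASP.NET_SessionId cookie is issued, and the thread's action class switched to IRequiresSessionState with a per-session anti-CSRF token checked on every call. DirectAction, DirectMethod and DirectHandler are the router types named in the thread; the X-CSRF-Token header name and the Global class name are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;

// Global.asax code-behind. Session_Start must exist and must write to the
// session, or ASP.NET never issues the ASP.NET_SessionId cookie (post #6).
public class Global : HttpApplication
{
    public const string TokenKey = "CsrfToken";
    protected void Session_Start(object sender, EventArgs e)
    {
        // The write persists the session; the value is a per-session
        // anti-CSRF token that the page renders into a JS variable (post #9).
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        Session[TokenKey] = Convert.ToBase64String(bytes);
    }
}

// Ext.Direct action class from the thread, with IRequiresSessionState (not
// IReadOnlySessionState) so the session id persists, and a token check on
// every method. The header name is an assumption for this example.
[DirectAction()]
public class MyHandler : DirectHandler, IRequiresSessionState
{
    private const string TokenHeader = "X-CSRF-Token";
    [DirectMethod("getSessionId")]
    public string GetSessionId()
    {
        RequireValidToken(HttpContext.Current);
        return HttpContext.Current.Session.SessionID;
    }
    private static void RequireValidToken(HttpContext ctx)
    {
        var expected = ctx.Session[Global.TokenKey] as string;
        var supplied = ctx.Request.Headers[TokenHeader];
        if (expected == null || supplied == null || !FixedTimeEquals(expected, supplied))
            throw new HttpException(403, "Missing or invalid anti-CSRF token");
    }
    // Constant-time comparison (token length is fixed) so the check does
    // not leak the token through timing differences.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        var diff = 0;
        for (var i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

The client side attaches the rendered token to every Ext.Direct request, for instance through Ext.Ajax.defaultHeaders, which is the page-side step Steffen describes.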
-
4 Apr 2011 7:05 AM #10
I don't intend on going into the complete detail of our authentication mechanism; suffice to say it's very much like Kerberos, with multiple short-lived tokens that are exchanged over HTTPS: one to prove who the user is, and another to get access to a service given a valid user token.
It is very unlikely anyone could steal a user's session given that they'd need the session id and IP.
Thanks again for your input.
PS: I also believe ASP.Net has protection around its session, meaning they are bound to the caller.