asp.net 1.1 no Cookie SessionID rewrite

Asp.net|cookie|session

The browser's session is identified by using a unique identifier stored in the SessionID property. The session ID enables the ASP.net application to associate a particular browser with the session data and information associated with the WEB server. The value of the session ID is transmitted through a cookie between the browser and the Web server, and is transmitted through a URL if no cookie session is specified.

ASP.net maintains a Cookie-free session state by automatically inserting a unique session ID into the page's URL. For example, the following URL has been ASP.net modified to include a unique session ID LIT3PY55T21Z5V55VLM25S55:

http://www.example.com/s (LIT3PY55T21Z5V55VLM25S55)/orderform.aspx

If a link containing no Cookie SessionID is shared by multiple browsers (possibly through a search engine or another program), this behavior can cause accidental sharing of session data. You can reduce the likelihood of multiple clients sharing session data by disabling the collection of Session identifiers. To do this, set the regenerateExpiredSessionId property of the sessionstate configuration element to true. In this way, a new session ID is generated when a Cookie-free session request is initiated using a session ID that has expired.
                                                                                                                                     --Excerpt from MSDN

. In NET2.0, we can change the generation mechanism and authentication method of the SessionID by rewriting the SessionIDManager class to prevent accidental sharing of session data (that is, multiple browsers are identified as the same session, share a conversation), and can be found in the. There are no classes in the NET1.1 that allow us to change the SessionID generation mechanism (encapsulated dead), but inspired by an article, we can process it after SessionID generation. The article is written by foreigners, because I have limited ability to read, I can not have time to see a large version of the eagle, directly under the code to see. Fortunately, the code is not much, the idea is very clear, probably understand his implementation of rewriting SessionID principle, I changed in the cookie-free session of the perfect implementation.

Related code

Using System;
Using System.Web;
Using System.Web.SessionState;
Using System.Web.Security;
Using System.Configuration;
Using System.Security.Cryptography;
Using System.Runtime.Serialization;
Using System.Globalization;
Using System.Text;

public class Securesessionmodule:ihttpmodule
{
private static string _validationkey = null;

public void Init (HttpApplication app)
{
if (_validationkey = null)
_validationkey = Getvalidationkey ();
App. Acquirerequeststate+=new EventHandler (app_acquirerequeststate);
}

void App_acquirerequeststate (Object sender, EventArgs e)
{
_validationkey=getvalidationkey ()//daily generate a key to improve security

HttpContext current = ((HttpApplication) sender). context;

To have the processed SessionID present in session["Asp.net_sessionid"]
String SessionID = GetSession (Current, "Asp.net_sessionid");

if (SessionID!= null)
{
if (SessionID. Length <= 24)
RedirectURL (current);

String id = SessionID. Substring (0, 24);
String mac1 = SessionID. Substring (24);

String MAC2 = Getsessionidmac (ID, current. Request.userhostaddress, current. Request.useragent, _validationkey);

           //User Client information changes, compared to failure
             if (string.compareordinal (MAC1, MAC2)!= 0)
             {
                 RedirectURL (current);
           }
       }
        Else
        {
             RedirectURL (current);
       }
   }

private void RedirectURL (HttpContext current)
{
redirect page to regenerate new SessionID
Current. Response.Redirect (current. Request.Url.ToString (), true);
}

private String Getvalidationkey ()
{
String key = DateTime.Now.ToShortDateString ();

Return key;
}

    private String GetSession (HttpContext current, string name)
    {
 & nbsp;      Object id = findsession (current. Session,name);
        if (id = = NULL)
        {
           //Encryption of User client information is stored in session to compare to
             id= Current. Session.sessionid+getsessionidmac (current. Session.SessionID, current. Request.userhostaddress,
                 Current. Request.useragent, _validationkey);
            Current. session[name]  = ID;
       }
        return ID. ToString ();
   }

Private Object Findsession (httpsessionstate session, string name)
{
return Session[name];
}

private string Getsessionidmac (string id, string IP, string agent, String key)
{
StringBuilder builder = new StringBuilder (ID, 512);
Builder. Append (IP);
Builder. Append (agent);

using (HMACSHA1 HMAC = new HMACSHA1 (Encoding.UTF8.GetBytes (key))
{
Return Convert.tobase64string (Hmac.computehash (
Encoding.UTF8.GetBytes (builder. ToString ()));
}
}
public void Dispose () {}
}

The related configuration is as follows:

<configuration>
<system.web>
<add name= "securesession" type= "Securesessionmodule,securesessionmodule"/>
</system.web>
</configuration>

After reading the code, you will know that the principle is that it is not possible to have the same IP computer clients simultaneously access a server, when the same sessionid, but their client information does not automatically redirect the latter access client to create a new session.

Unfortunately, in the application of WAP has a problem, because the client information does not have IP unique identity (mobile phone number information), so if the same type of mobile phone access can not distinguish, I do not know which person has no better solution, but also hope that the generous enlighten