swe*_*ver 12 iis cookies session iis-6 asp-classic
我有一个经典的asp页面的问题,我从3天后就无法解决它.
该页面正在使用Sessions - 有时会发生ASPSESSIONID cookie在Request.ServerVariables("HTTP_COOKIE")中设置两次.这会导致ASP页面在刷新页面时在两个Sessions之间跳转.
我编写了一个测试页面,输出当前的SessionId,服务器软件和HTTP_COOKIE值.
样本输出:
会议ID:308542840
会话超时:20分钟
服务器软件:Microsoft-IIS/6.0
HTTP_COOKIE:ASPSESSIONIDQCBATRAD = MBHHDGCBGGBJBMAEGLDAJLGF; ASPSESSIONIDQCCDTTCB = PGHPDGCBPLKALGGKIPOFIGDM
为什么有两个ASPSESSIONID?当我刷新页面时,它随机输出两个会话ID中的一个.
这是一个在IE9中显示问题的截屏视频:http: //prinz-alexander.at/asp_test.avi
此错误通常发生在ie8和ie9中.
只需执行以下操作即可重新创建问题:
如果您重复此步骤,则随机(并非总是)HTTP_COOKIE将填充两个不同的ASPSESSIONID.
asp测试文件只输出mentiod值,源代码中没有其他任何内容.
这是asp测试文件的代码:
<% If trim(Session("test_val")) = "" Then
Dim my_num
Randomize
number = Int((rnd*1000))+1
Session("test_val") = number
End If
%>
<b>Session ID:</b>
<% response.write(Session.SessionId) %><br /><br />
<b>Session("test_val"):</b>
<% response.write(Session("test_val")) %><br /><br />
<b>Session Timeout:</b>
<% response.write(Session.Timeout) %> minutes<br /><br />
<b>Server Software:</b>
<% response.write(Request.ServerVariables("SERVER_SOFTWARE")) %><br /> <br />
<b>HTTP_COOKIE:</b> <% response.write(Request.ServerVariables("HTTP_COOKIE")) %>
如何在Cookie中避免多个ASPSESSIONIds?
谢谢你的帮助!
我能够用Javascript删除这些cookie.
只需将下一个脚本添加到登录页面的末尾即可.这将在用户登录网站之前删除所有"ASPSESSIONIDXXXXXXX"cookie:
<script type="text/javascript">
//Clear any session cookies
(function(){
var cookiesArr = document.cookie.split("; ");
for (var i = 0; i < cookiesArr.length; i++) {
var cItem = cookiesArr[i].split("=");
if (cItem.length > 0 && cItem[0].indexOf("ASPSESSIONID") == 0) {
deleteCookie(cItem[0]);
}
}
function deleteCookie(name) {
var expDate = new Date();
expDate.setTime(expDate.getTime() - 86400000); //-1 day
var value = "; expires=" + expDate.toGMTString() + ";path=/";
document.cookie = name + "=" + value;
}
})();
</script>
您可以使用 URL Rewrite mod 在设置会话 cookie 时对其进行重命名,并使用入站重写规则将其再次还原。当会话名称 ID 更改时会出现多个会话 cookie,但是通过为会话 cookie 提供一个集合名称并将 ID 包含在 cookie 本身中,一次将只会有一个会话 cookie。
在 web.config 中使用这些重写规则来更改
ASPSESSIONIDXXXXXXXX=YYYYYYYYYYYYYYYYYYYYYYYY
进入
session=XXXXXXXX/YYYYYYYYYYYYYYYYYYYYYYYY
然后在入站请求中再次将其还原(因此它仍然可以被 IIS 读取):
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<rules>
<clear />
<!-- "HTTP_COOKIE" must be added to the "allowed server variables" in IIS under URLRewrite -->
<rule name="session cookie revert">
<match url="(.*)" />
<conditions>
<add input="{HTTP_COOKIE}" pattern="(.*)session=([0-9a-zA-Z]+)\/([0-9a-zA-Z]+)(.*)" />
</conditions>
<serverVariables>
<set name="HTTP_COOKIE" value="{C:1}ASPSESSIONID{C:2}={C:3}{C:4}" />
</serverVariables>
<action type="None" />
</rule>
</rules>
<outboundRules>
<rule name="session cookie rewrite">
<match serverVariable="RESPONSE_Set_Cookie" pattern="ASPSESSIONID([0-9a-zA-Z]+)=([0-9a-zA-Z]+)(.*)" negate="false" />
<!-- Set the session cookie as HttpOnly during the rewrite. Classic ASP doesn't
do this by default, but it's important for preventing XSS cookie stealing.
You could also add "; Secure" if you only want the session cookie to be passed
over an SSL connection, although this also means the cookie can only be set over
an SSL connection too, which could be a problem when testing on localhost. -->
<action type="Rewrite" value="session={R:1}/{R:2}{R:3}; HttpOnly" />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
</configuration>
pol*_*lin -2
您已在用户会话中分配了一个值。尝试像这样获取会话并为每个用户分配不同的唯一值
<%
Session("test") = "test value"
a=Session("test")
response.Write(a)
%>
| 归档时间: |
|
| 查看次数: |
16276 次 |
| 最近记录: |