问题描述

首先，请不要忽略这个问题 - 我知道这是一个丑陋的情况，但嘿，现实生活不漂亮。

Firstly, please don't dismiss this question - I'm aware it's an ugly situation but hey, real life isn't pretty.

在asp.net中编写的web应用程序的额外部分，但是在php中 - 大部分是完成的（这两个部分在数据库之外并不真正地相互通信 - 集成大部分只是化妆）。

I'm developing an extra section to a web app that's written in asp.net, but in php - it's mostly done (the two parts don't really communicate with each other outside of a database - the integration is mostly just cosmetic.)

我所遇到的唯一问题是当.net会话过期时检测php部分，以便将用户记录下来并重定向到登录页面。

The only issue I have is detecting from the php part when the .net session has expired so that it logs the user out and redirects to the login page.

我相信asp.net应用程序是编译的，但是不允许修改它，所以我想可能最好的做法是做一个非常小/简单的aspx页面输出true或false，我可以使用curl从php（并传递浏览器的cookie）。

I believe the asp.net application is compiled, but either way I'm not allowed to alter it so I was thinking maybe the best thing to do would be to make a very small/simple aspx page that outputs true or false which I could call using curl from php (and passing the browser's cookies along.)

这可能吗？我不知道会话安全在asp.net上是如何工作的，例如，一个.net应用程序是否可以读取另一个会话变量，但如果它是什么像php那么它是可能的。

Would this even be possible? I'm not sure how session security works on asp.net eg whether one .net application can read another's session variables, but if it's anything like php then it'll be possible.

mypage.php --curl--> checksession.aspx --|
|                                        |
<----------- true / false <---------------

所以mypage使用curl发出一个GET（使用浏览器的cookie）到检查会话，checksession只返回true或false（或类似的东西），并且mypage重定向到

So mypage issues a GET (with cookies from browser) to checksession using curl, checksession simply returns a true or false (or something like that) and mypage redirects to the site's login page if that's false.

php端的身份验证已经整理出来，并且与此问题分开。

The authentication for the php side is already sorted out and is separate to this issue.

真的，我需要知道的是，我可以只有一个简单的.aspx文件，这样做检查，如果是这样，我去哪里去找到如何编写这样一个简单的页面？如果它只是一行或三，请你让我知道这些行是什么（我很抱歉，我从来没有做过任何.NET的东西..）

So really, what I need to know is can I have just a simple .aspx file that does this check, and if so where would I go to to find out how to program such a simple page? If it's just a line or three, please could you let me know what those lines would be (I'm sorry I've never done any .net stuff..)

如果这不可能，那么如果你不介意，你能提供一些替代解决方案吗？非常感谢！

If this isn't possible, then if you don't mind, could you provide some alternative solutions? Thanks!

- EDIT -

-- EDIT --

现在认为使用php在所有绕过这是一个坏主意。实际上有两个级别的身份验证（一个是正常的HTTP请求/响应登录类型的东西，然后是.net会话） - 除此之外，我完全错过了这一点，显然这些会话几乎肯定会被备份我需要欺骗的用户浏览器的IP或来自curl的将在服务器上运行的用户浏览器的IP。

After spending most of the day with this problem, I'm now thinking that using php at all to get around this is a bad idea. There's actually two levels of authentication involved (one is normal HTTP request/response login type thing, then there's the .net session) - on top of that I totally missed the point that obviously these sessions are almost certainly going to be backed up by the IP of the users browser which I'd have to spoof or something coming from curl as that'll be running on the server.

所以我想我要去在我的页面的头部使用jQuery检查和重定向的需要...某种程度：/

So I think I'm going to use jQuery somewhere in the header of my page to check and redirect as required...somehow :/

- 编辑2 -
好​​， javascript方式适合我的需求很好 - 显然它不是一个安全的方式做事情，但幸运的是，在这种情况下，它是确定，因为这只是一个应用程序使用的内部网（和他们验证用户的糟糕的方式是可怕的） / p>

-- EDIT 2 --Ok, so the javascript way has suited my needs pretty well - obviously it's not a secure way of doing things, but fortunately in this case it's ok as this is just an app used on the intranet (and the shoddy way they authenticate users is terrible anyway.)

推荐答案

这里有多种方法。首先，cookies本身不会做太多，因为会话可以在ASP.net过期，即使Cookie仍然活着。

There are multiple ways here. First of all, the cookies alone won't do much, because the session can be expired in ASP.net even though the Cookie is still alive.

ASP.net支持多个，其中两个是常见的：

ASP.net supports multiple SessionStates, of which two are common:

1. 正在处理 - 这里，Web服务器（通常为IIS）保存内存中的所有会话。如果IIS服务重新启动（缺省情况下每24小时发生一次，而不仅仅是当系统重新启动！），所有会话被擦除（这就是为什么单独的cookie不起作用）。这种情况是我相信的，因此在单服务器环境中非常常见


2. SQL Server - 这里，会话数据存储在SQL Server数据库中。这不是经常使用的。


3. 状态服务器。

场景2是你最好的选择，因为你可以只读会话ID从cookie和查询SQL Server数据库的会话信息。

Scenario 2 is your best bet, because you can just read the session id from the cookie and query the SQL Server database for the session info.

在方案1中，您的方法是正确的：您需要帮助从ASP.net应用程序，其可以是.aspx页面。通过PHP传递会话cookie中的请求，并检查和，以确保ID匹配和IsNewSession应该为false - 否则，ASP.net只是重新创建一个新的会话。

in Scenario 1, your approach is the correct one: You need help from the ASP.net Application, which can be a .aspx page. Make a request from PHP passing in the session cookie and check Session.SessionID and Session.IsNewSession to make sure the ID Matches and IsNewSession should be false - otherwise, ASP.net just recreated a new Session.

您可必须与ASP.net页面上的会话进行交互才能激活它（ Session [PingFromPHP] = true ），这可能会干扰如果您的密钥（[] -brackets中的名称）具有相同的名称，则使用ASP.net应用程序。

You may have to interact with the Session from the ASP.net page to activate it (Session["PingFromPHP"] = true) which may interfere with the ASP.net Application if your key (the name in the []-brackets) has the same name.

如果ASP.net应用程序已编译， .aspx.cs文件作为后缀到名为 App_Code

If the ASP.net Application is compiled, put the .aspx.cs file that serves as the code behind into a folder named App_Code, this should allow you to run it.

希望让你开始。