我在我的 ASP.Net 网站上使用 Yahoo Uploader(Yahoo UI 库的一部分)来允许用户上传文件。对于那些不熟悉的人, uploader 通过使用 Flash 小程序来让我更好地控制 FileOpen 对话框。我可以为文件类型指定一个过滤器,允许选择多个文件等。它很棒,但它有以下记录的限制:
Because of a known Flash bug, the Uploader running in Firefox in Windows does not send the correct cookies with the upload; instead of sending Firefox cookies, it sends Internet Explorer’s cookies for the respective domain. As a workaround, we suggest either using a cookieless upload method or appending document.cookie to the upload request.
因此,如果用户使用 Firefox,我不能依赖 cookie 在他们上传文件时保持他们的 session 。我需要他们的 session ,因为我需要知道他们是谁!作为解决方法,我正在使用 Application 对象:
Guid UploadID = Guid.NewGuid();
Application.Add(Guid.ToString(), User);
因此,我创建了一个唯一 ID,并将其用作在应用程序范围内存储 Page.User 对象的键。上传文件时,我将该 ID 作为变量包含在 POST 中。然后,在接受文件上传的处理程序中,我这样抓取用户对象:
IPrincipal User = (IPrincipal)Application[Request.Form["uploadid"]];
这确实有效,但它有两个明显的缺点:
如果在用户访问上传页面和实际上传文件之间重新启动 IIS、应用程序池或什至只是应用程序,则它们的“uploadid”将从应用程序范围中删除并且上传失败,因为我无法验证它们。
如果我扩展到网络农场(甚至可能是网络花园)场景,这将完全崩溃。我可能并不担心,但我确实计划在未来扩展此应用。
谁有更好的办法?有没有办法在 POST 变量中传递实际的 ASP.Net session ID,然后在另一端使用该 ID 检索 session ?
我知道我可以通过 Session.SessionID 获取 session ID,我知道如何使用 YUI 将其发布到下一页。我不知道的是如何使用 SessionID 从状态服务器获取 session 。
是的,我正在使用状态服务器来存储 session ,因此它们会持续应用程序/IIS 重新启动,并将在网络场场景中工作。
最佳答案
Here是来自 SWFUpload 的维护者的帖子这解释了如何从存储在 Request.Form 中的 ID 加载 session 。我想同样的事情也适用于 Yahoo 组件。
请注意帖子底部的安全免责声明。
By including a Global.asax file and the following code you can override the missing Session ID cookie:
using System;
using System.Web;
public class Global_asax : System.Web.HttpApplication
{
private void Application_BeginRequest(object sender, EventArgs e)
{
/*
Fix for the Flash Player Cookie bug in Non-IE browsers.
Since Flash Player always sends the IE cookies even in FireFox
we have to bypass the cookies by sending the values as part of the POST or GET
and overwrite the cookies with the passed in values.
The theory is that at this point (BeginRequest) the cookies have not been ready by
the Session and Authentication logic and if we update the cookies here we'll get our
Session and Authentication restored correctly
*/
HttpRequest request = HttpContext.Current.Request;
try
{
string sessionParamName = "ASPSESSID";
string sessionCookieName = "ASP.NET_SESSIONID";
string sessionValue = request.Form[sessionParamName] ?? request.QueryString[sessionParamName];
if (sessionValue != null)
{
UpdateCookie(sessionCookieName, sessionValue);
}
}
catch (Exception ex)
{
// TODO: Add logging here.
}
try
{
string authParamName = "AUTHID";
string authCookieName = FormsAuthentication.FormsCookieName;
string authValue = request.Form[authParamName] ?? request.QueryString[authParamName];
if (authValue != null)
{
UpdateCookie(authCookieName, authValue);
}
}
catch (Exception ex)
{
// TODO: Add logging here.
}
}
private void UpdateCookie(string cookieName, string cookieValue)
{
HttpCookie cookie = HttpContext.Current.Request.Cookies.Get(cookieName);
if (cookie == null)
{
HttpCookie newCookie = new HttpCookie(cookieName, cookieValue);
Response.Cookies.Add(newCookie);
}
else
{
cookie.Value = cookieValue;
HttpContext.Current.Request.Cookies.Set(cookie);
}
}
}
Security Warning: Don't just copy and paste this code in to your ASP.Net application without knowing what you are doing. It introduces security issues and possibilities of Cross-site Scripting.
关于c# - 我可以将 ASP.Net session ID 放在隐藏的表单字段中吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/43324/