Those of us who have classic asp legacy sites may have noticed something disconcerting in dealing with this: there is no way to disable session cookies in asp on a per-request basis. You can disable asp sessions altogether for your entire application, and there is an option to disable the session for a single page (but session cookies will still be sent ). Your configuration may be different, but for what it's worth, here's what has worked for us:
You'll need:
- ASP.NET on your server,
- IIS 7 or higher, and
- your application pool in integrated mode
The more perceptive of you will have already figured out where this is going. I am simply going to have ASP.NET remove the cookies the asp handler generates. I wrote a class CookieMonsterModule (because it eats cookies, see?) that checks for a custom header, and removes the cookies if it can't find that header:
using System;
using System.Web;
namespace Tabeoka.CookieMonster
{
public class CookieMonsterModule : IHttpModule
{
public void Dispose() { }
public void Init(HttpApplication context)
{
context.PostRequestHandlerExecute += new EventHandler(CheckEnableCookies);
}
public static void CheckEnableCookies(object sender, EventArgs e)
{
var response = HttpContext.Current.Response;
if (!"true".Equals(response.Headers["enablecookies"]))
{
// Yum Yum
response.Headers.Remove("SET-COOKIE");
}
}
}
}
As you can see, all you need to have cookies make it through, is set the 'enablecookies' header to true:
<%@Language=Javascript %>
<%
Response.AddHeader("enablecookies", "true");
%>
I have made a neat little package at http://www.tabeoka.be/downloads/ClassicAspCookieMonster.zip . It includes a minimal web.config that loads the httpmodule, and the dll itself. You can just copy it into the root of your classic asp app, and start using it (given your configuration meets the requirements). Feel free to take the idea and run with it.
Menno
No comments:
Post a Comment