Geek Answers Handbook

User session id as parameter in Ajax call

I created an HttpHandler which I will use with jquery-Ajax call.

This HttpHandler will access the database and check for something that is currently being recorded by the user .

A user is considered signed using a session with the user_id attribute.

Session["user_id"] = userId;

I tried to fetch this session in HttpHandler but it doesn't seem to work.

So, I was thinking about sending user_id as a parameter .

  var user_id = //Retrieved in some way... $.ajax({ url: 'QuestionRate.ashx?id=user_id', success: function (msg, status, xhr) { alert(msg); }, error: function () { alert(msg); } });

But it really seems like a bad idea, anyone who reads the codes can just access the Handler with the identifier that he wants.

So what can I do in this situation? I want the handler to get user_id to access the database, but I want to make sure that this user_id is the actual identifier of the signed user. There is no way to access the session in the handler?

+4
source share
3 answers

Passing a session id using an ajax call is not very good.

You must mark the handler with the IReadOnlySessionState marker and access the session as read-only through the HttpContext.Current.Session instance.

Code example:

 public class FooHandler : IHttpHandler, IReadOnlySessionState { public bool IsReusable { get { return false; } } public void ProcessRequest(HttpContext context) { string user_id = context.Session["user_id"].ToString(); } }
+6
source

Make your IRequiresSessionState handler that notifies ASP.NET that your handler is using session state. Then the session cookie sent from the client will be recognized by the handler, and you can access it on the server, for example, on any other aspx page.

You can also use IReadOnlySessionState to access a read-only session.

+2
source

What you need to do is turn it into POST and add it to the POST data. Then, in combination with the SSL key, the POST data will be automatically encrypted. So you can try:

 var user_id = //Retrieved in some way... $.ajax({ type: "POST" url: 'QuestionRate.ashx', data: { userid: user_id } success: function (msg, status, xhr) { alert(msg); }, error: function () { alert(msg); } });

then in your HTTP handler you can simply disable this using the Request object.

jQuery AJAX API

+1
source

More articles:


All Articles