Microsoft KB Archive/288121

= BUG: Posting Acceptor Causes ASP Session to Be Lost =

Article ID: 288121

Article Last Modified on 6/16/2006

-

APPLIES TO


 * Microsoft Internet Information Server 4.0

-



This article was previously published under Q288121



SYMPTOMS
When Microsoft Posting Acceptor is used to upload files to Internet Information Server (IIS), Session state is lost.



CAUSE
Posting Acceptor is causing the Session cookie to be omitted when the cpshost.dll that is responsible for handling the file upload posts data to the repost URL. As a result, IIS sees the request as from a first-time caller and assigns it a new Session ID.



Workarounds
There are two possible workarounds for this problem:
 * Do not use session data or write all Session variables to Form variables on the page calling the Posting Acceptor and then rewrite them from the Repost page. In this event, the original session still uses memory on the server and eventually times out. This solution is not very robust or clean, and Microsoft does not recommended it.
 * A more robust workaround is to include a hidden form variable in the form that is used to upload the file that contains the user's ASP Session cookie. Then, in the onload event for the repost page, the cookie must be set again. While some browsers may be able to retrieve the correct Session cookie without this step, others never recover the session without it.

Note that Session data is not available in the server-side code for the repost URL because the cookie does not yet exist at that time. If Session data is needed on the Repost page, the page can redirect to another page immediately upon loading. However, until this bug is fixed in Posting Acceptor, the server-side code on the Repost page is not able to access Session data.

The following sample demonstrates the second workaround described previously. Keep in mind that Posting Acceptor needs to be installed on the server for the sample to work. Also, the proper permissions must be set on the directory referenced by the TargetURL form variable in the code in order for the upload to succeed.

For more information, see the articles listed in the &quot;References&quot; section of this article.   Paste the following code into a new ASP page, and save the page as UploadFile.asp in a directory that is accessible from your Web site. This directory should allow write access for the IUSR (or IWAM, if run out-of-process) account on the Web server, both with NT file system and Microsoft Internet Information Server (IIS) permissions: <%@ Language=VBScript%> <% ' Get the repost path for the page, because you have to have the fully qualified path for the upload to succeed. Dim strRepostPath strRepostPath = &quot;http://&quot; + Request.ServerVariables(&quot;SERVER_NAME&quot;) + Request.ServerVariables(&quot;URL&quot;) strRepostPath = Left(strRepostPath, InStrRev(strRepostPath, &quot;/&quot;)) %>   Session ID: <%=Session.SessionID%> RepostPage.asp&quot; method=&quot;post&quot; enctype=&quot;multipart/form-data&quot;> &quot;>  &quot;> File to upload:    function Submit {       // Find the ASP Session cookie and store it in the SessionCookie form variable. var sSC = new String(document.cookie); var iStartPos = sSC.indexOf(&quot;ASPSESSIONID&quot;); var iEndPos = sSC.indexOf(&quot;;&quot;, iStartPos); if (iEndPos == -1) iEndPos = sSC.length; sSC = sSC.substr(iStartPos, iEndPos - iStartPos); document.forms[0].SessionCookie.value = sSC; // And submit the form... document.forms[0].submit; }                     Paste the following code into another new file, and save the file with the name RepostPage.asp in the same location as the previous file: <%@ Language=VBScript %> <% ' Get the repost path for the page, because you have to have the fully qualified path for the redirection to succeed. ' This is because this page erroneously believes it is in the /Scripts virtual root ' of the site that was called by the cpshost.dll file in that directory. Dim strRepostPath strRepostPath = &quot;http://&quot; + Request.ServerVariables(&quot;SERVER_NAME&quot;) + Request.ServerVariables(&quot;URL&quot;) strRepostPath = Left(strRepostPath, InStrRev(strRepostPath, &quot;/&quot;)) %>  Session ID should be (and was): <%=Request.Form(&quot;SessionID&quot;)%> New (incorrect) session ID after post: <%=Session.SessionID%>

<script language=&quot;JavaScript&quot;> function FixBrokenSession {       document.cookie = &quot;<%=Request.Form(&quot;SessionCookie&quot;)%>;path=/&quot;; alert(&quot;Session has been restored!&quot;); alert(&quot;Now redirect to demonstrate fixed Session ID...&quot;); document.location.href = &quot;<%=strRepostPath%>SessionIsFixed.asp&quot;; }

<% ' Abandon this false session so that the server releases it immediately. Session.Abandon %>                   </li>  Paste the following code into a third new file, and save the file as SessionIsFixed.asp in the same location as the previous two files: <%@ Language=VBScript %> Fixed, original Session ID: <%=Session.SessionID%> </li> Finally, browse to the UploadFile.asp in your Internet browser, and upload a file. Note that you see the session lost and restored again. Remember that some browsers (Internet Explorer (IE), specifically) are capable of restoring the Session cookie simply by redirecting the URL. However, other browsers may not be able to do this, and lose the state of the Session unless the Session cookie is manually fixed.</li></ol>

<div class="status_section">

STATUS
Microsoft has confirmed that this is a bug in the Microsoft products that are listed at the beginning of this article.

<div class="moreinformation_section">

Steps to Reproduce Behavior
To reproduce this problem, use the preceding sample code but remove the FixBrokenSession function call from the onload event of the tag. The session is then lost.

<div class="references_section">