Development With A Dot

Blog on development in general, and specifically on .NET

Hijacking ASP.NET Sessions

So, you want to be able to access another user’s session state from the session id, right? Well, I don’t know if you should, but you definitely can do that!

Here is an extension method for that purpose. It uses a bit of reflection, which means it may not work with future versions of .NET (I tested it with .NET 4.0/4.5).

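    using System;
    using System.Reflection;
    using System.Web;
    using System.Web.SessionState;

    public static class HttpApplicationExtensions
    {
        // Private field of SessionStateModule that holds the session state store provider.
        // Resolved through reflection, so it is null if a .NET version renames or removes it.
        private static readonly FieldInfo storeField = typeof(SessionStateModule).GetField("_store", BindingFlags.NonPublic | BindingFlags.Instance);

        public static ISessionStateItemCollection GetSessionById(this HttpApplication app, String sessionId)
        {
            // Nothing to look up without a session id.
            if (String.IsNullOrWhiteSpace(sessionId))
            {
                return (null);
            }

            // The session module is registered under the name "Session".
            var module = app.Modules["Session"] as SessionStateModule;

            if ((module == null) || (storeField == null))
            {
                return (null);
            }

            // Read the configured store provider (InProc, StateServer, SQLServer or custom).
            var provider = storeField.GetValue(module) as SessionStateStoreProviderBase;

            if (provider == null)
            {
                return (null);
            }

            Boolean locked;
            TimeSpan lockAge;
            Object lockId;
            SessionStateActions actions;

            // Non-exclusive read of the session data stored under the given id.
            var data = provider.GetItem(HttpContext.Current, sessionId.Trim(), out locked, out lockAge, out lockId, out actions);

            if (data == null)
            {
                return (null);
            }

            return (data.Items);
        }
    }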

As you can see, it extends the HttpApplication class; that is because we need to access the modules collection to get the Session module.

Use with care!
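One way to act on that advice, as an added example that is not part of the original post: the same lookup gated behind a role check, audited, and returning only the key names held in the session. The class and method names and the "SessionAuditors" role are assumptions made for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Reflection;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.SessionState;

public static class GuardedSessionInspector
{
    // Hypothetical role name; map it to the group allowed to inspect sessions.
    private const string RequiredRole = "SessionAuditors";
    // Same private field the post reads; null if a .NET release renames it.
    private static readonly FieldInfo StoreField = typeof(SessionStateModule)
        .GetField("_store", BindingFlags.NonPublic | BindingFlags.Instance);

    // Returns only the key names held in the target session, never the values.
    public static string[] GetSessionKeys(this HttpApplication app, string sessionId)
    {
        if (string.IsNullOrWhiteSpace(sessionId))
            throw new ArgumentException("Session id is required.", "sessionId");
        var id = sessionId.Trim();
        var user = app.Context.User;
        bool authenticated = user != null && user.Identity.IsAuthenticated;
        string caller = authenticated ? user.Identity.Name : "(anonymous)";
        if (!authenticated || !user.IsInRole(RequiredRole))
        {
            Trace.TraceWarning("Session inspection denied: caller={0} session={1}", caller, Fingerprint(id));
            throw new SecurityException("Caller is not allowed to inspect sessions.");
        }
        var module = app.Modules["Session"] as SessionStateModule;
        var provider = (module == null || StoreField == null)
            ? null : StoreField.GetValue(module) as SessionStateStoreProviderBase;
        if (provider == null) return new string[0];
        bool locked; TimeSpan lockAge; object lockId; SessionStateActions actions;
        // GetItem returns null both for an unknown id and for a session that is currently locked.
        var data = provider.GetItem(app.Context, id, out locked, out lockAge, out lockId, out actions);
        Trace.TraceInformation("Session inspected: caller={0} session={1} found={2} locked={3}",
            caller, Fingerprint(id), data != null, locked);
        return data == null ? new string[0] : data.Items.Keys.Cast<string>().ToArray();
    }

    // The session id is a bearer secret, so the log carries a short hash of it instead.
    private static string Fingerprint(string sessionId)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(sessionId)), 0, 4);
    }
}
```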

Posted: Oct 18 2013, 11:11 AM by Ricardo Peres