//
// Authors:
// Gonzalo Paniagua Javier (gonzalo@ximian.com)
-// Stefan Görling (stefan@gorling.se)
+// Stefan Görling (stefan@gorling.se)
// Jackson Harper (jackson@ximian.com)
//
-// (C) 2002,2003 Ximian, Inc (http://www.ximian.com)
-// (C) 2003 Stefan Görling (http://www.gorling.se)
-
+// Copyright (C) 2002-2006 Novell, Inc (http://www.novell.com)
+// (C) 2003 Stefan Görling (http://www.gorling.se)
//
// Permission is hereby granted, free of charge, to any person obtaining
// a copy of this software and associated documentation files (the
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
-using System.Web;
+#if !NET_2_0
+using System.Web.Configuration;
using System.Web.Caching;
using System.Web.Util;
using System.Security.Cryptography;
+using System.Security.Permissions;
namespace System.Web.SessionState
{
+ // CAS - no InheritanceDemand here as the class is sealed
+ [AspNetHostingPermission (SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
public sealed class SessionStateModule : IHttpModule
{
- internal static readonly string CookieName = "ASPSESSION";
- internal static readonly string HeaderName = "AspFilterSessionId";
+ internal const string CookieName = "ASPSESSION";
+ internal const string HeaderName = "AspFilterSessionId";
+ static object locker = new object ();
+#if TARGET_J2EE
+static private SessionConfig config {
+ get {
+ return (SessionConfig)AppDomain.CurrentDomain.GetData("SessionStateModule.config");
+ }
+ set {
+ AppDomain.CurrentDomain.SetData("SessionStateModule.config", value);
+ }
+ }
+ static private Type handlerType {
+ get {
+ return (Type)AppDomain.CurrentDomain.GetData("SessionStateModule.handlerType");
+ }
+ set {
+ AppDomain.CurrentDomain.SetData("SessionStateModule.handlerType", value);
+ }
+ }
+#else
static SessionConfig config;
static Type handlerType;
+#endif
ISessionHandler handler;
+ bool sessionForStaticFiles;
- private RandomNumberGenerator rng;
+ static RandomNumberGenerator rng = RandomNumberGenerator.Create ();
+ [SecurityPermission (SecurityAction.Demand, UnmanagedCode = true)]
public SessionStateModule ()
{
- rng = new RNGCryptoServiceProvider ();
}
internal RandomNumberGenerator Rng {
handler.Dispose();
}
- public void Init (HttpApplication app)
+ SessionConfig GetConfig ()
{
- if (config == null) {
+ lock (locker) {
+ if (config != null)
+ return config;
+
config = (SessionConfig) HttpContext.GetAppConfig ("system.web/sessionState");
if (config == null)
config = new SessionConfig (null);
+#if TARGET_J2EE
+ if (config.Mode == SessionStateMode.SQLServer || config.Mode == SessionStateMode.StateServer)
+ throw new NotImplementedException("You must use web.xml to specify session state handling");
+#else
if (config.Mode == SessionStateMode.StateServer)
handlerType = typeof (SessionStateServerHandler);
if (config.Mode == SessionStateMode.SQLServer)
handlerType = typeof (SessionSQLServerHandler);
-
+#endif
if (config.Mode == SessionStateMode.InProc)
handlerType = typeof (SessionInProcHandler);
- if (config.Mode == SessionStateMode.Off)
- return;
+ return config;
}
+ }
- if (config.CookieLess)
+ [EnvironmentPermission (SecurityAction.Assert, Read = "MONO_XSP_STATIC_SESSION")]
+ public void Init (HttpApplication app)
+ {
+ sessionForStaticFiles = (Environment.GetEnvironmentVariable ("MONO_XSP_STATIC_SESSION") != null);
+ SessionConfig cfg = GetConfig ();
+ if (handlerType == null)
+ return;
+
+ if (cfg.CookieLess)
app.BeginRequest += new EventHandler (OnBeginRequest);
-
- app.AddOnAcquireRequestStateAsync (
- new BeginEventHandler (OnBeginAcquireState),
- new EndEventHandler (OnEndAcquireState));
+ app.AcquireRequestState += new EventHandler (OnAcquireState);
app.ReleaseRequestState += new EventHandler (OnReleaseRequestState);
app.EndRequest += new EventHandler (OnEndRequest);
if (handlerType != null && handler == null) {
handler = (ISessionHandler) Activator.CreateInstance (handlerType);
- handler.Init (this, app, config); //initialize
+ handler.Init (this, app, cfg); //initialize
}
}
if (id == null)
return;
- context.Request.SetFilePath (UrlUtils.RemoveSessionId (base_path,
- context.Request.FilePath));
+ string new_path = UrlUtils.RemoveSessionId (base_path, context.Request.FilePath);
+ context.Request.SetFilePath (new_path);
context.Request.SetHeader (HeaderName, id);
+ context.Response.SetAppPathModifier (String.Concat ("(", id, ")"));
}
void OnReleaseRequestState (object o, EventArgs args)
{
}
- IAsyncResult OnBeginAcquireState (object o, EventArgs args, AsyncCallback cb, object data)
+ void OnAcquireState (object o, EventArgs args)
{
HttpApplication application = (HttpApplication) o;
HttpContext context = application.Context;
bool required = (context.Handler is IRequiresSessionState);
+
+ // This is a hack. Sites that use Session in global.asax event handling code
+ // are not supposed to get a Session object for static files, but seems that
+ // IIS handles those files before getting there and thus they are served without
+ // error.
+ // As a workaround, setting MONO_XSP_STATIC_SESSION variable make this work
+ // on mono, but you lose performance when serving static files.
+ if (sessionForStaticFiles && context.Handler is StaticFileHandler)
+ required = true;
+ // hack end
+
bool read_only = (context.Handler is IReadOnlySessionState);
bool isNew = false;
context.SetSession (session);
+ HttpRequest request = context.Request;
+ HttpResponse response = context.Response;
+ string id = context.Session.SessionID;
if (isNew && config.CookieLess) {
- string id = context.Session.SessionID;
- context.Request.SetHeader (HeaderName, id);
- context.Response.Redirect (UrlUtils.InsertSessionId (id,
- context.Request.FilePath));
+ request.SetHeader (HeaderName, id);
+ response.Redirect (UrlUtils.InsertSessionId (id, request.FilePath));
} else if (isNew) {
- string id = context.Session.SessionID;
HttpCookie cookie = new HttpCookie (CookieName, id);
- cookie.Path = UrlUtils.GetDirectory (context.Request.ApplicationPath);
+ cookie.Path = request.ApplicationPath;
context.Response.AppendCookie (cookie);
}
+
+ if (isNew)
+ OnSessionStart ();
}
-
- // In the future, we might want to move the Async stuff down to
- // the interface level, if we're going to support other than
- // InProc, we might actually want to do things async, now we
- // simply fake it.
- HttpAsyncResult result=new HttpAsyncResult (cb,this);
- result.Complete (true, o, null);
- if (isNew && Start != null)
- Start (this, args);
-
- return result;
}
- void OnEndAcquireState (IAsyncResult result) { }
-
- internal void OnSessionRemoved (string key, object value, CacheItemRemovedReason reason)
+ void OnSessionStart ()
{
- OnEnd ();
+ if (Start != null)
+ Start (this, EventArgs.Empty);
}
- internal void OnEnd ()
+ internal void OnSessionRemoved (string key, object value, CacheItemRemovedReason reason)
{
- if (End != null)
- End (this, EventArgs.Empty);
+ SessionConfig cfg = GetConfig ();
+
+ // Only invoked for InProc (see msdn2 docs on SessionStateModule.End)
+ if (cfg.Mode == SessionStateMode.InProc)
+ HttpApplicationFactory.InvokeSessionEnd (value);
}
public event EventHandler Start;
+
+ // This event is public, but only Session_[On]End in global.asax will be invoked if present.
public event EventHandler End;
}
}
+#endif