I was wondering if it's possible to get the session id of a session with jQuery? And if so, how do I do that? I can't seem to find it on jquery.com.
- Could doing this introduce a security vulnerability? – frenchie, May 25, 2012 at 8:58
- @frenchie, how would it do that? Session id is already available in your cookie or in a querystring. – walther, May 25, 2012 at 9:30
- @walther: if it's stored in the cookie, only the app running on the page can read it. However, if you start accessing it from the page, now it's also stored in the page's variables, which may become accessible to unwanted code. I'm not 100% sure, but the more you touch security-related issues, the more likely you are to open a vulnerability. – frenchie, May 25, 2012 at 9:35
- @frenchie, "accessible from unwanted code"? Care to elaborate on that? If there is some malicious script on the page (thanks to disabled asp.net security for instance), it already has access to your session id, because it's still JavaScript and that runs on the client - browser. The only problem I could think of at the moment is session stealing, but not sure how that would be more possible in this situation. If you have some sensitive information (like a banking system), your best bet is always to use SSL (it's pretty much a necessity then anyway). Just my opinion... – walther, May 25, 2012 at 9:41
2 Answers
Session ID is stored either in cookies or in query string (depending on browser capabilities or asp.net configuration). Find where your session id is and read it from there.
1 Comment
Rory McCrossan
While this may work - is the session cookie not encoded in some manner?
You cannot do it in jQuery alone as it is client-side only and cannot talk to the server to get the sessionID.
The workaround is to create a webservice which returns the session id in XML/JSON format, which you can call from an AJAX request in jQuery.
Something like this:
    $.ajax({
        url: "/mywebservice.asmx",
        dataType: "json",
        success: function(data) {
            var sessionId = data.sessionId; // This would be determined by your server-side implementation
            // do something with the sessionId...
        }
    });
5 Comments
walther
Interesting. Always thought that session id is stored in cookies or querystring... When did this change?
Rory McCrossan
@walther It is, but I believe it is encoded, therefore cannot be read directly from jQuery. I may be wrong though - wouldn't be the first time ;)
Esben Skov Pedersen
Why make a separate request for this? Just include it in the page if you want to do this
Rory McCrossan
@EsbenSkovPedersen A very good point, the OP did ask for a jQuery method though, presumably because he requires the session id in a .js file which won't be interpreted.
walther
If it is stored in a cookie or url, you can read it from jquery. Even if it was encoded in some way, why would it matter? It's still the same sequence of 20 characters representing the 120-bit random number.
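
Whether the cookie route discussed in this thread works depends on the cookie's HttpOnly attribute, because browsers leave HttpOnly cookies out of `document.cookie`. The following is an added example, not code from any poster here: it models that behaviour and audits a Set-Cookie header, with the cookie name `ASP.NET_SessionId` assumed and all header values constructed.

```javascript
// Added example. 'ASP.NET_SessionId' is an assumed session cookie name;
// every header and value below is a constructed sample.
// Parse one Set-Cookie header value into name, value and attribute flags.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    httpOnly: flags.has('httponly'),
    secure: flags.has('secure'),
  };
}

// Model what document.cookie returns: browsers leave HttpOnly cookies out.
function documentCookieView(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Look a cookie up in a document.cookie-style string; null when not visible.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq !== -1 && part.slice(0, eq).trim() === name) {
      return part.slice(eq + 1).trim();
    }
  }
  return null;
}

// Defender's check: which protective attributes is a session cookie missing?
function auditSessionCookie(header) {
  const c = parseSetCookie(header);
  const missing = [];
  if (!c.httpOnly) missing.push('HttpOnly');
  if (!c.secure) missing.push('Secure');
  return { name: c.name, scriptReadable: !c.httpOnly, missing };
}

const SAMPLE_HEADERS = [
  'ASP.NET_SessionId=constructedsessionid0000; path=/; HttpOnly',
  'theme=dark; path=/',
];
console.log(documentCookieView(SAMPLE_HEADERS), auditSessionCookie(SAMPLE_HEADERS[0]));
```

A cookie reported with `scriptReadable: false` cannot be read with jQuery or plain JavaScript. Returning the id from a web service or embedding it in the page puts it back within reach of any script running on that page.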