Warning: Developers on the loose.

Monday, August 4, 2008

Hijacking Sessions to support legacy applications.

So here's the scenario. Server A is a legacy ASP application that is currently being phased out. Server B is a fancy new ASP.NET application that takes HTML data and converts it to a PDF.

The Client wants Server A to print some data in a report. Server A refers the Client over to Server B. Server B wants to get the HTML data from Server A and then return the PDF output to the client.

The only problem with the whole setup is that Server A keeps the client's authentication in Session, so if Server B tries to fetch the page directly, all the client gets is a nice PDF of Server A's login screen.

So the solution to the problem is to have the client give permission to Server B to masquerade as the Client and hijack the session.

First we have to understand how Session is maintained. In ASP the server drops a cookie on the client containing a session ID; the browser sends that cookie back on every subsequent request, and the server uses it to identify the client.

So we can use JavaScript to read the session ID and, oddly enough, the cookie's name as well. The cookie has the form aspsessionidXXXX=XXXXXXXXXXXXX, where the X's are arbitrary identifiers that the server sets.

<script type="text/javascript" language="javascript">
// Returns the ASP session cookie as "ASPSESSIONIDxxxx=value", or undefined if none is visible.
// This relies on the cookie not being flagged HttpOnly: document.cookie never exposes HttpOnly cookies.
function GetSessionCookie() {
    // No 'g' flag: a global RegExp keeps lastIndex between test() calls and can skip matches.
    var reSessionID = /^aspsessionid[^=]*=[^;]*$/i;
    var arrCookies = document.cookie.split(';');

    for (var i = 0; i < arrCookies.length; i++) {
        var strCookie = arrCookies[i].replace(/^\s+/, ''); // entries are separated by "; "
        if (reSessionID.test(strCookie)) {
            return strCookie;
        }
    }
}
</script>

So now we're ready to make the magic happen.

Get the target URL, session key and session ID that were passed to Server B:

string Target = "http://www.ServerA.com/Some/Page.asp";
string SessionID = string.Empty;
string SessionKey = string.Empty;
// The client forwarded the cookie as a query-string pair (ASPSESSIONIDxxxx=value);
// pick out the first key that looks like an ASP session cookie name.
foreach (string item in Request.QueryString.Keys)
{
    if (item.Trim().StartsWith("ASPSESSIONID"))
    {
        SessionKey = item.Trim();
        SessionID = Request.QueryString[item].Trim();
        break;
    }
}

string pageContent = GetWebPage(Target, SessionKey, SessionID);

With GetWebPage written as such:

using System;
using System.IO;
using System.Net;
using System.Text;

private string GetWebPage(string url, string SessionKey, string SessionID)
{
    try
    {
        HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create(url);
        webRequest.Timeout = 6000; // milliseconds
        // Replay the client's ASP session cookie so Server A treats this request as the logged-in client.
        // Adding the cookie against the request Uri scopes it to that host, so no separate domain helper is needed.
        CookieContainer myContainer = new CookieContainer();
        myContainer.Add(new Uri(url), new Cookie(SessionKey, SessionID));
        webRequest.CookieContainer = myContainer;
        using (HttpWebResponse webResponse = (HttpWebResponse)webRequest.GetResponse())
        {
            // CharacterSet is the charset from the Content-Type header. ContentEncoding is the
            // Content-Encoding header (e.g. "gzip"), which is not a text encoding at all.
            string responseEncoding = (webResponse.CharacterSet ?? string.Empty).Trim();
            if (responseEncoding.Length == 0)
                responseEncoding = "us-ascii";
            using (StreamReader responseReader = new StreamReader(webResponse.GetResponseStream(), Encoding.GetEncoding(responseEncoding)))
            {
                return responseReader.ReadToEnd();
            }
        }
    }
    catch
    {
        // Any failure (timeout, HTTP error, unknown charset) yields an empty page to the caller.
        return string.Empty;
    }
}

While it's not the most elegant solution, and I'm sure there are a plethora of flaws security-wise, it does get the job done.
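The handoff above puts the raw ASPSESSIONID value into a URL, where it lands in browser history, Referer headers and web-server logs for the remaining life of the session. As an added example (not the post's code) of the same handoff done with a short-lived sealed token instead: Server A calls Wrap and sends the result in the query string, Server B calls Unwrap and only then builds the cookie for GetWebPage. The class name, the key values and the TTL are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
public static class SessionHandoff
{
    // Two independent 32-byte keys shared by both servers (constructed sample values; load from protected config in practice).
    static readonly byte[] EncKey = Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef");
    static readonly byte[] MacKey = Encoding.ASCII.GetBytes("fedcba9876543210fedcba9876543210");

    // Server A: seal "expiry|SessionKey|SessionID" with AES-256-CBC, then HMAC-SHA256 over IV+ciphertext (encrypt-then-MAC).
    public static string Wrap(string sessionKey, string sessionId, int ttlSeconds)
    {
        long expires = DateTime.UtcNow.AddSeconds(ttlSeconds).Ticks;
        byte[] plain = Encoding.UTF8.GetBytes(expires + "|" + sessionKey + "|" + sessionId);
        using (AesManaged aes = new AesManaged { Key = EncKey })   // a fresh random IV is generated per token
        using (ICryptoTransform enc = aes.CreateEncryptor())
        using (HMACSHA256 hmac = new HMACSHA256(MacKey))
        {
            byte[] body = Concat(aes.IV, enc.TransformFinalBlock(plain, 0, plain.Length));
            return Convert.ToBase64String(Concat(body, hmac.ComputeHash(body)));  // URL-encode before placing in the query string
        }
    }

    // Server B: verify the MAC before touching the ciphertext, then decrypt and enforce expiry and cookie-name shape.
    public static bool Unwrap(string token, out string sessionKey, out string sessionId)
    {
        sessionKey = sessionId = null;
        byte[] data;
        try { data = Convert.FromBase64String(token); } catch (FormatException) { return false; }
        if (data.Length < 16 + 16 + 32) return false;                // IV + one AES block + HMAC-SHA256 tag
        byte[] body = new byte[data.Length - 32], mac = new byte[32], iv = new byte[16];
        Buffer.BlockCopy(data, 0, body, 0, body.Length);
        Buffer.BlockCopy(data, body.Length, mac, 0, 32);
        Buffer.BlockCopy(body, 0, iv, 0, 16);
        using (HMACSHA256 hmac = new HMACSHA256(MacKey))
            if (!FixedTimeEquals(hmac.ComputeHash(body), mac)) return false;   // reject forged or corrupted tokens
        string payload;
        using (AesManaged aes = new AesManaged { Key = EncKey, IV = iv })
        using (ICryptoTransform dec = aes.CreateDecryptor())
            payload = Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 16, body.Length - 16));
        string[] parts = payload.Split('|');
        long exp;
        if (parts.Length != 3 || !long.TryParse(parts[0], out exp) || exp < DateTime.UtcNow.Ticks
            || !parts[1].StartsWith("ASPSESSIONID")) return false;             // expired or malformed
        sessionKey = parts[1]; sessionId = parts[2];
        return true;
    }

    static byte[] Concat(byte[] a, byte[] b) { byte[] r = new byte[a.Length + b.Length]; Buffer.BlockCopy(a, 0, r, 0, a.Length); Buffer.BlockCopy(b, 0, r, a.Length, b.Length); return r; }
    static bool FixedTimeEquals(byte[] a, byte[] b) { int d = a.Length ^ b.Length; for (int i = 0; i < a.Length && i < b.Length; i++) d |= a[i] ^ b[i]; return d == 0; }
}
```

On Server B, a false from Unwrap should be treated as an unauthenticated request; with a TTL of a minute or so, a token copied out of a log is useless long before anyone reads it.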

Thursday, July 31, 2008

HTML to PDF Roundup

The task at hand is to find a way to take an HTML page, containing images and tables, and convert it to PDF for basic reports on the web. The solution must only use memory and no filesystem writes, and cannot reference other executables (i.e. Acrobat).

First order of business was to find a library that could convert HTML to XHTML. I tried NTidy, but it continually gave me a divide by zero exception. Eventually I settled on SgmlReader.

Next I needed to take the XHTML and convert it to PDF. I found 7 different options, and here are my results.

PDFizer:
Cost: Open Source
Pros: Free, source code available.
Cons: Couldn't get it to work. Also after reading some of the forums, I found that even if it did work it doesn't support tables yet.

Winnovative:
Cost: $350 Single - $750 Redistributable
Pros: Works. Has an accurate representation of the test HTML page. Seems to have a lot of flexibility.
Cons: Costs money. Only supports XHTML as an input.

ExpertPDF:
Cost: $350 Single - $750 Redistributable
Notes: I can't as yet determine a difference between ExpertPDF and Winnovative. They are made by the same company, but marketed differently. The APIs are slightly different, but from what I can tell they are identical in functionality.

PDF Metamorphosis:
Cost: $239 Single - $1140 - Site - $2490 Source Code
Pros: Worked. Source available.
Cons: Did not give an accurate representation of the HTML. Fonts were too big and formatting was off. Seems to not support CSS.

Subsystems:
Cost: $599+
Pros: None
Cons: Couldn't get this one to work. Threw a file not found error.

Alt-Soft:
Cost: $1499 Single - $4499 Site - $7499 Redistributable
Pros: Accurate, fastest render, supports other formats as inputs including Docx, good tech support.
Cons: Only rendered one page during the test. Tech support responded within 12 hours of our email and they are currently looking into it.

Homebrew:
Cost: Time, as I wrote it today.
Pros: It only costs the time that it takes to make it. We have the source code.
Cons: Not working at this moment, but it's close. It's using XSL-FO to transform the XHTML to PDF. Probably a day or two away from being completed and tested.

So basically the most attractive choice at this juncture is Winnovative/ExpertPDF. They have the best price-to-performance measure and they're proven to work. If Alt-Soft comes back with a fix to the single-page problem, they would move up immensely, as they support other formats and seem to be a more professional group.
