I don't know that there is a "security problem" with having sessions shared
between HTTP and HTTPS for the same application path. The point I was making
is that browser designers could very well consider it a problem and not send
cookies set by one to the other.
You could check on the rules for sending cookies to see if this is likely. I
don't know the RFC but it should be on the www.w3c.org site somewhere.
Most responses to this issue recommend the use of a back-end database to tie
the http and https sessions together.
--
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
"Larry Woods" <larry@NOSPAMlwoods.com> wrote in message
news:eqL22gGaEHA.4032@TK2MSFTNGP11.phx.gbl...
> You hit the problem, Mark. The HTTPS site is "safe.xxxxx" and our non-HTTPS
> site is www.xxxxx . We had hoped that we would get around the problem
> because both "safe" and "www" point to the same URL. But, IIS doesn't look
> at IP addresses, I guess.
>
> Could you expand on your statement about the security problem with using
> the same URL for both the https and the http. Or, point me to a source of
> this info. I have Googled using various keywords but can't find any info on
> this.
>
> Thanks.
>
> Larry Woods
>
> "Mark Schupp" <mschupp@ielearning.com> wrote in message
> news:eftudPGaEHA.808@tk2msftngp13.phx.gbl...
> > If by "different URL" you mean a path to a different virtual directory or
> > using a different domain then session variables cannot be passed because the
> > session cookie can only go to one application. ie:
> >
> > http://www.mysite.com/app can never share session variables with
> > https://www.securesite.com/app because the browser will not send the session
> > cookie to both paths, even if they actually point to the same site.
> >
> > In the past I have been able to share sessions between http and https when
> > the paths matched otherwise ( ie: http://www.mysite.com/app and
> > https://www.mysite.com/app) but this might be considered a security bug that
> > could be "fixed" in a future browser or IIS version (haven't tried it since
> > IIS4/IE4).
> >
> > --
> > Mark Schupp
> > Head of Development
> > Integrity eLearning
> > www.ielearning.com
> >
> > "Larry Woods" <larry@NOSPAMlwoods.com> wrote in message
> > news:uoXENFFaEHA.4092@TK2MSFTNGP11.phx.gbl...
> > > Ray,
> > >
> > > I need further clarification. I have another site where I pass around
> > > various session variable values, like UserID, etc. between SSL and non-SSL
> > > pages all the time! The only difference that I can see between the two
> > > sites is the site that works is using the same URL for both SSL and non-SSL
> > > whereas the site that I am having trouble with is using a different URL for
> > > SSL as for the non-SSL pages.
> > >
> > > I also commented that some of the Session variables stayed intact. Now I
> > > realize that the ones that were "preserved" were created (recreated!) in
> > > SessionStart in my global.asa. In any case, the other site does preserve
> > > all of my session variables.
> > >
> > > Larry Woods
> > >
> > > "Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in
> > > message news:OT%23no7EaEHA.1768@TK2MSFTNGP10.phx.gbl...
> > > > Session variables will not persist between http and https. If you need
> > > > them to, you'll have to create your own "session variable" management
> > > > system, such as database stored values. Either that, or put your visitors
> > > > into https earlier, if that's an option.
> > > >
> > > > See here: http://www.aspfaq.com/show.asp?id=2157
> > > >
> > > > Ray at work
> > > >
> > > > "Larry Woods" <larry@NOSPAMlwoods.com> wrote in message
> > > > news:%23kVIO2EaEHA.3524@TK2MSFTNGP12.phx.gbl...
> > > > > I am losing Session variables, but only those that are set in the page
> > > > > previous to a redirect to a secure page.
> > > > >
> > > > > Anyone seen ANY situation where Session variables just "disappear?"
> > > > >
> > > > > Note that OTHER session variables are still intact !?!
> > > > >
> > > > > TIA,
> > > > >
> > > > > Larry Woods