I am losing Session variables, but only those that are set in the page
previous to a redirect to a secure page.
Anyone seen ANY situation where Session variables just "disappear?"
Note that OTHER session variables are still intact !?!
TIA,
Larry Woods
5  3960 
Session variables will not persist between http and https. If you need them
to, you'll have to create your own "session variable" management system,
such as database stored values. Either that, or put your visitors into
https earlier, if that's an option.
See here: http://www.aspfaq.com/show.asp?id=2157
Ray at work
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl... I am losing Session variables, but only those that are set in the page
previous to a redirect to a secure page.
Anyone seen ANY situation where Session variables just "disappear?"
Note that OTHER session variables are still intact !?!
TIA,
Larry Woods
Ray,
I need further clarification. I have another site where I pass around
various session variable value, like UserID, etc. between SSL and non-SSL
pages all the time! The only difference that I can see between the two
sites is the site that works is using the same URL for both SSL and non-SSL
whereas the site that I am having trouble with is using a different URL for
SSL as for the non-SLL pages.
I also commented that some of the Session variables stayed intact. Now I
realize that the ones that were "preserved" were created (recreated!) in
SessionStart in my global.asa. In any case, the other site does perserve
all of my session variables.
Larry Woods
"Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in
message news:OT****************@TK2MSFTNGP10.phx.gbl... Session variables will not persist between http and https. If you need
them to, you'll have to create your own "session variable" management system,
such as database stored values. Either that, or put your visitors into
https earlier, if that's an option.
See here: http://www.aspfaq.com/show.asp?id=2157
Ray at work
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...I am losing Session variables, but only those that are set in the page
previous to a redirect to a secure page.
Anyone seen ANY situation where Session variables just "disappear?"
Note that OTHER session variables are still intact !?!
TIA,
Larry Woods
If by "different URL" you mean a path to a different virtual directory or
using a different domain then session variables cannot be passed because the
session cookie can only go to one application. ie: http://www.mysite.com/app can never share session variables with https://www.securesite.com/app because the browser will not send the session
cookie to both paths, even it they actually point to the same site.
In the past I have been able to share sessions between http and https when
the paths matched otherwise ( ie: http://www.mysite.com/app and https://www.mysite.com/app) but this might be considered a security bug that
could be "fixed" in a future browser or IIS version (haven't tried it since
IIS4/IE4).
--
Mark Schupp
Head of Development
Integrity eLearning www.ielearning.com
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:uo**************@TK2MSFTNGP11.phx.gbl... Ray,
I need further clarification. I have another site where I pass around
various session variable value, like UserID, etc. between SSL and non-SSL
pages all the time! The only difference that I can see between the two
sites is the site that works is using the same URL for both SSL and
non-SSL whereas the site that I am having trouble with is using a different URL
for SSL as for the non-SLL pages.
I also commented that some of the Session variables stayed intact. Now I
realize that the ones that were "preserved" were created (recreated!) in
SessionStart in my global.asa. In any case, the other site does perserve
all of my session variables.
Larry Woods
"Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in
message news:OT****************@TK2MSFTNGP10.phx.gbl... Session variables will not persist between http and https. If you need
them to, you'll have to create your own "session variable" management system,
such as database stored values. Either that, or put your visitors into
https earlier, if that's an option.
See here: http://www.aspfaq.com/show.asp?id=2157
Ray at work
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...I am losing Session variables, but only those that are set in the page
previous to a redirect to a secure page.
Anyone seen ANY situation where Session variables just "disappear?"
Note that OTHER session variables are still intact !?!
TIA,
Larry Woods
You hit the problem, Mark. The HTTPS site is "safe.xxxxx" and our non-HTTPS
site is www.xxxxx . We had hoped that we would get around the problem
because both "safe" and "www" point to the same URL. But, IIS doesn't look
at IP addresses, I guess.
Could yoiu expand on your statement about the security problem with using
the same URL for both the https and the http. Or, point me to a source of
this info. I have Googled using various keywords but can't find any info on
this.
Thanks.
Larry Woods
"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:ef*************@tk2msftngp13.phx.gbl... If by "different URL" you mean a path to a different virtual directory or
using a different domain then session variables cannot be passed because
the session cookie can only go to one application. ie:
http://www.mysite.com/app can never share session variables with
https://www.securesite.com/app because the browser will not send the
session cookie to both paths, even it they actually point to the same site.
In the past I have been able to share sessions between http and https when
the paths matched otherwise ( ie: http://www.mysite.com/app and
https://www.mysite.com/app) but this might be considered a security bug
that could be "fixed" in a future browser or IIS version (haven't tried it
since IIS4/IE4).
--
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:uo**************@TK2MSFTNGP11.phx.gbl... Ray,
I need further clarification. I have another site where I pass around
various session variable value, like UserID, etc. between SSL and
non-SSL pages all the time! The only difference that I can see between the two
sites is the site that works is using the same URL for both SSL and
non-SSL whereas the site that I am having trouble with is using a different URL
for SSL as for the non-SLL pages.
I also commented that some of the Session variables stayed intact. Now
I realize that the ones that were "preserved" were created (recreated!) in
SessionStart in my global.asa. In any case, the other site does
perserve all of my session variables.
Larry Woods
"Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in
message news:OT****************@TK2MSFTNGP10.phx.gbl... Session variables will not persist between http and https. If you
need them to, you'll have to create your own "session variable" management
system, such as database stored values. Either that, or put your visitors
into https earlier, if that's an option.
See here: http://www.aspfaq.com/show.asp?id=2157
Ray at work
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
>I am losing Session variables, but only those that are set in the
page > previous to a redirect to a secure page.
>
> Anyone seen ANY situation where Session variables just "disappear?"
>
> Note that OTHER session variables are still intact !?!
>
> TIA,
>
> Larry Woods
>
>
I don't know that there is a "security problem" with having sessions shared
between HTTP and HTTPS for the same application path. The point I was making
is that browser designers could very well consider it a problem and not send
cookies set by one to the other.
You could check on the rules for sending cookies to see if this is likely. I
don't know the RFC but it should be on the www.w3c.org site somewhere.
Most responses to this issue recommend the use of a back-end database to tie
the http and https sessions together.
--
Mark Schupp
Head of Development
Integrity eLearning www.ielearning.com
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:eq**************@TK2MSFTNGP11.phx.gbl... You hit the problem, Mark. The HTTPS site is "safe.xxxxx" and our
non-HTTPS site is www.xxxxx . We had hoped that we would get around the problem
because both "safe" and "www" point to the same URL. But, IIS doesn't
look at IP addresses, I guess.
Could yoiu expand on your statement about the security problem with using
the same URL for both the https and the http. Or, point me to a source of
this info. I have Googled using various keywords but can't find any info
on this.
Thanks.
Larry Woods
"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:ef*************@tk2msftngp13.phx.gbl... If by "different URL" you mean a path to a different virtual directory
or using a different domain then session variables cannot be passed because the session cookie can only go to one application. ie:
http://www.mysite.com/app can never share session variables with
https://www.securesite.com/app because the browser will not send the
session cookie to both paths, even it they actually point to the same site.
In the past I have been able to share sessions between http and https
when the paths matched otherwise ( ie: http://www.mysite.com/app and
https://www.mysite.com/app) but this might be considered a security bug
that could be "fixed" in a future browser or IIS version (haven't tried it
since IIS4/IE4).
--
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:uo**************@TK2MSFTNGP11.phx.gbl... Ray,
I need further clarification. I have another site where I pass around
various session variable value, like UserID, etc. between SSL and non-SSL pages all the time! The only difference that I can see between the
two sites is the site that works is using the same URL for both SSL and
non-SSL whereas the site that I am having trouble with is using a different
URL for SSL as for the non-SLL pages.
I also commented that some of the Session variables stayed intact.
Now I realize that the ones that were "preserved" were created (recreated!)
in SessionStart in my global.asa. In any case, the other site does
perserve all of my session variables.
Larry Woods
"Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in
message news:OT****************@TK2MSFTNGP10.phx.gbl...
> Session variables will not persist between http and https. If you need them
> to, you'll have to create your own "session variable" management system, > such as database stored values. Either that, or put your visitors into > https earlier, if that's an option.
>
> See here: http://www.aspfaq.com/show.asp?id=2157
>
> Ray at work
>
> "Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
> news:%2****************@TK2MSFTNGP12.phx.gbl...
> >I am losing Session variables, but only those that are set in the page > > previous to a redirect to a secure page.
> >
> > Anyone seen ANY situation where Session variables just "disappear?
" > >
> > Note that OTHER session variables are still intact !?!
> >
> > TIA,
> >
> > Larry Woods
> >
> >
>
>
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: ndsoumah |
last post by:
hello guys
I'm trying to get access to variables I put in a session variable from
another page and it fails...
here's the exact situation
main file
page1.php
|
by: Dabbler |
last post by:
I set some strings and integers in Session but when I get to my redirected
page the values are null.
I'm running on localhost Windows XP Pro but using remote SQL 2005 database.
Not doing...
|
by: TCook |
last post by:
I am losing my session variables after a Response.Redirect.
My web.config file contains the following:
<sessionState mode="InProc"
stateConnectionString="tcipip=127.0.0.1:42424"...
|
by: K. A. |
last post by:
I have two servers at work, 'A' for testing and development, and
server 'B' for production.
On server A, I wrote a PHP test code to login users then direct them
to a personalized page. This is...
|
by: manny6677 |
last post by:
Trying a simple test of passing $_SESSION variables between two php pages. I don't see any data on the second page and the session id that is printed out is not the same as the first page session id...
|
by: KidQuin |
last post by:
I am having problems with session value between pages. Happening in both firefox and IE7. I go between page by links so I know it's not header changes.
I use session_start as the first line on the...
|
by: lllomh |
last post by:
Define the method first
this.state = {
buttonBackgroundColor: 'green',
isBlinking: false, // A new status is added to identify whether the button is blinking or not
}
autoStart=()=>{
|
by: DJRhino |
last post by:
Was curious if anyone else was having this same issue or not....
I was just Up/Down graded to windows 11 and now my access combo boxes are not acting right. With win 10 I could start typing...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 4 Oct 2023 starting at 18:00 UK time (6PM UTC+1) and finishing at about 19:15 (7.15PM)
The start time is equivalent to 19:00 (7PM) in Central...
|
by: giovanniandrean |
last post by:
The energy model is structured as follows and uses excel sheets to give input data:
1-Utility.py contains all the functions needed to calculate the variables and other minor things (mentions...
|
by: NeoPa |
last post by:
Hello everyone.
I find myself stuck trying to find the VBA way to get Access to create a PDF of the currently-selected (and open) object (Form or Report).
I know it can be done by selecting :...
|
by: Teri B |
last post by:
Hi, I have created a sub-form Roles. In my course form the user selects the roles assigned to the course.
0ne-to-many. One course many roles.
Then I created a report based on the Course form and...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 1 Nov 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM)
Please note that the UK and Europe revert to winter time on...
|
by: isladogs |
last post by:
The next online meeting of the Access Europe User Group will be on Wednesday 6 Dec 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM).
In this month's session, Mike...
|
by: GKJR |
last post by:
Does anyone have a recommendation to build a standalone application to replace an Access database? I have my bookkeeping software I developed in Access that I would like to make available to other...
| |
