I am losing Session variables, but only those that are set in the page
previous to a redirect to a secure page.
Anyone seen ANY situation where Session variables just "disappear?"
Note that OTHER session variables are still intact !?!
TIA,
Larry Woods
5  3990 
Session variables will not persist between http and https. If you need them
to, you'll have to create your own "session variable" management system,
such as database stored values. Either that, or put your visitors into
https earlier, if that's an option.
See here: http://www.aspfaq.com/show.asp?id=2157
Ray at work
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl... I am losing Session variables, but only those that are set in the page
previous to a redirect to a secure page.
Anyone seen ANY situation where Session variables just "disappear?"
Note that OTHER session variables are still intact !?!
TIA,
Larry Woods
Ray,
I need further clarification. I have another site where I pass around
various session variable value, like UserID, etc. between SSL and non-SSL
pages all the time! The only difference that I can see between the two
sites is the site that works is using the same URL for both SSL and non-SSL
whereas the site that I am having trouble with is using a different URL for
SSL as for the non-SLL pages.
I also commented that some of the Session variables stayed intact. Now I
realize that the ones that were "preserved" were created (recreated!) in
SessionStart in my global.asa. In any case, the other site does perserve
all of my session variables.
Larry Woods
"Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in
message news:OT****************@TK2MSFTNGP10.phx.gbl... Session variables will not persist between http and https. If you need
them to, you'll have to create your own "session variable" management system,
such as database stored values. Either that, or put your visitors into
https earlier, if that's an option.
See here: http://www.aspfaq.com/show.asp?id=2157
Ray at work
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...I am losing Session variables, but only those that are set in the page
previous to a redirect to a secure page.
Anyone seen ANY situation where Session variables just "disappear?"
Note that OTHER session variables are still intact !?!
TIA,
Larry Woods
If by "different URL" you mean a path to a different virtual directory or
using a different domain then session variables cannot be passed because the
session cookie can only go to one application. ie: http://www.mysite.com/app can never share session variables with https://www.securesite.com/app because the browser will not send the session
cookie to both paths, even it they actually point to the same site.
In the past I have been able to share sessions between http and https when
the paths matched otherwise ( ie: http://www.mysite.com/app and https://www.mysite.com/app) but this might be considered a security bug that
could be "fixed" in a future browser or IIS version (haven't tried it since
IIS4/IE4).
--
Mark Schupp
Head of Development
Integrity eLearning www.ielearning.com
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:uo**************@TK2MSFTNGP11.phx.gbl... Ray,
I need further clarification. I have another site where I pass around
various session variable value, like UserID, etc. between SSL and non-SSL
pages all the time! The only difference that I can see between the two
sites is the site that works is using the same URL for both SSL and
non-SSL whereas the site that I am having trouble with is using a different URL
for SSL as for the non-SLL pages.
I also commented that some of the Session variables stayed intact. Now I
realize that the ones that were "preserved" were created (recreated!) in
SessionStart in my global.asa. In any case, the other site does perserve
all of my session variables.
Larry Woods
"Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in
message news:OT****************@TK2MSFTNGP10.phx.gbl... Session variables will not persist between http and https. If you need
them to, you'll have to create your own "session variable" management system,
such as database stored values. Either that, or put your visitors into
https earlier, if that's an option.
See here: http://www.aspfaq.com/show.asp?id=2157
Ray at work
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...I am losing Session variables, but only those that are set in the page
previous to a redirect to a secure page.
Anyone seen ANY situation where Session variables just "disappear?"
Note that OTHER session variables are still intact !?!
TIA,
Larry Woods
You hit the problem, Mark. The HTTPS site is "safe.xxxxx" and our non-HTTPS
site is www.xxxxx . We had hoped that we would get around the problem
because both "safe" and "www" point to the same URL. But, IIS doesn't look
at IP addresses, I guess.
Could yoiu expand on your statement about the security problem with using
the same URL for both the https and the http. Or, point me to a source of
this info. I have Googled using various keywords but can't find any info on
this.
Thanks.
Larry Woods
"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:ef*************@tk2msftngp13.phx.gbl... If by "different URL" you mean a path to a different virtual directory or
using a different domain then session variables cannot be passed because
the session cookie can only go to one application. ie:
http://www.mysite.com/app can never share session variables with
https://www.securesite.com/app because the browser will not send the
session cookie to both paths, even it they actually point to the same site.
In the past I have been able to share sessions between http and https when
the paths matched otherwise ( ie: http://www.mysite.com/app and
https://www.mysite.com/app) but this might be considered a security bug
that could be "fixed" in a future browser or IIS version (haven't tried it
since IIS4/IE4).
--
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:uo**************@TK2MSFTNGP11.phx.gbl... Ray,
I need further clarification. I have another site where I pass around
various session variable value, like UserID, etc. between SSL and
non-SSL pages all the time! The only difference that I can see between the two
sites is the site that works is using the same URL for both SSL and
non-SSL whereas the site that I am having trouble with is using a different URL
for SSL as for the non-SLL pages.
I also commented that some of the Session variables stayed intact. Now
I realize that the ones that were "preserved" were created (recreated!) in
SessionStart in my global.asa. In any case, the other site does
perserve all of my session variables.
Larry Woods
"Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in
message news:OT****************@TK2MSFTNGP10.phx.gbl... Session variables will not persist between http and https. If you
need them to, you'll have to create your own "session variable" management
system, such as database stored values. Either that, or put your visitors
into https earlier, if that's an option.
See here: http://www.aspfaq.com/show.asp?id=2157
Ray at work
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
>I am losing Session variables, but only those that are set in the
page > previous to a redirect to a secure page.
>
> Anyone seen ANY situation where Session variables just "disappear?"
>
> Note that OTHER session variables are still intact !?!
>
> TIA,
>
> Larry Woods
>
>
I don't know that there is a "security problem" with having sessions shared
between HTTP and HTTPS for the same application path. The point I was making
is that browser designers could very well consider it a problem and not send
cookies set by one to the other.
You could check on the rules for sending cookies to see if this is likely. I
don't know the RFC but it should be on the www.w3c.org site somewhere.
Most responses to this issue recommend the use of a back-end database to tie
the http and https sessions together.
--
Mark Schupp
Head of Development
Integrity eLearning www.ielearning.com
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:eq**************@TK2MSFTNGP11.phx.gbl... You hit the problem, Mark. The HTTPS site is "safe.xxxxx" and our
non-HTTPS site is www.xxxxx . We had hoped that we would get around the problem
because both "safe" and "www" point to the same URL. But, IIS doesn't
look at IP addresses, I guess.
Could yoiu expand on your statement about the security problem with using
the same URL for both the https and the http. Or, point me to a source of
this info. I have Googled using various keywords but can't find any info
on this.
Thanks.
Larry Woods
"Mark Schupp" <ms*****@ielearning.com> wrote in message
news:ef*************@tk2msftngp13.phx.gbl... If by "different URL" you mean a path to a different virtual directory
or using a different domain then session variables cannot be passed because the session cookie can only go to one application. ie:
http://www.mysite.com/app can never share session variables with
https://www.securesite.com/app because the browser will not send the
session cookie to both paths, even it they actually point to the same site.
In the past I have been able to share sessions between http and https
when the paths matched otherwise ( ie: http://www.mysite.com/app and
https://www.mysite.com/app) but this might be considered a security bug
that could be "fixed" in a future browser or IIS version (haven't tried it
since IIS4/IE4).
--
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
"Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
news:uo**************@TK2MSFTNGP11.phx.gbl... Ray,
I need further clarification. I have another site where I pass around
various session variable value, like UserID, etc. between SSL and non-SSL pages all the time! The only difference that I can see between the
two sites is the site that works is using the same URL for both SSL and
non-SSL whereas the site that I am having trouble with is using a different
URL for SSL as for the non-SLL pages.
I also commented that some of the Session variables stayed intact.
Now I realize that the ones that were "preserved" were created (recreated!)
in SessionStart in my global.asa. In any case, the other site does
perserve all of my session variables.
Larry Woods
"Ray at <%=sLocation%> [MVP]" <myfirstname at lane34 dot com> wrote in
message news:OT****************@TK2MSFTNGP10.phx.gbl...
> Session variables will not persist between http and https. If you need them
> to, you'll have to create your own "session variable" management system, > such as database stored values. Either that, or put your visitors into > https earlier, if that's an option.
>
> See here: http://www.aspfaq.com/show.asp?id=2157
>
> Ray at work
>
> "Larry Woods" <la***@NOSPAMlwoods.com> wrote in message
> news:%2****************@TK2MSFTNGP12.phx.gbl...
> >I am losing Session variables, but only those that are set in the page > > previous to a redirect to a secure page.
> >
> > Anyone seen ANY situation where Session variables just "disappear?
" > >
> > Note that OTHER session variables are still intact !?!
> >
> > TIA,
> >
> > Larry Woods
> >
> >
>
>
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: ndsoumah |
last post by:
hello guys
I'm trying to get access to variables I put in a session variable from
another page and it fails...
here's the exact situation
main file
page1.php
|
by: Dabbler |
last post by:
I set some strings and integers in Session but when I get to my redirected
page the values are null.
I'm running on localhost Windows XP Pro but using remote SQL 2005 database.
Not doing...
|
by: TCook |
last post by:
I am losing my session variables after a Response.Redirect.
My web.config file contains the following:
<sessionState mode="InProc"
stateConnectionString="tcipip=127.0.0.1:42424"...
|
by: K. A. |
last post by:
I have two servers at work, 'A' for testing and development, and
server 'B' for production.
On server A, I wrote a PHP test code to login users then direct them
to a personalized page. This is...
|
by: manny6677 |
last post by:
Trying a simple test of passing $_SESSION variables between two php pages. I don't see any data on the second page and the session id that is printed out is not the same as the first page session id...
|
by: KidQuin |
last post by:
I am having problems with session value between pages. Happening in both firefox and IE7. I go between page by links so I know it's not header changes.
I use session_start as the first line on the...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: Sonnysonu |
last post by:
This is the data of csv file
1 2 3
1 2 3
1 2 3
1 2 3
2 3
2 3
3
the lengths should be different i have to store the data by column-wise with in the specific length.
suppose the i have to...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
| |
