Bytes | Software Development & Data Engineering Community

Session Scope, over domains and secure connections

I have noticed that the id of my session object changes
when I switch from a non-secure to a secure connection.

What I'm trying to do:
I have a cookie that is built on the non-secure side of
things. What I need to do is to switch to a secure
connection and then later on while still in that secure
connection delete the cookie that was created on the non-
secure side. I need to do this because I can not
reference the non-secure cookie from the secure side, but
if the user backs up, I need that non-secure cookie to
still be there. At first I tried saving the Request in
the session object so that later on I could go back and
use that saved request to reference and delete the
cookie. I discovered that the sessionID was changing
when I switched to the Secure connection so this effort
was a dead end.

Also it would be beneficial if I could remove or clear
all items in the session of the non-secure side from the
secure side to do clean up.

From documentation that I have read it seemed that the
session was tied to the instance of the browser, so is it
that when switching to a secure connection a new instance
is created, or is it something else that is going on?
I would like to know what exactly the scope of the
session object is, especially having to do with secure
and non-secure connections, and different domains. I
have not been able to find good in-depth documentation on
this subject.

Nov 18 '05 #1
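The behaviour described in this post comes from the browser's cookie rules rather than from the session store. The following is an added example, not code from the thread or from ASP.NET: a Python model of the RFC 6265 rules a browser applies when it stores and sends cookies. A Set-Cookie with no Domain attribute (which is what ASP.NET emits by default, for a plain HttpCookie and for its own session cookie) is host-only, so a cookie stored for www.shop.example is never sent to secure.shop.example, and a "delete" issued from the secure host only touches a slot under the secure host. The host names, cookie names and values are constructed for the illustration.

```python
# Added example (not code from the thread or from ASP.NET): a model of the
# RFC 6265 rules a browser applies when it stores and sends cookies. Host
# names, cookie names and values below are constructed for the illustration.
import time
from dataclasses import dataclass
from typing import Optional

@dataclass
class Cookie:
    name: str
    value: str
    domain: str                      # lower-case, no leading dot
    host_only: bool                  # True when Set-Cookie carried no Domain attribute
    path: str = "/"
    secure: bool = False             # only sent over HTTPS
    expires: Optional[float] = None  # epoch seconds; None = session cookie

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the domain or is a subdomain of it."""
    request_host, cookie_domain = request_host.lower(), cookie_domain.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)

def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: equal, or a prefix that ends at a '/' boundary."""
    return request_path == cookie_path or (request_path.startswith(cookie_path) and
        (cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"))

class CookieJar:
    """Stores cookies the way a browser does: one slot per (name, domain, path)."""

    def __init__(self, now=time.time):
        self._now = now
        self._cookies: dict = {}

    def set_cookie(self, origin_host: str, origin_secure: bool, name: str, value: str, *,
                   domain: Optional[str] = None, path: str = "/", secure: bool = False,
                   max_age: Optional[int] = None) -> bool:
        """Apply a Set-Cookie received from origin_host; False if a browser would discard it."""
        origin_host = origin_host.lower()
        if secure and not origin_secure:
            return False               # current browsers refuse a Secure cookie set over plain HTTP
        if domain is None:
            cookie_domain, host_only = origin_host, True
        else:
            cookie_domain, host_only = domain.lower().lstrip("."), False
            if not domain_matches(origin_host, cookie_domain):
                return False           # an origin cannot set cookies for a domain it is not under
            # (real browsers also reject public suffixes such as "com"; omitted here)
        key = (name, cookie_domain, path)
        if max_age is not None and max_age <= 0:
            # Deleting = sending an already-expired cookie with the SAME name, domain and path.
            # A host-only cookie stored under another host is a different key and is untouched.
            self._cookies.pop(key, None)
            return True
        expires = None if max_age is None else self._now() + max_age
        self._cookies[key] = Cookie(name, value, cookie_domain, host_only, path, secure, expires)
        return True

    def cookies_for(self, host: str, path: str = "/", secure: bool = False) -> list:
        """The cookies a browser would attach to a request for host/path over HTTP(S)."""
        host = host.lower()
        out = []
        for c in self._cookies.values():
            if c.expires is not None and c.expires <= self._now():
                continue
            if c.host_only and host != c.domain:
                continue
            if not c.host_only and not domain_matches(host, c.domain):
                continue
            if not path_matches(path, c.path) or (c.secure and not secure):
                continue
            out.append(c)
        return sorted(out, key=lambda c: -len(c.path))  # longer path first; ties keep creation order

def sent(jar: CookieJar, host: str, secure: bool) -> list:
    return [(c.name, c.value) for c in jar.cookies_for(host, "/", secure)]

def walkthrough() -> dict:
    """Replays the thread's scenario and records what each host can see."""
    jar, r = CookieJar(), {}
    # 1. Non-secure side sets the cart cookie with no Domain attribute: host-only on www.
    jar.set_cookie("www.shop.example", False, "cartID", "c1")
    r["www_http"] = sent(jar, "www.shop.example", False)
    r["secure_https"] = sent(jar, "secure.shop.example", True)          # empty: different host
    # 2. The secure side "deletes" it: that only touches a slot under secure.shop.example.
    jar.set_cookie("secure.shop.example", True, "cartID", "", max_age=0)
    r["www_http_after_delete"] = sent(jar, "www.shop.example", False)   # c1 survives
    # 3. A cookie both hosts can see: Domain=shop.example, Secure, set from the HTTPS side.
    jar.set_cookie("secure.shop.example", True, "cartID", "c2", domain="shop.example", secure=True)
    r["secure_https_shared"] = sent(jar, "secure.shop.example", True)
    r["www_http_shared"] = sent(jar, "www.shop.example", False)         # c2 withheld over HTTP
    r["www_https_shared"] = sent(jar, "www.shop.example", True)         # c1 and c2
    # 4. Either HTTPS host can delete the shared cookie by repeating its Domain and Path.
    jar.set_cookie("www.shop.example", True, "cartID", "", domain="shop.example", max_age=0)
    r["secure_https_after_shared_delete"] = sent(jar, "secure.shop.example", True)
    r["foreign_domain_rejected"] = not jar.set_cookie("www.shop.example", False, "x", "1", domain="other.example")
    r["secure_over_http_rejected"] = not jar.set_cookie("www.shop.example", False, "s", "1", secure=True)
    return r
```

In ASP.NET the Domain and Secure attributes are the HttpCookie.Domain and HttpCookie.Secure properties. A cookie carrying Domain=shop.example is sent to every host under shop.example, so it is only appropriate where all of those hosts are yours. The same host-only rule applies to the session cookie ASP.NET issues, which by default has no Domain attribute, so the two host names would each get their own session cookie even if they pointed at one application.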
Hello Seth,

Thanks for posting in the group.

Generally speaking, ASP.NET session state does not persist across Web
application boundaries. If a Web application switches to another
application during execution, the session information is not available to
the new application.

When using session state, each active ASP.NET session is identified and
tracked using a 120-bit SessionID string containing only the ASCII
characters that are allowed in URLs. SessionID values are generated using
an algorithm that guarantees uniqueness so that sessions do not collide,
and randomness so that a malicious user cannot use a new SessionID to
calculate the SessionID of an existing session. The SessionID strings are
communicated across client-server requests either by means of an HTTP
cookie or a modified URL with the SessionID string embedded, depending on
how you configure the application settings.

Could you please illustrate more on that non-secure and secure connection?
Do they belong to different web application? If so, the session ID surely
changes since they are different sessions.

In fact, ASP.NET supports various client-side and server-side options for
state management.

Client-side options are:

The ViewState property
Hidden fields
Cookies
Query strings

Server-side options are:

Application state
Session state
Database

Please refer to MSDN link
http://msdn.microsoft.com/library/en-us/vbcon/html/vbconChoosingServerStateOption.asp?frame=true
for advantages and disadvantages of each method.

Other good references are:

"Building Secure ASP.NET Applications: Authentication, Authorization, and
Secure Communication"
http://msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame=true

"Nine Options for Managing Persistent User State in Your ASP.NET
Application"
http://msdn.microsoft.com/msdnmag/is.../04/ASPNETUserState/toc.asp?frame=true

Hope that helps.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

Nov 18 '05 #2
To my understanding I am not switching to a different web
application. What I do is perform a Response.Redirect to
a secure domain, once a user enters the portion of my
shopping cart which requires them to enter data. I do
this by monitoring the current requested page in the
Global.asax.cs Application_BeginRequest function. If the
requested page is within the section that I deem should
be secure I do a Redirect to that page by way of a secure
domain. The only thing that is happening is that I am
switching domains, or the path by which I access the
application files; I am still accessing the exact same
application files, with the same instance of the browser.

Some background on why and what I'm doing. I have
created a shopping cart for an ecommerce site.
Previously the whole shopping cart was running on one
domain, which was all non-secure, everything worked
fine. Once I began Redirecting to the secure domain, I
had to pass the cartID from the non-secure domain to the
secure domain (because to my understanding you cannot
access a cookie that was created on a different domain),
and create another cookie with that cartID in said secure
domain. I don't want to delete the non-secure cookie at
this time because if the user backs out of the cart say
with the browsers back button, I still want their cart to
have items in it. So what I was trying to do was save a
Request from the non-secure domain in the Session object
so that I could use it when the user has completed their
transaction to remove the non-secure cookie. I can not
redirect back to the non-secure domain to do this for
various other reasons. I would also like to remove a few
session variables created in the non-secure domain from
the secure domain after the whole transaction has
occurred.

Nov 18 '05 #3
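Once the two host names turn out to be two separate IIS applications (see the end of the thread), nothing server-side is shared between them, so the cartID that is passed from the non-secure host to the secure host is a bearer credential travelling through the browser. The following is an added example, not the thread's code: a Python hand-off token that the non-secure side mints and the secure side redeems before binding the cart to its own session. The shared key, the HANDOFF_TTL_SECONDS value and the host names are assumptions. One caveat applies regardless: the redirect that carries the token is issued from a plain-HTTP page, so a network attacker can read it in transit; the expiry and the single-use check narrow that window but do not remove it, and the secure side should still set its own cart cookie with the Secure attribute.

```python
# Added example (not the thread's code): a signed, short-lived, single-use
# hand-off token carrying the cart id from the non-secure host to the secure
# host. Both applications must hold the same key (from protected configuration,
# never the browser); key, TTL and host names below are assumptions.
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

HANDOFF_TTL_SECONDS = 60   # one redirect's worth of time, to limit replay


def new_cart_id() -> str:
    """Unguessable cart identifier: 128 bits from the OS CSPRNG, URL-safe."""
    return secrets.token_urlsafe(16)


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class HandoffIssuer:
    """Non-secure host: names the cart, the target host and an expiry, and
    authenticates all of it with HMAC-SHA256 under the shared key."""

    def __init__(self, key: bytes, target_host: str, now=time.time):
        self._key, self._target, self._now = key, target_host, now

    def issue(self, cart_id: str) -> str:
        claims = {"cart": cart_id, "aud": self._target,
                  "exp": int(self._now()) + HANDOFF_TTL_SECONDS,
                  "jti": secrets.token_hex(8)}        # nonce: each token redeems once
        body = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return _b64e(body) + "." + _b64e(tag)


class HandoffRedeemer:
    """Secure host: verifies MAC, audience, expiry and nonce before the cart id
    is allowed into this application's own session."""

    def __init__(self, key: bytes, my_host: str, now=time.time):
        self._key, self._host, self._now = key, my_host, now
        self._seen: dict = {}                     # jti -> exp; a shared store in production

    def redeem(self, token: str):
        """Cart id for a valid token; None (never an exception) otherwise."""
        try:
            body_b64, tag_b64 = token.split(".")
            body, tag = _b64d(body_b64), _b64d(tag_b64)
        except (ValueError, binascii.Error):
            return None
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):    # constant-time, before any parsing
            return None
        claims = json.loads(body)
        now = int(self._now())
        if claims.get("aud") != self._host or claims.get("exp", 0) <= now:
            return None
        self._seen = {j: e for j, e in self._seen.items() if e > now}   # drop expired nonces
        if claims.get("jti") in self._seen:
            return None                               # replay
        self._seen[claims["jti"]] = claims["exp"]
        return claims.get("cart")


def walkthrough() -> dict:
    """Exercises the happy path and each rejection; every value should be True."""
    key, clock = secrets.token_bytes(32), [1_700_000_000]

    def now():                                        # controllable clock for the demo
        return clock[0]

    issuer = HandoffIssuer(key, "secure.shop.example", now)
    redeemer = HandoffRedeemer(key, "secure.shop.example", now)
    cart, r = new_cart_id(), {}
    token = issuer.issue(cart)
    r["first_use_ok"] = redeemer.redeem(token) == cart
    r["replay_rejected"] = redeemer.redeem(token) is None
    tampered = token[:-3] + ("BBB" if token.endswith("AAA") else "AAA")
    r["tamper_rejected"] = redeemer.redeem(tampered) is None
    r["wrong_key_rejected"] = HandoffRedeemer(b"x" * 32, "secure.shop.example", now).redeem(issuer.issue(cart)) is None
    r["wrong_host_rejected"] = HandoffRedeemer(key, "evil.example", now).redeem(issuer.issue(cart)) is None
    late = issuer.issue(cart)
    clock[0] += HANDOFF_TTL_SECONDS + 1
    r["expired_rejected"] = redeemer.redeem(late) is None
    r["garbage_rejected"] = redeemer.redeem("not.a.token") is None and redeemer.redeem("") is None
    return r
```

The token names the audience host so a copy captured for one secure host cannot be presented to another application sharing the key, and the nonce store is pruned on each redeem so it stays bounded by the TTL. On the secure side, the redeemed cart id is what goes into that application's own session and cookie; the token itself is never stored.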
Hello Seth,

After you call Response.Redirect to the new secure page, you noticed the
session ID is changed, right? Could you please check the value of each
variable stored in session to see whether their value is changed or not?
If they are changed, I think they belong to different web applications. In
one web application, the session ID won't be changed automatically.

I suggest you look into one good sample at
http://www.asp.net/Default.aspx?tabindex=9&tabid=47. It has an ecommerce
storefront application complete with shopping cart, product catalog, and a
web service to submit orders. I think it could be helpful to you.

Thanks and please post here if you have any more concerns.

Best regards,
Yanhong Huang
Microsoft Community Support


Nov 18 '05 #4
All variables that I have set in the session object are
null or don't exist once I have gone to the secure
domain. I am not changing to a different application
because before I began redirecting to the secure domain,
I was just redirecting to a different page on the same
domain, and all session variables, and the id, were
persisting. The only thing that I have changed is the
redirection url, which is to the same page, in fact the
exact same file and location on the server, via a
different domain. I can change the redirection url back
to the non-secure path and it works just fine, but I need
it to be secure.

Nov 18 '05 #5
Hello Seth,

******All variables that I have set in the session object are null or don't
exist once I have gone to the secure domain.
Generally speaking, that means that you are in a different web app.

******I am not changing to a different application because before I began
redirecting to the secure domain, I was just redirecting to a different
page on the same domain, and all session variables, and the id, were
persisting.
What is the meaning of same domain here? Could you please post the URL here?

******The only thing that I have changed is the redirection url, which is
to the same page, in fact the exact same file and location on the server,
via a different domain.
Could you please describe more on different domain here? If it is the same
page, what is the meaning of same page in different domain here? Is the URL
changed? Please also post the URL.

Thanks very much and look forward to your response.

Best regards,
Yanhong Huang
Microsoft Community Support


Nov 18 '05 #6
Ok I think I see my misunderstanding of the situation. I
am accessing the exact same files, dlls and so on, but
they are indeed different apps according to IIS because
they are two different virtual directories. OK, I see
the light; my problem derives from bureaucracies above
me, having to use two separate apps, not the framework
itself.
Thank you for your responses, as they led to my
understanding of what was really going on.


Nov 18 '05 #7
Hi Seth,

I am glad that the question is clear now. :) It is my pleasure to be of
assistance. If you have any more questions, please feel free to post in the
group.

Thanks very much for participating in the community.

Best regards,
Yanhong Huang
Microsoft Community Support


Nov 18 '05 #8
