By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
431,795 Members | 1,250 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 431,795 IT Pros & Developers. It's quick & easy.

Sharing Session state over secure / non-secure requests

P: n/a
Hi

I have a site where I would like some pages to be accessed via SSL (login
and payment etc) and others via regular http. However I'm not sure whether
Session state can be maintained between the 2 protocols.

We have SSL set up on the site so that it can be accessed via the same
domain:

http://www.mydomain.com/login.aspx
https://www.mydomain.com/login.aspx

I understand that the change in protocol might cause the session cookie
created when the site is accessed via http to be hidden when the same site
is accessed via https.

I've also tried running cookieless sessions so that the Session identifier
is stored in the URL. However Session state does not appear to be shared
across the different protocols. It looks like a new Session is started when
the site is accessed via https, as any persisted data cannot be retrieved.

Is a site running under SSL treated as a separate Application by ASP.net
with its own Session scope? If so, is there anything that can be done to
resolve this?

The alternative seems to be to craete a transfer page where data that needs
to be passed between 2 sessions is stored in a database and identified via a
guid. The new Session can then be initialised (and the stored data reset to
prevent further requests hijacking another person's Session).

Thanks in advance for any suggestions

Daniel
Nov 19 '05 #1
Share this question for a faster answer!
Share on Google+

This discussion thread is closed

Replies have been disabled for this discussion.