ASP session SSL

A

Adil Akram

I have created a site shopping cart in ASP.net.

I am using ASP session object's SessionID on non SSL connection to track
session.
While adding products to cart DB I insert product and SessionID in table.
All products and cart status pages are on non SSL connection.

On checkout to get secure user information I shifted connection to SSL but
when shifting to SSL, the SessionID changed (As is this is default behavior
of IIS to prevent stealing SSL session).

To get rid of this problem I shifted my all products and cart pages to SSL,
now its working fine but I am not satisfied with this solution because it is
not feasible to put all product pages (about 500 pages) to SSL. As I see
while shopping with big companies sites i.e. Microsoft, Amazon etc. they
change to SSL only in checkout page.

How can I build it like that all pages remains in non SSL and only checkout
pages should be on SSL. One solution may be to use custom cookies to track
session but it may have the same problem of session hijacking/ session
stealing.

Any one please explain me what is the best way to create shopping cart with
SSL, the ASP/ASP.net session or setting own cookies.

Please explain in detail or refer some useful links.

regards,
Adil
 
J

Joerg Jooss

Adil said:
I have created a site shopping cart in ASP.net.

I am using ASP session object's SessionID on non SSL connection to
track session.
While adding products to cart DB I insert product and SessionID in
table. All products and cart status pages are on non SSL connection.

On checkout to get secure user information I shifted connection to
SSL but when shifting to SSL, the SessionID changed (As is this is
default behavior of IIS to prevent stealing SSL session).

To get rid of this problem I shifted my all products and cart pages
to SSL, now its working fine but I am not satisfied with this
solution because it is not feasible to put all product pages (about
500 pages) to SSL. As I see while shopping with big companies sites
i.e. Microsoft, Amazon etc. they change to SSL only in checkout page.

How can I build it like that all pages remains in non SSL and only
checkout pages should be on SSL. One solution may be to use custom
cookies to track session but it may have the same problem of session
hijacking/ session stealing.

Any one please explain me what is the best way to create shopping
cart with SSL, the ASP/ASP.net session or setting own cookies.
Click to expand...

In order to avoid awkward session mapping, you'll need to move the shopping
cart contents out of your HttpSessionState. You can store the shopping cart
contents either in a persistent cookie or in a database. Both approaches
allow your users to keep their shopping cart contents across sessions
similar to Amazon.

Cheers,
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

ASP Session, Cookies and SSL 1
Shopping cart, session on SSL 1
ASP Session 4
ASP Session in SSL 0
Session in SSL 1
ssl secret key available to asp.net page? 0
Mixing HTTP and HTTPS? 0
SSL Termination and ASP.NET 2.0 0

Members online

No members online now.
Total: 32 (members: 0, guests: 32)
Robots: 446

Forum statistics

Threads
473,770
Messages
2,569,583
Members
45,073
Latest member
DarinCeden

Latest Threads

Top