ASP Session

Discussion in 'ASP General' started by Adil Akram, Sep 28, 2004.

  1. Adil Akram

    Adil Akram Guest

    I've developed a shopping cart app in ASP. To secure transactions by SSL,
    I've put only the checkout page in SSL, but all other pages, i.e. product,
    cart etc., remain on a non-SSL connection. How can I track the user session
    from non-SSL to the SSL checkout page, as the SessionID changes when shifting
    to SSL (to prevent session stealing/hijacking)? I'm tracking the user session
    by putting the SessionID in the cart DB with products. Given below is a
    preview of the cart table.

    Cart table

    ID  SessionID  Product   Quantity
    ==================================
    1   1234564    product1  5
    2   1234564    item2     3
    3   1234564    product3  1
    4   4234564    product1  1


    If I use any custom cookies, hidden form value (whether plain or encrypted),
    it can be hacked by sniffing and changing cookie or hidden value and mapping
    it to any other ordering session etc.

    Please explain in detail with example, what's the best way to implement SSL
    in shopping cart application.

    regards,
    Adil
     
    Adil Akram, Sep 28, 2004
    #1

  2. Well, the only way would be to use a cookie, but you've already ruled out
    that. So, the way I see it is that you'll have to do everything in SSL,
    from shopping to checkout. Is there any particular reason that you're not
    already doing that?

    Ray at home
     
    Ray Costanzo [MVP], Sep 28, 2004
    #2

  3. Adil Akram

    Adil Akram Guest

    Hello Ray,

    I don't want to put everything in SSL, as most of the big vendors online
    put only the checkout page in SSL; for example, I checked the shopping carts
    of Microsoft, Amazon, Sony etc. I don't know exactly whether using a cookie
    is safe or not.
    Please suggest whatever best method you know to do this.
    Please explain the procedure in detail. I don't need the technical
    implementation detail, but flow and session tracking details.

    regards,
    Adil
     
    Adil Akram, Sep 28, 2004
    #3
  4. Adil Akram

    Patrice Guest

    My first thought would be to pass a randomly generated value on the
    querystring that allows the non-SSL session to retrieve values for the
    SSL session...

    You'll basically have a scheme such as:
    - create a random key
    - save the state
    - pass the key to the other session
    - the other session can then restore the state

    Patrice
     
    Patrice, Sep 28, 2004
    #4
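
The key-passing scheme outlined in post #4, as an added example that is not part of the original thread: a Python sketch (not ASP) in which the key is random, single-use and short-lived, and the cart rows are rebound to the new SSL session when the key is redeemed. The function names, the in-memory `handoffs` store and the 60-second lifetime are assumptions; the cart rows are constructed from the table in the question.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 60  # assumed lifetime of a handoff key

# Constructed sample data mirroring the cart table in the question.
cart = [
    {"id": 1, "session_id": "1234564", "product": "product1", "qty": 5},
    {"id": 2, "session_id": "1234564", "product": "item2", "qty": 3},
    {"id": 3, "session_id": "1234564", "product": "product3", "qty": 1},
    {"id": 4, "session_id": "4234564", "product": "product1", "qty": 1},
]
handoffs = {}  # sha256(key) -> (http_session_id, expiry); stands in for a DB table


def _digest(key):
    # Only a hash of the key is stored, so a leaked table cannot be replayed.
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def issue_handoff(http_session_id, now=None):
    """Non-SSL side: create a random key and save which cart it refers to."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    handoffs[_digest(key)] = (http_session_id, now + TTL_SECONDS)
    return key  # goes on the querystring of the redirect to the SSL page


def redeem_handoff(key, ssl_session_id, now=None):
    """SSL side: restore the cart once, then rebind it to the SSL session."""
    now = time.time() if now is None else now
    record = handoffs.pop(_digest(key), None)  # pop makes the key single-use
    if record is None:
        return None  # unknown key, or one that was already redeemed
    http_session_id, expiry = record
    if now > expiry:
        return None  # key expired before it was presented
    rows = [r for r in cart if r["session_id"] == http_session_id]
    for r in rows:
        r["session_id"] = ssl_session_id  # old non-SSL ID no longer owns the cart
    return rows
```

The key travels on the plain-HTTP redirect before it reaches the SSL page, so single use and a short expiry narrow the window for a sniffed key but do not close it.
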
  5. What Patrice said makes sense to me!

    Ray at work
     
    Ray Costanzo [MVP], Sep 28, 2004
    #5