ASP Session


Adil Akram

I've developed a shopping cart app in ASP. To secure transactions by SSL,
I've put only the checkout page in SSL, but all other pages, i.e. product, cart
etc., remain on a non-SSL connection. How can I track the user session from non-SSL
to the SSL checkout page, as the SessionID changes when shifting to SSL (to
prevent session stealing/hijacking)? I'm tracking the user session by putting the
SessionID in the cart DB with products. Given below is a preview of the cart table:

Cart table

ID SessionID Product Quantity
==================================
1 1234564 product1 5
2 1234564 item2 3
3 1234564 product3 1
4 4234564 product1 1


If I use any custom cookies, hidden form value (whether plain or encrypted),
it can be hacked by sniffing and changing cookie or hidden value and mapping
it to any other ordering session etc.

Please explain in detail with example, what's the best way to implement SSL
in shopping cart application.

regards,
Adil
 

Ray Costanzo [MVP]

Well, the only way would be to use a cookie, but you've already ruled out
that. So, the way I see it is that you'll have to do everything in SSL,
from shopping to checkout. Is there any particular reason that you're not
already doing that?

Ray at home
 

Adil Akram

Hello Ray,

I don't want to put everything in SSL, as most of the big vendors online
put only the checkout page in SSL; for example, I checked the shopping carts of
Microsoft, Amazon, Sony etc. I don't know exactly whether using a cookie is
safe or not.
Please suggest whatever best method you know to do this.
Please explain the procedure in detail. I don't need the technical
implementation details, but the flow and session tracking details.

regards,
Adil
 

Patrice

My first thought would be to pass a randomly generated value on the
querystring that allows the non SSL session to retrieve values for the
SSL session...

You'll basically have a scheme such as:
- create a random key
- save the state
- pass the key to the other session
- the other session can then restore the state

Patrice
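
Patrice's four steps as an added example, not code from the thread, written in Python because the thread gives only the flow and no implementation. The class name, the in-memory dict standing in for a DB table and the 120-second lifetime are assumptions; the SessionID values are the ones from the cart table above.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 120  # assumed lifetime; the thread does not specify one


class CartHandoff:
    """In-memory stand-in for a handoff table kept next to the cart table."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # sha256(key) -> (cart SessionID, expiry time)

    @staticmethod
    def _digest(key):
        return hashlib.sha256(key.encode("ascii")).hexdigest()

    def issue(self, cart_session_id):
        """Non-SSL side: create a random key, save the state, return the key."""
        key = secrets.token_urlsafe(32)  # CSPRNG output, not a guessable counter
        expiry = self._clock() + TOKEN_TTL_SECONDS
        self._rows[self._digest(key)] = (cart_session_id, expiry)
        return key  # goes on the querystring of the redirect to checkout

    def redeem(self, key):
        """SSL side: restore the state. Works once, and only before expiry."""
        try:
            digest = self._digest(key)
        except (UnicodeEncodeError, AttributeError):
            return None  # malformed input can never match a stored key
        row = self._rows.pop(digest, None)  # pop makes the key single-use
        if row is None or self._clock() > row[1]:
            return None
        return row[0]


def demo():
    """Constructed walk-through with a fake clock: redeem, replay, expiry."""
    now = [1000.0]
    store = CartHandoff(clock=lambda: now[0])
    key = store.issue("1234564")
    first, replay = store.redeem(key), store.redeem(key)
    stale = store.issue("4234564")
    now[0] += TOKEN_TTL_SECONDS + 1
    return first, replay, store.redeem(stale)


if __name__ == "__main__":
    print(demo())
```

Because the key travels in the URL from the non-SSL side, single use and a short expiry are what limit the value of a sniffed copy.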
 

Ray Costanzo [MVP]

What Patrice said makes sense to me!

Ray at work
Adil Akram said:
Hello Ray,

I don't want to put everything in SSL, as most of the big vendors online
put only the checkout page in SSL; for example, I checked the shopping carts of
Microsoft, Amazon, Sony etc. I don't know exactly whether using a cookie is
safe or not.
Please suggest whatever best method you know to do this.
Please explain the procedure in detail. I don't need the technical
implementation details, but the flow and session tracking details.

regards,
Adil
 
