Session Scope, over domains and secure connections

[Seth]

I have noticed that the id of my session object changes
when I switch from a non-secure to a secure connection.

What I'm trying to do:
I have a cookie that is built on the non-secure side of
things. What I need to do is to switch to a secure
connection and then later on while still in that secure
connection delete the cookie that was created on the non-
secure side. I need to do this because I can not
reference the non-secure cookie from the secure side, but
if the user backs up, I need that non-secure cookie to
still be there. At first I tried saving the Request in
the session object so that later on I could go back and
use that saved request to reference and delete the
cookie. I discovered that the sessionID was changing
when I switched to the Secure connection so this effort
was a dead end.

Also it would be beneficial if I could remove or clear
all items in the session of the non-secure side from the
secure side to do clean up.

From documentation that I have read it seemed that the
session was tied to the instance of the browser, so is it
that when switching to a secure connection a new instance
is created, or is it something else that is going on?
I would like to know what exactly the scope of the
session object is, especially having to do with secure
and non-secure connections, and different domains. I
have not been able to find good indepth documentation on
this subject.

 

[Yan-Hong Huang[MSFT]]

Hello Seth,

Thanks for posting in the group.

Generally speaking, ASP.NET session state does not persist across Web
application boundaries. If a Web application switches to another
application during execution, the session information is not available to
the new application.

When using session state, each active ASP.NET session is identified and
tracked using a 120-bit SessionID string containing only the ASCII
characters that are allowed in URLs. SessionID values are generated using
an algorithm that guarantees uniqueness so that sessions do not collide,
and randomness so that a malicious user cannot use a new SessionID to
calculate the SessionID of an existing session. The SessionID strings are
communicated across client-server requests either by means of an HTTP
cookie or a modified URL with the SessionID string embedded, depending on
how you configure the application settings.

Could you pleaes illustrate more on that non-secure and secure connection?
Do they belong to different web application? If so, the session ID surely
changes since they are different sessions.

In fact, ASP.NET supports various client-side and server-side options for
state management.

Client-side options are:

The ViewState property
Hidden fields
Cookies
Query strings

Server-side options are:

Application state
Session state
Database

Please refer to MSDN link
http://msdn.microsoft.com/library/en-us/vbcon/html/vbconChoosingServerStateO
ption.asp?frame=true for advantages and disadvantages of each method.

Other good references are:

"Building Secure ASP.NET Applications: Authentication, Authorization, and
Secure Communication"
http://msdn.microsoft.com/library/en-us/dnnetsec/html/secnetlpMSDN.asp?frame
=true

"Nine Options for Managing Persistent User State in Your ASP.NET
Application"
http://msdn.microsoft.com/msdnmag/issues/03/04/ASPNETUserState/toc.asp?frame
=true

Hope that helps.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! ¨C www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Seth]

To my understanding I am not switching to a different web
application. What I do is perform a Response.Redirect to
a secure domain, once a user enters the portion of my
shopping cart which requires them to enter data. I do
this by monitoring the current requested page in the
Global.asax.cs Application_BeginRequest function. If the
requested page is within the section that I deem should
be secure I do a Redirect to that page by way of a secure
domain. The only thing that is happening is that I am
switching domains, or the path by which I access the
application files; I am still accessing the exact same
application files, with the same instance of the browser.

Some background on why and what I'm doing. I have
created a shopping cart for an ecommerce site.
Previously the whole shopping cart was running on one
domain, which was all non-secure, everything worked
fine. Once I began Redirecting to the secure domain, I
had to pass the cartID from the non-secure domain to the
secure domain (because to my understanding you cannot
access a cookie that was created on a different domain),
and create another cookie with that cartID in said secure
domain. I don't want to delete the non-secure cookie at
this time because if the user backs out of the cart say
with the browsers back button, I still want their cart to
have Items in it. So I was trying to do is save a
Request from the non-secure domain in the Session object
so that I could use it when the user has completed their
transaction to remove the non-secure cookie. I can not
redirect back to the non-secure domain to do this for
various other reasons. I would also like to remove a few
session variables created in the non-secure domain from
the secure domain after the whole transaction has
occurred.

 

[Yan-Hong Huang[MSFT]]

Hello Seth,

After you call Response.Redirect to the new secure page, you noticed the
session ID is changed, right? Could you please check the value of each
variable stored in session to see whether their value is changed or not?
If they are changed, I think they belongs to different web applications. In
one web application, the session ID won't be changed automatically.

I suggest you look into one good sample at
http://www.asp.net/Default.aspx?tabindex=9&tabid=47. It has an ecommerce
storefront application complete with shopping cart, product catalog, and a
web service to submit orders. I think it could be helpful to you.

Thanks and please post here if you have any more concerns.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! ¨C www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Seth]

All variables that I have set in the session object are
null or dont exsist once I have gone to the secure
domain. I am not changing to a different application
because before I began redirecting to the secure domain,
I was just redirecting to a different page on the same
domain, and all session variables, and the id, were
persisting. The only thing that I have changed is the
redirection url, which is to the same page, in fact the
exact same file and location on the server, via a
different domain. I can change the redirection url back
to the non-secure path and it works just fine, but I need
it to be secure.

 

[Yan-Hong Huang[MSFT]]

Hello Seth,

******All variables that I have set in the session object are null or dont
exsist once I have gone to the secure domain.
Generally speaking, that means that you are in a different web app.

******I am not changing to a different application because before I began
redirecting to the secure domain, I was just redirecting to a different
page on the same domain, and all session variables, and the id, were
persisting.
What is the meaning of same domain here? Could you please post the URL here?

******The only thing that I have changed is the redirection url, which is
to the same page, in fact the exact same file and location on the server,
via a different domain.
Could you please describe more on different domain here? If it is the same
page, what is the meaning of same page in different domain here? Is the URL
changed? Please also post the URL.

Thanks very much and look forward to your response.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! ¨C www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Seth]

Ok I think I see my misunderstanding of the situation. I
am accessing the exact same files, dlls and so on, but
they are indeed different apps according to IIS because
they are two different virtual directories. OK, I see
the light; my problem derives from bureaucracies above
me, having to use two separate apps, not the framework
itself.
Thank you for your responses as they lead to me
understanding what was really going on.

 

[Yan-Hong Huang[MSFT]]

Hi Seth,

I am glad that the question is clear now. It is my pleature to be of
assistance. If you have any more questions, please feel free to post in the
group.

Thanks very much for participating the community.

Best regards,
Yanhong Huang
Microsoft Community Support

Get Secure! ¨C www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.