Sessions & SSL

  • Thread starter John Hamilton via .NET 247

John Hamilton via .NET 247

Hello. Here's my problem. I have an e-commerce site with a login & checkout pages needing to be secure. To enforce these pages to be SSL I simply put in the page load:

If Not Request.IsSecureConnection Then
Response.Redirect(Request.URL.AbsoluteUri.Replace("http:","https:"))
End If

Now this works fine as long as cookieless is false. I'm fine with that. The only problem is IE gives a popup warning that the certificate name doesn't match the site. This is because the original page server_host is set up as www.abcdef.com, and the common name on the SSL certificate is only abcdef.com (no www).

Now if I change my redirect code to this:

If Not Request.IsSecureConnection Then
Response.Redirect(Request.URL.AbsoluteUri.Replace("http://" & Request.ServerVariables("HTTP_HOST"), "https://abcdef.com"))
End If

A new session is created because the server_host is different, and all information from the previous http session is unavailable in the new https session. I could force all pages to use the common name as the host, but this is not ideal. Eventually I'd like to use a shared SSL server (on the same machine). Is there any way around this without serializing all my objects and storing them in cookies?

Thanks!
 

Paul Glavich [MVP - ASP.NET]

SSL works by using host affinity and there is not much way around this
without perhaps having one site as a "subsite" of the other. So one would be
the main site, and the other might be a virtual directory that exists
beneath the main site, thus enabling the subsite to utilise the same
certificate.


HTH,
--
- Paul Glavich
Microsoft MVP - ASP.NET
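
Why the second redirect in the question loses the session, as an added example that is not part of the original thread: a small model of the browser's cookie rules (RFC 6265), assuming the session cookie is ASP.NET's default `ASP.NET_SessionId` issued without a Domain attribute. The page names `cart.aspx` and `checkout.aspx` and the `Domain=abcdef.com` variant are hypothetical.

```python
# Added illustration: browser cookie scoping (RFC 6265); page names are constructed.
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    domain: str       # host that set it, or the Domain attribute value
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    secure: bool      # True when Set-Cookie carried the Secure attribute

def domain_match(host, domain):
    """RFC 6265 5.1.3: identical, or host is a subdomain of domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)

def store(jar, url, name, domain_attr=None, secure=False):
    """Accept a cookie from a response to `url`, as a browser would."""
    host = urlsplit(url).hostname
    if domain_attr is None:
        jar.append(Cookie(name, host, True, secure))
    elif domain_match(host, domain_attr.lstrip(".")):
        jar.append(Cookie(name, domain_attr.lstrip("."), False, secure))
    # else: a Domain the responding host does not belong to is ignored

def cookies_for(jar, url):
    """Names of the cookies attached to a request for `url`."""
    parts = urlsplit(url)
    sent = []
    for c in jar:
        host_ok = (parts.hostname == c.domain if c.host_only
                   else domain_match(parts.hostname, c.domain))
        if host_ok and (parts.scheme == "https" or not c.secure):
            sent.append(c.name)
    return sent

def demo():
    sid = "ASP.NET_SessionId"   # default ASP.NET session cookie name
    jar = []                    # cookie issued on the first HTTP hit, no Domain
    store(jar, "http://www.abcdef.com/cart.aspx", sid)
    same_host = cookies_for(jar, "https://www.abcdef.com/checkout.aspx")
    bare_host = cookies_for(jar, "https://abcdef.com/checkout.aspx")
    wide = []                   # hypothetical: same cookie with Domain=abcdef.com
    store(wide, "http://www.abcdef.com/cart.aspx", sid, domain_attr="abcdef.com")
    widened = cookies_for(wide, "https://abcdef.com/checkout.aspx")
    return same_host, bare_host, widened

if __name__ == "__main__":
    print(demo())
```

A cookie without `Secure` is also sent on the plain-HTTP pages, so a session id shared between the HTTP and HTTPS parts of the site travels in cleartext there.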


