Sharing Session state over secure / non-secure requests

D

Daniel Malcolm

Hi

I have a site where I would like some pages to be accessed via SSL (login
and payment etc) and others via regular http. However I'm not sure whether
Session state can be maintained between the 2 protocols.

We have SSL set up on the site so that it can be accessed via the same
domain:

http://www.mydomain.com/login.aspx
https://www.mydomain.com/login.aspx

I understand that the change in protocol might cause the session cookie
created when the site is accessed via http to be hidden when the same site
is accessed via https.

I've also tried running cookieless sessions so that the Session identifier
is stored in the URL. However Session state does not appear to be shared
across the different protocols. It looks like a new Session is started when
the site is accessed via https, as any persisted data cannot be retrieved.

Is a site running under SSL treated as a separate Application by ASP.net
with its own Session scope? If so, is there anything that can be done to
resolve this?

The alternative seems to be to craete a transfer page where data that needs
to be passed between 2 sessions is stored in a database and identified via a
guid. The new Session can then be initialised (and the stored data reset to
prevent further requests hijacking another person's Session).

Thanks in advance for any suggestions

Daniel
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,731
Messages
2,569,432
Members
44,832
Latest member
GlennSmall

Latest Threads

Top