D
Daniel Malcolm
Hi
I have a site where I would like some pages to be accessed via SSL (login
and payment etc) and others via regular http. However I'm not sure whether
Session state can be maintained between the 2 protocols.
We have SSL set up on the site so that it can be accessed via the same
domain:
http://www.mydomain.com/login.aspx
https://www.mydomain.com/login.aspx
I understand that the change in protocol might cause the session cookie
created when the site is accessed via http to be hidden when the same site
is accessed via https.
I've also tried running cookieless sessions so that the Session identifier
is stored in the URL. However Session state does not appear to be shared
across the different protocols. It looks like a new Session is started when
the site is accessed via https, as any persisted data cannot be retrieved.
Is a site running under SSL treated as a separate Application by ASP.net
with its own Session scope? If so, is there anything that can be done to
resolve this?
The alternative seems to be to craete a transfer page where data that needs
to be passed between 2 sessions is stored in a database and identified via a
guid. The new Session can then be initialised (and the stored data reset to
prevent further requests hijacking another person's Session).
Thanks in advance for any suggestions
Daniel
I have a site where I would like some pages to be accessed via SSL (login
and payment etc) and others via regular http. However I'm not sure whether
Session state can be maintained between the 2 protocols.
We have SSL set up on the site so that it can be accessed via the same
domain:
http://www.mydomain.com/login.aspx
https://www.mydomain.com/login.aspx
I understand that the change in protocol might cause the session cookie
created when the site is accessed via http to be hidden when the same site
is accessed via https.
I've also tried running cookieless sessions so that the Session identifier
is stored in the URL. However Session state does not appear to be shared
across the different protocols. It looks like a new Session is started when
the site is accessed via https, as any persisted data cannot be retrieved.
Is a site running under SSL treated as a separate Application by ASP.net
with its own Session scope? If so, is there anything that can be done to
resolve this?
The alternative seems to be to craete a transfer page where data that needs
to be passed between 2 sessions is stored in a database and identified via a
guid. The new Session can then be initialised (and the stored data reset to
prevent further requests hijacking another person's Session).
Thanks in advance for any suggestions
Daniel