Solved

Keeping session variables upon leaving SSL-enabled page

Posted on 2001-07-24
11
292 Views
Last Modified: 2012-08-13
Will session variables be destroyed when navigating pages that are composed of SSL-enabled pages and unsecured html pages?
Question by: kenchan2000
 
LVL 2

Expert Comment

by:DirkVe
ID: 6312154
I don't think so. But 'theoretically' it's impossible to access session variables that belong to another site. But you know how secure MS tools are (ever heard of an MS bug; sorry, I'm quite sarcastic here).

It's always best to close your browser before you go to unsecure pages. When you open a new browser (and I mean closing ALL browser windows and restarting your IE or other browser by clicking on the icon) then all session variables are CERTAINLY gone.
0
 
LVL 20

Accepted Solution

by:
Silvers5 earned 10 total points
ID: 6312403
between pages in the same site no.. between other sites yes
0
 
LVL 2

Expert Comment

by:DirkVe
ID: 6312431
Session variables will not be destroyed if you navigate. Only when you close your browser.

You can test it yourself if you have a mail account at hotmail or any other mail site that has SSL. When you're logged in at hotmail and go to other sites, and return after a while to hotmail, you'll see that you don't have to log in again. Of course, if you didn't visit hotmail for some time, then they are gone since your session will expire. You can also write some cleanup code in the global.asa in your Session_OnEnd. But better test if this works correctly to be sure.
0
 
LVL 9

Expert Comment

by:TTom
ID: 6312750
Session variables are stored on the web server. They will remain in existence until the session is either abandoned (Session.Abandon) or until it times out. However, in order to access those variables once the user has left the page, the Session ID would need to be recovered. If the browser has not been closed, the session cookie which identifies that user will remain in memory, and navigating back to the site should reestablish the session.

Another user (another browser session?) would have to "spoof" the previous session in order to recover the existing session variables. Probably not impossible.

Tom
0
 
LVL 2

Expert Comment

by:DirkVe
ID: 6312855
100% right Tom.

The session variables are stored on the server and will be matched with the session ID that is in a temporary cookie on the client (browser). A second browser means another session ID also.

It was good to say "probably not possible" when you talked about 'spoofing' the session ID. BUT, there have been some bugs in earlier versions where it was possible to 'capture' a certain session ID. In the newest versions of IIS it "shouldn't" be possible.

So, the most important thing is that a session variable is in fact a temporary cookie on your machine. Maybe it's worth reading something about cookies, so have a look at
www.cookiecentral.com
0
 
LVL 2

Expert Comment

by:DirkVe
ID: 6320926
Why do you ask questions and then rate the person who gives a wrong answer? If you don't like to receive a correct answer, then don't use Experts Exchange, please.

I guess you just didn't test it.
0
 
LVL 20

Expert Comment

by:Silvers5
ID: 6358534
DirkVe, if you read my comment carefully you'll see that my comment is not wrong.. Sessions are not destroyed between SSL / unencrypted browsing in the same application.. that means if the user navigates to an SSL page in the same application and a session variable is created there, then it will be viewed in other pages without SSL in the same application, since the session variables have the scope of the whole application.. if the SSL is made to another application (not under the main application) and a session variable is created there, then it will have the scope of that application, thus it won't be viewed in the main site.. this was the point..

Hope you won't fire arrows before thinking next time
rgrds
0
 
LVL 2

Expert Comment

by:DirkVe
ID: 6358878
I've read your comment ("between pages in the same site no.. between other sites yes") carefully and I also did with the last one.

But still, I have another opinion, probably because we think in a different context. As you say in your last comment, a session variable can not be seen if you go to another application because it's out of scope. But, when you browse back to the secure site, you'll still have those session variables. And since you're back in scope now, you'll see them also. So, that's why I say that session variables are NOT destroyed, even NOT when you browse to other sites. Not visible is not the same as destroyed.

In the context of the question, I think that kenchan2000 wants to know if it is secure to browse from SSL to a non-protected site. Since session variables are not destroyed it can be possible to capture these (this was also a known bug from MS which is fixed now).

So, what's your answer to my point of view?

PS: This comment is not meant to chase points or to attack you personally. It's just to ask your opinion and to learn from it in case I'm wrong. That's why I use EE: to help and to learn from others.

Cheers
0
 
LVL 20

Expert Comment

by:Silvers5
ID: 6358948
I see the context of his question differently.. he wants to see if he creates session variables in an SSL area in his site, can he use them in the unsecure area? Like when you log in.. you pass your credentials (username, password) using SSL.. in that area, if the login is successful, a session variable is populated; can he use it in non-SSL pages also? ...
It's not a security issue since session variables are stored on the server, so there is no way for someone to fetch them..

> "..But, when you browse back to the secure site, you'll still have those session variables. And since you're back in scope now, you'll see them also. So, that's why I say that session variables are NOT destroyed, even NOT when you browse to other sites. Not visible is not the same as destroyed...."

Here I see you are out of scope.. You are correct, but this is not directly related to the question..
0
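An added illustration of the model the answers above describe (session data held on the server, matched to a session-ID cookie whose scope is the application): this is constructed example code, not code from the thread or from IIS, and the `AspApplication` class, the cookie name and the user name are assumptions. It also shows the Secure cookie attribute, which the thread does not mention: with it set, the browser withholds the cookie on plain-http pages, so the session is neither exposed on the wire there nor usable there.

```python
import secrets
from dataclasses import dataclass

@dataclass
class Cookie:
    name: str
    value: str
    path: str = "/"        # application scope: only sent to this path and below
    secure: bool = False   # Secure attribute: browser sends it over https only

def path_matches(cookie_path, request_path):
    """RFC 6265 path-match: request path equals the cookie path or lies beneath it."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_sent(jar, scheme, path):
    """Cookies a browser would attach to a request for scheme://host/path."""
    return [c for c in jar
            if path_matches(c.path, path) and (scheme == "https" or not c.secure)]

class AspApplication:
    """One IIS application (hypothetical model): server-side session store keyed by
    the session-ID cookie. The session data itself never leaves the server."""
    def __init__(self, app_path="/", secure_cookie=False):
        self.app_path, self.secure_cookie, self.sessions = app_path, secure_cookie, {}
    def login(self, jar, user):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user}    # like Session("user") = user in ASP
        jar.append(Cookie("ASPSESSIONID", sid, self.app_path, self.secure_cookie))
    def session_for(self, jar, scheme, path):
        for c in cookies_sent(jar, scheme, path):
            if c.name == "ASPSESSIONID" and c.path == self.app_path:
                return self.sessions.get(c.value)
        return None                            # no cookie for this app: no session

def demo():
    main, shop, jar = AspApplication("/"), AspApplication("/shop"), []
    main.login(jar, "kenchan2000")                            # login served over SSL
    same_app = main.session_for(jar, "http", "/news.asp")     # plain page, same app
    other_app = shop.session_for(jar, "https", "/shop/cart.asp")  # different app
    hardened, jar2 = AspApplication("/", secure_cookie=True), []
    hardened.login(jar2, "kenchan2000")
    secure_only = hardened.session_for(jar2, "http", "/news.asp")  # cookie withheld
    return {"same_app_plain": same_app, "other_app": other_app,
            "secure_cookie_plain": secure_only}
```

`demo()` returns the login session for the plain page of the same application, and `None` for both the other application and the Secure-flagged variant.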
 
LVL 2

Expert Comment

by:DirkVe
ID: 6359032
Ok, I interpreted this in another context: security.

Thanks for clearing this out.

Topic closed.
0
 
LVL 20

Expert Comment

by:Silvers5
ID: 6359053
Cheers ;o)
0
