Solved

Keeping session variables upon leaving SSL-enabled page

Posted on 2001-07-24
Last Modified: 2012-08-13
Will session variables be destroyed when navigating pages that are composed of SSL-enabled pages and unsecured HTML pages?
Question by:kenchan2000
11 Comments
 
LVL 2

Expert Comment

by:DirkVe
ID: 6312154
I don't think so. But 'theoretically' it's impossible to access session variables that belong to another site. But you know how secure MS tools are (ever heard of a MS bug; sorry, I'm quite sarcastic here).

It's always best to close your browser before you go to unsecure pages. When you open a new browser (and I mean closing ALL browser windows and restarting your IE or other browser by clicking on the icon) then all session variables are CERTAINLY gone.
 
LVL 20

Accepted Solution

by: Silvers5 (earned 10 total points)
ID: 6312403
between pages in the same site no.. between other sites yes
 
LVL 2

Expert Comment

by:DirkVe
ID: 6312431
Session variables will not be destroyed if you navigate. Only when you close your browser.

You can test it yourself if you have a mail account at hotmail or any other mail site that has SSL. When you're logged in at hotmail and go to other sites, then return after a while to hotmail, you'll see that you don't have to log in again. Of course, if you didn't visit hotmail for some time, then they are gone since your session will expire. You can also write some cleanup code in the global.asa in your Session_OnEnd. But better test if this works correctly to be sure.
 
LVL 9

Expert Comment

by:TTom
ID: 6312750
Session variables are stored on the web server. They will remain in existence until the session is either abandoned (Session.Abandon) or until it times out. However, in order to access those variables once the user has left the page, the Session ID would need to be recovered. If the browser has not been closed, the session cookie which identifies that user will remain in memory, and navigating back to the site should reestablish the session.

Another user (another browser session?) would have to "spoof" the previous session in order to recover the existing session variables. Probably not impossible.

Tom
 
LVL 2

Expert Comment

by:DirkVe
ID: 6312855
100% right Tom.

The session-variables are stored on the server and will be matched with the session-id that is in a temporary cookie on the client (browser). A second browser means another session-id also.

It was good to say "probably not possible" when you talked about 'spoofing' the session-id. BUT, there have been some bugs in earlier versions where it was possible to 'capture' a certain session-id. In the newest versions of IIS it "shouldn't" be possible.

So, the most important is that a session variable is in fact a temporary cookie on your machine. Maybe it's worth reading something about cookies, so have a look at
www.cookiecentral.com
 
LVL 2

Expert Comment

by:DirkVe
ID: 6320926
Why do you ask questions and then rate the person who gives a wrong answer? If you don't like to receive a correct answer, then don't use Experts Exchange please.

I guess you just didn't test it.
 
LVL 20

Expert Comment

by:Silvers5
ID: 6358534
DirkVe, if you read my comment carefully you'll see that my comment is not wrong.. Sessions are not destroyed between SSL / unencrypted browsing in the same application.. that means if the user navigates to an SSL page in the same application and a session variable is created there, then it will be viewed in other pages without SSL in the same application, since the Session variables have the scope of the whole application.. if the SSL is made to another application (not under the main application) and a session variable is created there, then it will have the scope of that application, thus it won't be viewed in the main site.. this was the point..

Hope you won't fire arrows before thinking next time
Regards
 
LVL 2

Expert Comment

by:DirkVe
ID: 6358878
I've read your comment ("between pages in the same site no.. between other sites yes") carefully and I also did with the last one.

But still, I have another opinion, probably because we think in a different context. As you say in your last comment, a session variable can not be seen if you go to another application because it's out of scope. But, when you browse back to the secure site, you'll still have those session-variables. And since you're back in scope now, you'll see them also. So, that's why I say that session-variables are NOT destroyed, even NOT when you browse to other sites. Not visible is not the same as destroyed.

In the context of the question, I think that kenchan2000 wants to know if it is secure to browse from SSL to a non-protected site. Since session-variables are not destroyed it can be possible to capture these (this was also a known bug from MS which is fixed now).

So, what's your answer to my point of view?

PS: This comment is not meant to chase points or to attack you personally. It's just to ask your opinion and to learn from it in case I'm wrong. That's why I use EE: to help and to learn from others.

Cheers
 
LVL 20

Expert Comment

by:Silvers5
ID: 6358948
I see the context of his question differently.. he wants to see if he creates session variables in an SSL area in his site, can he use them in the unsecure area? Like when you log in.. you pass your credentials (username, password) using SSL.. in that area, if the login is successful a session variable is populated; can he use it in non-SSL pages also? ...
It's not a security issue since session variables are stored on the server, so there is no way for someone to fetch them..

> "..But, when you browse back to the secure site, you'll still have those session-variables. And
> since you're back in scope now, you'll see them also. So, that's why I say that session-variables are
> NOT destroyed, even NOT when you browse to other sites. Not visible is not the same as destroyed...."

Here I see you are out of scope.. You are correct but this is not directly related to the question..
 
LVL 2

Expert Comment

by:DirkVe
ID: 6359032
Ok, I interpreted this in another context: security.

Thanks for clearing this out.

Topic closed.
 
LVL 20

Expert Comment

by:Silvers5
ID: 6359053
Cheers ;o)
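The behaviour the thread settles on (a variable set on an SSL page is visible on the same application's plain-HTTP pages, out of scope in another application but not destroyed, and gone after Session.Abandon or after closing the browser), as an added Python model that is not code from this page or from IIS. The `Application` class, the cookie names and the sample user are constructed for the demonstration; `cleartext_ids` counts how often the valid session-id is sent over plain HTTP, which is the exposure DirkVe raises.

```python
import secrets

class Application:
    """One IIS application: its own server-side session store, keyed by its own cookie."""
    def __init__(self, cookie_name):
        self.cookie_name = cookie_name  # constructed name; real IIS uses ASPSESSIONIDxxxx
        self.sessions = {}              # session-id -> Session variables, kept server side
        self.cleartext_ids = 0          # times a valid session-id travelled over plain http

    def page(self, jar, scheme, handler):
        """Serve one page over 'http' or 'https'; jar holds the browser's temporary cookies."""
        sid = jar.get(self.cookie_name)
        if sid is None or sid not in self.sessions:  # no usable cookie: start a new session
            sid = secrets.token_hex(8)
            self.sessions[sid] = {}
            jar[self.cookie_name] = sid
        elif scheme == "http":
            self.cleartext_ids += 1  # the id crossed the wire unencrypted (DirkVe's concern)
        return handler(self.sessions[sid])

    def abandon(self, jar):
        """Session.Abandon: the server forgets the state; the cookie itself is not touched."""
        self.sessions.pop(jar.get(self.cookie_name), None)

def login(s):
    s["user"] = "kenchan2000"  # constructed sample value set by the SSL login page

def read_user(s):
    return s.get("user")

def scenario():
    jar = {}  # the browser's temporary cookies: in memory only, gone when it is closed
    main_app, other_app = Application("ASPSESSIONID_MAIN"), Application("ASPSESSIONID_OTHER")
    main_app.page(jar, "https", login)  # 1. login over SSL populates a Session variable
    results = {
        # 2. plain-http page of the same application: same session, variable visible
        "same_app_http": main_app.page(jar, "http", read_user),
        # 3. page of another application: separate store, variable out of scope
        "other_app": other_app.page(jar, "https", read_user),
        # 4. back in the main application: not visible is not the same as destroyed
        "back_in_scope": main_app.page(jar, "https", read_user),
    }
    main_app.abandon(jar)  # 5. Session.Abandon, then a fresh request: the variable is gone
    results["after_abandon"] = main_app.page(jar, "https", read_user)
    main_app.page(jar, "https", login)
    jar.clear()  # 6. closing all browser windows drops the temporary cookie: new session
    results["after_restart"] = main_app.page(jar, "https", read_user)
    results["cleartext_ids"] = main_app.cleartext_ids
    return results
```

A session cookie that the browser withholds on plain-HTTP requests would remove the exposure counted in step 2, but it would also keep the non-SSL pages from seeing the session, which is exactly the trade-off behind the question.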
