Solved

Keeping session variables upon leaving SSL-enabled page

Posted on 2001-07-24
Medium Priority
341 Views
Last Modified: 2012-08-13
Will session variables be destroyed when navigating pages that are composed of SSL-enabled pages and unsecured HTML pages?
Question by:kenchan2000
11 Comments
LVL 2

Expert Comment

by:DirkVe
ID: 6312154
I don't think so. But 'theoretically' it's impossible to access session variables that belong to another site. But you know how secure MS tools are (ever heard of an MS bug; sorry, I'm quite sarcastic here).

It's always best to close your browser before you go to unsecure pages. When you open a new browser (and I mean closing ALL browser windows and restarting your IE or other browser by clicking on the icon) then all session variables are CERTAINLY gone.
LVL 20

Accepted Solution

by: Michel Sakr (earned 40 total points)
ID: 6312403
between pages in the same site no.. between other sites yes
LVL 2

Expert Comment

by:DirkVe
ID: 6312431
Session variables will not be destroyed if you navigate. Only when you close your browser.

You can test it yourself if you have a mail account at hotmail or any other mail site that has SSL. When you're logged in at hotmail and go to other sites, then return after a while to hotmail, you'll see that you don't have to log in again. Of course, if you didn't visit hotmail for some time, then they are gone since your session will expire. You can also write some cleanup code in the global.asa in your Session_OnEnd. But better test if this works correctly to be sure.
LVL 9

Expert Comment

by:TTom
ID: 6312750
Session variables are stored on the web server. They will remain in existence until the session is either abandoned (Session.Abandon) or until it times out. However, in order to access those variables once the user has left the page, the Session ID would need to be recovered. If the browser has not been closed, the session cookie which identifies that user will remain in memory, and navigating back to the site should reestablish the session.

Another user (another browser session?) would have to "spoof" the previous session in order to recover the existing session variables.  Probably not impossible.

Tom
LVL 2

Expert Comment

by:DirkVe
ID: 6312855
100% right Tom.

The session variables are stored on the server and will be matched with the session id that is in a temporary cookie on the client (browser). A second browser means another session id also.

It was good to say "probably not possible" when you talked about 'spoofing' the session-id. BUT, there have been some bugs in earlier versions where it was possible to 'capture' a certain session-id. In the newest versions of IIS it "shouldn't" be possible.

So, the most important is that a session variable is in fact a temporary cookie on your machine. Maybe it's worth reading something about cookies, so have a look at
www.cookiecentral.com
LVL 2

Expert Comment

by:DirkVe
ID: 6320926
Why do you ask questions and then rate the person who gives a wrong answer? If you don't like to receive a correct answer, then don't use Experts Exchange please.

I guess you just didn't test it.
LVL 20

Expert Comment

by:Michel Sakr
ID: 6358534
DirkVe, if you read my comment carefully you'll see that my comment is not wrong.. Sessions are not destroyed between SSL / unencrypted browsing in the same application.. that means if the user navigates to an SSL page in the same application and a session variable is created there, then it will be viewed in other pages without SSL in the same application, since the session variables have the scope of the whole application.. if the SSL is made to another application (not under the main application) and a session variable is created there, then it will have the scope of that application, thus it won't be viewed in the main site.. this was the point..


Hope you won't fire arrows before thinking next time
rgrds
LVL 2

Expert Comment

by:DirkVe
ID: 6358878
I've read your comment ("between pages in the same site no.. between other sites yes ") carefully and I also did with the last one.

But still, I have another opinion, probably because we think in a different context. As you say in your last comment, a session variable can not be seen if you go to another application because it's out of scope. But when you browse back to the secure site, you'll still have those session variables. And since you're back in scope now, you'll see them also. So, that's why I say that session variables are NOT destroyed, even NOT when you browse to other sites. Not visible is not the same as destroyed.

In the context of the question, I think that kenchan2000 wants to know if it is secure to browse from SSL to a non-protected site. Since session variables are not destroyed, it can be possible to capture these (this was also a known bug from MS which is fixed now).

So, what's your answer to my point of view?

PS: This comment is not meant to chase points or to attack you personally. It's just to ask your opinion and to learn from it in case I'm wrong. That's why I use EE: to help and to learn from others.

Cheers
LVL 20

Expert Comment

by:Michel Sakr
ID: 6358948
I see the context of his question differently.. he wants to see if he creates session variables in an SSL area in his site, can he use them in the unsecure area? Like when you log in.. you pass your credentials (username, password) using SSL.. in that area, if the login is successful, a session variable is populated; can he use it in non-SSL pages also? ...
It's not a security issue since session variables are stored on the server, so there is no way for someone to fetch them..

> "..But, when you browse back to the secure site, you'll still have those session variables. And since you're back in scope now, you'll see them also. So, that's why I say that session variables are NOT destroyed, even NOT when you browse to other sites. Not visible is not the same as destroyed...."

Here I see you are out of scope.. You are correct but this is not directly related to the question..
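The mechanism the experts describe above (TTom and DirkVe: variables live on the server and the browser holds only a session-id cookie; Michel Sakr: a session is visible only inside the application whose cookie the browser presents) can be modelled in a few dozen lines. The following is an added, constructed example and not code from this thread or from IIS/ASP; the cookie name `SESSIONID`, the hosts `shop.example` and `other.example`, and the `Secure`-only behaviour of the second server are assumptions made for the illustration. It walks one browser through an SSL login, a plain-HTTP page of the same site, a visit to another site and a return over SSL, and reports what each page could see and whether the session id ever travelled unencrypted, which is the exposure DirkVe's "capture a certain session-id" remark refers to.

```python
"""Toy model of server-side session state plus a browser cookie jar.
Constructed example: not IIS/ASP code, names and hosts are assumed."""
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

# Stand-in for the ASPSESSIONIDxxxx cookie IIS uses; the name is an assumption here.
SESSION_COOKIE = "SESSIONID"


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    secure: bool = False  # Secure attribute: only sent on https:// requests


class Browser:
    """One browser process. The jar (and so the session id) lives until it is closed."""

    def __init__(self):
        self.jar: list[Cookie] = []
        self.ids_sent_in_clear: set[str] = set()  # session ids that crossed plain HTTP

    def request_cookies(self, url: str) -> dict[str, str]:
        """Cookies the browser attaches to a request for this URL."""
        parts = urlsplit(url)
        sent = {}
        for c in self.jar:
            if c.domain != parts.hostname:
                continue  # a different site never receives this cookie (out of scope)
            if c.secure and parts.scheme != "https":
                continue  # Secure cookie is withheld from unencrypted requests
            sent[c.name] = c.value
            if c.name == SESSION_COOKIE and parts.scheme != "https":
                self.ids_sent_in_clear.add(c.value)
        return sent

    def set_cookie(self, cookie: Cookie):
        self.jar = [c for c in self.jar if (c.name, c.domain) != (cookie.name, cookie.domain)]
        self.jar.append(cookie)


class Server:
    """One web application. Session variables are keyed by session id and never leave it."""

    def __init__(self, host: str, secure_cookie: bool):
        self.host = host
        self.secure_cookie = secure_cookie
        self.sessions: dict[str, dict] = {}

    def handle(self, browser: Browser, url: str) -> dict:
        """Return the session dictionary for this request (empty dict if none applies)."""
        parts = urlsplit(url)
        assert parts.hostname == self.host
        sid = browser.request_cookies(url).get(SESSION_COOKIE)
        if sid in self.sessions:
            return self.sessions[sid]  # existing session: variables are still there
        if self.secure_cookie and parts.scheme != "https":
            return {}  # hardened app: never mint a session over plain HTTP
        sid = secrets.token_hex(16)
        self.sessions[sid] = {}
        browser.set_cookie(Cookie(SESSION_COOKIE, sid, self.host, self.secure_cookie))
        return self.sessions[sid]


def run_scenario(secure_cookie: bool) -> dict:
    """Log in over SSL, open a plain-HTTP page of the same site, visit another
    site, then return over SSL; report what each page could see."""
    browser = Browser()
    shop = Server("shop.example", secure_cookie)
    other = Server("other.example", secure_cookie)

    shop.handle(browser, "https://shop.example/login")["user"] = "kenchan2000"
    catalog = shop.handle(browser, "http://shop.example/catalog")
    elsewhere = other.handle(browser, "https://other.example/")
    account = shop.handle(browser, "https://shop.example/account")

    return {
        "catalog_sees_user": catalog.get("user") == "kenchan2000",
        "other_site_sees_user": elsewhere.get("user") == "kenchan2000",
        "account_sees_user": account.get("user") == "kenchan2000",
        "session_id_sent_in_clear": bool(browser.ids_sent_in_clear),
        "sessions_on_shop_server": len(shop.sessions),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("Secure cookie:" if flag else "Plain cookie: ", run_scenario(flag))
```

With a plain cookie (the classic ASP default) the non-SSL catalog page sees the variable set during the SSL login, the other site sees nothing, the account page sees the variable again on return, and the server still holds exactly one session throughout, which is the "not visible is not the same as destroyed" point. The cost is that the session id was transmitted in the clear on the catalog request. With a `Secure` cookie the server-side variables survive exactly the same way and the SSL pages still see them, but the plain-HTTP page runs anonymously and the id never leaves the encrypted channel; the trade-off is that session variables cannot be used on non-SSL pages at all, which is the decision the asker has to make.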
LVL 2

Expert Comment

by:DirkVe
ID: 6359032
Ok, I interpreted this in another context: security.

Thanks for clearing this out.

Topic closed.
LVL 20

Expert Comment

by:Michel Sakr
ID: 6359053
Cheers ;o)