Keeping session variables upon leaving SSL-enabled page

Will session variables be destroyed when navigating pages that are composed of SSL-enabled pages and unsecured HTML pages?
kenchan2000 asked:
 
Michel Sakr commented:
between pages in the same site no.. between other sites yes
0
 
DirkVe commented:
I don't think so. But 'theoretically' it's impossible to access session variables that belong to another site. But you know how secure MS tools are (ever heard of an MS bug? Sorry, I'm quite sarcastic here).

It's always best to close your browser before you go to unsecured pages. When you open a new browser (and I mean closing ALL browser windows and restarting your IE or other browser by clicking on the icon), then all session variables are CERTAINLY gone.
0
 
DirkVe commented:
Session variables will not be destroyed if you navigate. Only when you close your browser.

You can test it yourself if you have a mail account at Hotmail or any other mail site that has SSL. When you're logged in to Hotmail and go to other sites, and return after a while to Hotmail, you'll see that you don't have to log in again. Of course, if you didn't visit Hotmail for some time, then they are gone since your session will expire. You can also write some cleanup code in the global.asa in your Session_OnEnd. But better test whether this works correctly to be sure.
0
 
TTom commented:
Session variables are stored on the web server. They will remain in existence until the session is either abandoned (Session.Abandon) or until it times out. However, in order to access those variables once the user has left the page, the Session ID would need to be recovered. If the browser has not been closed, the session cookie which identifies that user will remain in memory, and navigating back to the site should reestablish the session.

Another user (another browser session?) would have to "spoof" the previous session in order to recover the existing session variables.  Probably not impossible.

Tom
0
 
DirkVe commented:
100% right Tom.

The session variables are stored on the server and will be matched with the session ID that is in a temporary cookie on the client (browser). A second browser means another session ID as well.

It was good to say "probably not possible" when you talked about 'spoofing' the session ID. BUT, there have been some bugs in earlier versions where it was possible to 'capture' a certain session ID. In the newest versions of IIS it "shouldn't" be possible.

So, the most important thing is that a session variable is in fact a temporary cookie on your machine. Maybe it's worth reading something about cookies, so have a look at
www.cookiecentral.com
0
 
DirkVe commented:
Why do you ask questions and then rate the person who gives a wrong answer? If you don't like to receive a correct answer, then don't use Experts Exchange please.

I guess you just didn't test it.
0
 
Michel Sakr commented:
DirkVe, if you read my comment carefully you'll see that my comment is not wrong.. Sessions are not destroyed between SSL / unencrypted browsing in the same application.. that means if the user navigates to an SSL page in the same application and a session variable is created there, then it will be viewed in other pages without SSL in the same application, since the Session variables have the scope of the whole application.. if the SSL is made to another application (not under the main application) and a session variable is created there, then it will have the scope of that application, thus it won't be viewed in the main site.. this was the point..


Hope you won't fire arrows before thinking next time
rgrds
0
 
DirkVe commented:
I've read your comment ("between pages in the same site no.. between other sites yes") carefully and I also did with the last one.

But still, I have another opinion, probably because we think in a different context. As you say in your last comment, a session variable can not be seen if you go to another application because it's out of scope. But, when you browse back to the secure site, you'll still have those session variables. And since you're back in scope now, you'll see them also. So, that's why I say that session variables are NOT destroyed, even NOT when you browse to other sites. Not visible is not the same as destroyed.

In the context of the question, I think that kenchan2000 wants to know if it is secure to browse from SSL to a non-protected site. Since session variables are not destroyed it can be possible to capture these (this was also a known bug from MS which is fixed now).

So, what's your answer to my point of view?

PS: This comment is not meant to chase points or to attack you personally. It's just to ask your opinion and to learn from it in case I'm wrong. That's why I use EE: to help and to learn from others.

Cheers
0
 
Michel Sakr commented:
I see the context of his question differently.. he wants to see if he creates session variables in an SSL area in his site, can he use them in the unsecure area? Like when you log in.. you pass your credentials (username, password) using SSL.. in that area, if the login is successful, a session variable is populated; can he use it in non-SSL pages also? ...
It's not a security issue since session variables are stored on the server, so there is no way for someone to fetch them..


> "..But, when you browse back to the secure site, you'll still be have those session-variables. ANd
> since you're back in scope now, you'll see them also. So, that's why I say that session-variables are
> NOT destroyed, even NOT when you browse to other sites. Not visible is not the same as destroyed...."

Here I see you are out of scope.. You are correct but this is not directly related to the question..
0
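As an added example (not code from this thread), the following Python models the browser-side rule that decides the thread's question: the session data stays on the server, and what travels with each request is only the session cookie, which a browser sends to every page of the issuing site, SSL or not, and never to another site. The cookie name, host names and URLs below are constructed; the Secure attribute is the standard cookie attribute that restricts a cookie to HTTPS requests.

```python
# Added example, not from the original thread. The ASPSESSIONID... cookie
# name, the host www.example.com and the URLs are constructed assumptions.
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Parse a Set-Cookie header into name, value, domain, path, secure."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": None,
              "path": "/", "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "domain":
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "path":
            cookie["path"] = val or "/"
    return cookie

def cookie_sent_to(cookie, url, set_by_host):
    """True if a browser would attach this cookie to a request for url."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if cookie["domain"] is None:   # host-only cookie: exact host match
        host_ok = host == set_by_host.lower()
    else:                          # Domain attribute: that host or its subdomains
        host_ok = host == cookie["domain"] or host.endswith("." + cookie["domain"])
    path_ok = (u.path or "/").startswith(cookie["path"])
    # Without the Secure attribute the cookie also goes out over plain http.
    scheme_ok = u.scheme == "https" or not cookie["secure"]
    return host_ok and path_ok and scheme_ok

def session_id_exposure(set_cookie_header, set_by_host, urls):
    """Map each URL to whether the session id would travel with the request."""
    cookie = parse_set_cookie(set_cookie_header)
    return {url: cookie_sent_to(cookie, url, set_by_host) for url in urls}

# Constructed sample: a host-only ASP-style session cookie without the Secure flag.
SESSION_COOKIE = "ASPSESSIONIDQQGGGSQS=ABCDEFGHIJKLMNOP; path=/"
SECURE_COOKIE = SESSION_COOKIE + "; Secure"
URLS = [
    "https://www.example.com/login.asp",       # SSL page that created the session
    "http://www.example.com/account.asp",      # unsecured page on the same site
    "http://www.other-site.example/page.asp",  # a different site
]
if __name__ == "__main__":
    for header in (SESSION_COOKIE, SECURE_COOKIE):
        for url, sent in session_id_exposure(header, "www.example.com", URLS).items():
            print(f"{'sent' if sent else 'withheld':8} {header[-8:]:>8} -> {url}")
```

Running it shows the session id reaching the unsecured same-site page in the clear for the plain cookie and being withheld there once the cookie carries Secure; the other site never receives it in either case.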
 
DirkVe commented:
Ok, I interpreted this in another context: security.

Thanks for clearing this out.

Topic closed.
0
 
Michel Sakr commented:
Cheers ;o)
0