Solved

Losing session over SSL to Non SSL

Posted on 2004-04-06
Last Modified: 2012-08-14
I have an application where the customer logs in securely and a session is set to identify them as wholesale or retail.
When they log in, if the WHOLESALE field in their database record is "W" then we set the session("wholesale") = "W"

Problem is after leaving the secure area to view products, they lose the wholesale status.

The SSL folder is above the root and contains duplicate files of the application under the root.  The header file which is included in each document has the following code:

<% if session("wholesale") = "W" then %>
<p align="center"><font size="1"><font face="Arial">You are logged in as a Wholesale Customer.</font></font>
<% else %>
<% end if %>                              

The path to the application is as such:         http://www.myapplication.com/
The path to the SSL/secure site is as such:  https://secure.dnsracks.com/myapplication-com/

If you could be so kind to assist me, I would appreciate it...going to take a Tylenol on this mind boggler myself.
Question by:geneane
7 Comments
 
LVL 21

Expert Comment

by:ap_sajith
ID: 10771781
It could be the fact that the URLs are configured using different domain names. As far as I know, cookies are specific to domain names. You can't access the cookie created by one site from another site. Since sessions depend on user cookies, your sessions might be lost between the URL switches.

You can try using something like a cookie munger to overcome the cookie issue.

Here is another article I came across that might be useful for you.
http://archives.neohapsis.com/archives/ntbugtraq/2001-q4/0178.html

Cheers!!
0
 
LVL 21

Expert Comment

by:ap_sajith
ID: 10771866
BTW, have you configured the SSL and non-SSL sites as two separate Applications / Virtual directories? Do you have a separate Global.asa configured for each? If so, the sessions would not be persisted over the URL switches.

http://support.jodohost.com/showthread.php?p=9971

Cheers!!
0
 
LVL 21

Expert Comment

by:ap_sajith
ID: 10771889
0
 
LVL 4

Expert Comment

by:BChan
ID: 10771903
Session variables cannot be shared across domains, even mydomain.com and www.mydomain.com. This is due to the way in which IIS stores the Session.

A down and dirty approach, which is not secure, is to set up a handshake page, built for the specific purpose of setting these variables.


https://secure.dnsracks.com/myapplication-com/login.asp
<%
'User has logged in.
'''Set session variables
Response.Redirect ("http://www.myapplication.com/SessionHandShake.asp?UID=" & dbUID)
%>

http://www.myapplication.com/SessionHandShake.asp?
<%
IF Request.ServerVariables("HTTP_REFERER") = "https://secure.dnsracks.com/myapplication-com/login.asp" THEN
'This simple credentials check is not appropriate for highly secure data
'''''''''''''''''''''''
'Repeat Session Variable checking from database using Request("UID")
''''
''send to thank you page
Response.Redirect("https://secure.dnsracks.com/myapplication-com/loginComplete.asp")

END IF
%>

The other option is to move the information to a database. In this case, you would need to do lookups on the data based on IP and the user agent. Instead of looking for the info in the SESSION object, you would query the database.

However, once you move this information from the SESSION, you need to concern yourself with ways that people can steal another's identity, as is possible with the first option I presented. This may be considered an appropriate risk if the information is not sensitive, but it has the potential to be disastrous.

Your most secure option is to use https://www.myapplication.com/SecureSite/
But this is not always possible.

Hope this was useful.
BChan
0
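
An added example, not part of BChan's answer or the original thread: one way to carry the wholesale flag from the secure site to the public site without trusting a bare UID or the Referer header is a short-lived, single-use, HMAC-signed token placed in the redirect URL. It is sketched in Python rather than ASP; the key, the field names and the function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key; both sites would load the same secret from protected config.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
MAX_AGE = 30           # seconds a handoff token stays valid
_used_nonces = set()   # single-use tracking; a shared store in a real deployment

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(uid, wholesale, now=None):
    """Secure site, after login: build the value carried in the redirect URL."""
    now = int(time.time() if now is None else now)
    payload = json.dumps({"uid": uid, "w": wholesale, "iat": now,
                          "n": secrets.token_hex(8)}).encode()
    mac = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return _enc(payload) + "." + _enc(mac)

def redeem_token(token, now=None):
    """Public site: return (uid, wholesale), or None if forged, stale or replayed."""
    now = int(time.time() if now is None else now)
    try:
        p64, m64 = token.split(".")
        payload, mac = _dec(p64), _dec(m64)
    except ValueError:
        return None
    expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):   # check the MAC before parsing
        return None
    claims = json.loads(payload)
    if not 0 <= now - claims["iat"] <= MAX_AGE:  # expired or future-dated
        return None
    if claims["n"] in _used_nonces:              # already redeemed once
        return None
    _used_nonces.add(claims["n"])
    return claims["uid"], claims["w"]
```

The token protects only the handoff itself: once the visitor is on the plain-HTTP site, the resulting session cookie travels unencrypted, which is why the same-host HTTPS option mentioned above remains the stronger choice.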
 
LVL 21

Accepted Solution

by:
ap_sajith earned 500 total points
ID: 11020998
Hi,
Any updates? Do you need any further assistance with this? Please close this question if no further assistance is needed.
If you need help closing this question, please refer to http://www.experts-exchange.com/help.jsp#hs5 on how to close a question.

Cheers!!
0
 
LVL 1

Author Comment

by:geneane
ID: 11022154
This was solved by other means.
0
 
LVL 21

Expert Comment

by:ap_sajith
ID: 11025747
Could you please post this 'Other Means' so that it would be useful for others that face a similar situation.
It would also greatly help us learn something new here.

Cheers!!
0
