Solved

Losing session over SSL to Non SSL

Posted on 2004-04-06
572 Views
Last Modified: 2012-08-14
I have an application where the customer logs in securely and a session is set to identify them as wholesale or retail.
When they log in, if the WHOLESALE field in their database record is "W" then we set the session("wholesale") = "W"

Problem is after leaving the secure area to view products, they lose the wholesale status.

The SSL folder is above the root and contains duplicate files of the application under the root. The header file which is included in each document has the following code:

<% If Session("wholesale") = "W" Then %>
<p align="center"><font size="1"><font face="Arial">You are logged in as a Wholesale Customer.</font></font>
<% End If %>

The path to the application is as such: http://www.myapplication.com/
The path to the SSL/secure site is as such: https://secure.dnsracks.com/myapplication-com/

If you could be so kind to assist me, I would appreciate it...going to take a Tylenol on this mind boggler myself.
0
Question by:geneane
7 Comments
 
LVL 21

Expert Comment

by:ap_sajith
ID: 10771781
It could be the fact that the URLs are configured using different domain names. As far as I know, cookies are specific to domain names. You can't access the cookie created by one site from another site. Since sessions depend on user cookies, your sessions might be lost between the URL switches.

You can try using something like a cookie munger to overcome the cookie issue.

Here is another article I came across that might be useful for you.
http://archives.neohapsis.com/archives/ntbugtraq/2001-q4/0178.html

Cheers!!
0
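The domain rule ap_sajith describes, as an added example that is not part of this thread: a small Python model of the RFC 6265 host-only and domain-match rules, applied to the two hostnames from the question (and to BChan's mydomain.com vs. www.mydomain.com case below). The function names are mine; the hostnames are those from the question.

```python
from typing import Optional

# Added example: why a session cookie set on one host is not sent to another.
# Implements the host-only / domain-match rules of RFC 6265 section 5.1.3
# to decide whether a stored cookie is attached to a request for a host.

def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host equals the domain or is a subdomain of it."""
    request_host = request_host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)

def cookie_sent_to(request_host: str, set_by_host: str,
                   domain_attr: Optional[str]) -> bool:
    """Is a cookie set by `set_by_host` (with optional Domain attribute)
    sent along with a request to `request_host`?"""
    if domain_attr is None:
        # Host-only cookie (IIS sets ASPSESSIONID this way): exact host only.
        return request_host.lower() == set_by_host.lower()
    # A Domain attribute is only honoured if the setting host itself matches
    # it; otherwise the browser rejects the cookie outright.
    if not domain_matches(set_by_host, domain_attr):
        return False
    return domain_matches(request_host, domain_attr)
```

The two hosts in the question share no parent domain, so no Domain attribute can bridge them; the session cookie simply never reaches the non-SSL site.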
 
LVL 21

Expert Comment

by:ap_sajith
ID: 10771866
BTW.. Have you configured the SSL & non-SSL sites as two separate applications / virtual directories? Do you have a separate Global.asa configured for each? If so, the sessions would not be persisted over the URL switches.

http://support.jodohost.com/showthread.php?p=9971

Cheers!!
0
 
LVL 21

Expert Comment

by:ap_sajith
ID: 10771889
0
LVL 4

Expert Comment

by:BChan
ID: 10771903
Session variables cannot be shared across domains, even between mydomain.com and www.mydomain.com. This is due to the way in which IIS stores the session.

A down-and-dirty approach, which is not secure, is to set up a handshake page built for the specific purpose of setting these variables.


https://secure.dnsracks.com/myapplication-com/login.asp
<%
' User has logged in.
' Set session variables here, then hand off to the non-SSL site.
Response.Redirect "http://www.myapplication.com/SessionHandShake.asp?UID=" & dbUID
%>

http://www.myapplication.com/SessionHandShake.asp
<%
If Request.ServerVariables("HTTP_REFERER") = "https://secure.dnsracks.com/myapplication-com/login.asp" Then
    ' This simple credentials check is not appropriate for highly secure data:
    ' the Referer header is supplied by the client.
    ' Repeat the session variable lookup from the database using Request.QueryString("UID")
    ' and set Session("wholesale") here.
    ' Send to thank-you page
    Response.Redirect "https://secure.dnsracks.com/myapplication-com/loginComplete.asp"
End If
%>

The other option is to move the information to a database. In this case, you would need to do lookups on the data based on IP and the user agent. Instead of looking for the info in the SESSION object, you would query the database.

However, once you move this information out of the SESSION, you need to concern yourself with ways that people can steal another's identity, as is possible with the first option I presented. This may be considered an appropriate risk if the information is not sensitive, but it has the potential to be disastrous.

Your Most secure option is to use https://www.myapplication.com/SecureSite/
But this is not always possible.

Hope this was useful.
BChan
0
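A hardened version of BChan's handshake, as an added example that is not part of this thread: instead of trusting the Referer header, the secure site mints a signed, short-lived, single-use token, and the non-SSL handshake page redeems it before setting its own Session values. Written in Python to show the logic; the shared secret, nonce store and function names are constructed for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed shared secret: in practice a long random value present on both
# servers (secure and non-SSL) and never sent to the browser.
SHARED_SECRET = b"example-shared-secret-replace-me"
TOKEN_TTL_SECONDS = 60
_used_nonces = set()  # constructed in-memory store; a DB table in real use

def mint_handoff_token(uid: str, wholesale: str, now: Optional[float] = None) -> str:
    """Secure site: sign uid|wholesale|expiry|nonce with HMAC-SHA256 and
    return a URL-safe token to append to the redirect (?token=...)."""
    now = time.time() if now is None else now
    expiry = int(now) + TOKEN_TTL_SECONDS
    payload = f"{uid}|{wholesale}|{expiry}|{secrets.token_hex(8)}"
    sig = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{payload}|{sig}".encode()).decode()

def redeem_handoff_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Non-SSL site: verify signature, expiry and single use. Returns the
    values to copy into the local Session, or None if the token is rejected."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode()).decode()
        uid, wholesale, expiry, nonce, sig = raw.split("|")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    payload = f"{uid}|{wholesale}|{expiry}|{nonce}"
    expected = hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None  # forged or tampered (fields are only trusted after this check)
    if now > int(expiry):
        return None  # expired
    if nonce in _used_nonces:
        return None  # replayed
    _used_nonces.add(nonce)
    return {"uid": uid, "wholesale": wholesale}
```

The non-SSL site's own session cookie still travels in the clear afterwards, which is why BChan's last option (keeping everything under one HTTPS host) remains the secure one.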
 
LVL 21

Accepted Solution

by: ap_sajith (earned 1000 total points)
ID: 11020998
Hi,
Any updates? Do you need any further assistance with this? Please close this question if no further assistance is needed.
If you need help closing this question, please refer to http://www.experts-exchange.com/help.jsp#hs5 on how to close a question.

Cheers!!
0
 
LVL 1

Author Comment

by:geneane
ID: 11022154
This was solved by other means.
0
 
LVL 21

Expert Comment

by:ap_sajith
ID: 11025747
Could you please post this 'other means' so that it would be useful for others who face a similar situation.
It would also greatly help us learn something new here.

Cheers!!
0
