Solved

Losing session over SSL to Non SSL

Posted on 2004-04-06
561 Views
Last Modified: 2012-08-14
I have an application where the customer logs in securely and a session is set to identify them as wholesale or retail.
When they log in, if the WHOLESALE field in their database record is "W" then we set session("wholesale") = "W".

Problem is, after leaving the secure area to view products, they lose the wholesale status.

The SSL folder is above the root and contains duplicate files of the application under the root. The header file, which is included in each document, has the following code:

<% If Session("wholesale") = "W" Then %>
<p align="center"><font size="1"><font face="Arial">You are logged in as a Wholesale Customer.</font></font></p>
<% End If %>

The path to the application is as such: http://www.myapplication.com/
The path to the SSL/secure site is as such: https://secure.dnsracks.com/myapplication-com/

If you could be so kind to assist me, I would appreciate it...going to take a Tylenol on this mind boggler myself.
Question by:geneane
7 Comments
 
LVL 21

Expert Comment

by:ap_sajith
ID: 10771781
It could be the fact that the URLs are configured using different domain names. As far as I know, cookies are specific to domain names. You can't access the cookie created by one site from another site. Since sessions depend on user cookies, your sessions might be lost between the URL switches.

You can try using something like a cookie munger to overcome the cookie issue.

Here is another article i came across that might be useful for you.
http://archives.neohapsis.com/archives/ntbugtraq/2001-q4/0178.html

Cheers!!
 
LVL 21

Expert Comment

by:ap_sajith
ID: 10771866
BTW, have you configured the SSL and non-SSL sites as two separate applications / virtual directories? Do you have a separate Global.asa configured for each? If so, the sessions would not be persisted over the URL switches.

http://support.jodohost.com/showthread.php?p=9971

Cheers!!
 
LVL 21

Expert Comment

by:ap_sajith
ID: 10771889
 
LVL 4

Expert Comment

by:BChan
ID: 10771903
Session variables cannot be shared across domains, even mydomain.com and www.mydomain.com. This is due to the way in which IIS stores the Session.

A down and dirty approach, which is not secure, is to set up a handshake page, built for the specific purpose of setting these variables.


https://secure.dnsracks.com/myapplication-com/login.asp
<%
' User has logged in.
' Set session variables here, then hand the user id over to the non-SSL site.
Response.Redirect "http://www.myapplication.com/SessionHandShake.asp?UID=" & dbUID
%>

http://www.myapplication.com/SessionHandShake.asp
<%
' This simple credentials check is not appropriate for highly secure data:
' the Referer header is supplied by the client and can be forged.
If Request.ServerVariables("HTTP_REFERER") = "https://secure.dnsracks.com/myapplication-com/login.asp" Then
    ' Repeat the session-variable setup from the database using Request.QueryString("UID")
    ' ...
    ' Send to thank-you page
    Response.Redirect "https://secure.dnsracks.com/myapplication-com/loginComplete.asp"
End If
%>

The other option is to move the information to a database. In this case, you would need to do lookups on the data based on IP and the user agent. Instead of looking for the info in the SESSION object, you would query the database.

However, once you move this information out of the SESSION, you need to concern yourself with ways that people can steal another's identity, as is possible with the first option I presented. This may be considered an appropriate risk if the information is not sensitive, but it has the potential to be disastrous.

Your most secure option is to use https://www.myapplication.com/SecureSite/
But this is not always possible.

Hope this was useful.
BChan
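A safer form of the handshake BChan describes, added here as an illustration and not part of the original answer: instead of trusting the Referer header, the secure host issues a short-lived, single-use token signed with a secret shared by both hosts, and the non-SSL host verifies it before looking WHOLESALE up in the database by UID, as the answer already suggests. It is written in Python rather than classic ASP so it runs stand-alone; SHARED_SECRET, the 60-second lifetime and the in-memory set of redeemed nonces are assumptions.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumed: a secret shared by the SSL host and the non-SSL host, read from
# protected configuration on both. This value is constructed for the example.
SHARED_SECRET = b"constructed-shared-secret-replace-me"
TOKEN_TTL_SECONDS = 60

# Nonces already redeemed, so a captured token cannot be replayed. In a real
# deployment both hosts would keep this in the shared database.
_redeemed_nonces = set()


def _mac(payload):
    return hmac.new(SHARED_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_handoff_token(uid, now=None):
    """Issued by the secure login page in place of the bare ?UID= parameter."""
    now = time.time() if now is None else now
    expiry = str(int(now) + TOKEN_TTL_SECONDS)
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode().rstrip("=")
    payload = "|".join([uid, expiry, nonce])
    return payload + "|" + _mac(payload)


def redeem_handoff_token(token, now=None):
    """Checked by the handshake page on the non-SSL host. Returns the uid,
    or None if the token is forged, expired, or has already been used."""
    now = time.time() if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return None
    uid, expiry, nonce, mac = parts
    # Constant-time comparison: a forged MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(mac, _mac("|".join([uid, expiry, nonce]))):
        return None
    if not expiry.isdigit() or now > int(expiry):
        return None  # expired
    if nonce in _redeemed_nonces:
        return None  # replayed
    _redeemed_nonces.add(nonce)
    # The receiving site now looks up WHOLESALE for this uid in its own
    # database rather than trusting anything carried in the URL.
    return uid
```

The token still travels in a URL over plain HTTP on the non-SSL side, so this only limits forgery and replay; BChan's point that serving the whole application under https on one host is the secure option still stands.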
 
LVL 21

Accepted Solution

by: ap_sajith (earned 500 total points)
ID: 11020998
Hi,
Any updates? Do you need any further assistance with this? Please close this question if no further assistance is needed.
If you need help closing this question, please refer to http://www.experts-exchange.com/help.jsp#hs5 on how to close a question.

Cheers!!
 
LVL 1

Author Comment

by:geneane
ID: 11022154
This was solved by other means.
 
LVL 21

Expert Comment

by:ap_sajith
ID: 11025747
Could you please post this 'Other Means' so that it would be useful for others that face a similar situation.
It would also greatly help us learn something new here.

Cheers!!