  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 575

Losing session over SSL to Non SSL

I have an application where the customer logs in securely and a session is set to identify them as wholesale or retail.
When they log in, if the WHOLESALE field in their database record is "W" then we set the session("wholesale") = "W"

Problem is after leaving the secure area to view products, they lose the wholesale status.

The SSL folder is above the root and contains duplicate files of the application under the root. The header file which is included in each document has the following code:

<% if session("wholesale") = "W" then %>
<p align="center"><font size="1"><font face="Arial">You are logged in as a Wholesale Customer.</font></font>
<% else %>
<% end if %>

The path to the application is as such: http://www.myapplication.com/
The path to the SSL/secure site is as such: https://secure.dnsracks.com/myapplication-com/

If you could be so kind to assist me, I would appreciate it...going to take a Tylenol on this mind boggler myself.
Asked by: geneane

1 Solution
ap_sajith Commented:
It could be the fact that the URLs are configured using different domain names. As far as I know, cookies are specific to domain names. You can't access the cookie created by one site from another site. Since sessions depend on user cookies, your sessions might be lost between the URL switches.

You can try using something like a cookie munger to overcome the cookie issue.

Here is another article I came across that might be useful for you.
http://archives.neohapsis.com/archives/ntbugtraq/2001-q4/0178.html

Cheers!!
ap_sajith Commented:
BTW, have you configured the SSL and non-SSL sites as two separate applications / virtual directories? Do you have a separate Global.asa configured for each? If so, the sessions would not be persisted over the URL switches.

http://support.jodohost.com/showthread.php?p=9971

Cheers!!
BChan Commented:
Session variables cannot be shared across domains, even between mydomain.com and www.mydomain.com. This is due to the way in which IIS stores the Session.

A down and dirty approach, which is not secure, is to set up a handshake page built for the specific purpose of setting these variables.


https://secure.dnsracks.com/myapplication-com/login.asp
<%
' User has logged in.
' Set session variables here, then hand the user ID over to the non-SSL site.
' dbUID is the user ID read from the customer's database record during login.
Response.Redirect "http://www.myapplication.com/SessionHandShake.asp?UID=" & dbUID
%>

http://www.myapplication.com/SessionHandShake.asp
<%
' This simple credentials check is not appropriate for highly secure data:
' the Referer header is supplied by the client and can be spoofed.
' VBScript strings use double quotes; a single quote would start a comment.
If Request.ServerVariables("HTTP_REFERER") = "https://secure.dnsracks.com/myapplication-com/login.asp" Then
    ' Repeat the session-variable check against the database using Request("UID"),
    ' e.g. set Session("wholesale") = "W" when that record's WHOLESALE field is "W".
    ' Send to the thank-you page.
    Response.Redirect "https://secure.dnsracks.com/myapplication-com/loginComplete.asp"
End If
%>

The other option is to move the information to a database. In this case, you would need to do lookups on the data based on IP and the user agent. Instead of looking for the info in the SESSION object, you would query the database.

However, once you move this information out of the SESSION you need to concern yourself with ways that people can steal another's identity, as is possible with the first option I presented. This may be considered an acceptable risk if the information is not sensitive, but it has the potential to be disastrous.

Your Most secure option is to use https://www.myapplication.com/SecureSite/
But this is not always possible.

Hope this was useful.
BChan
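The handshake above trusts a client-supplied Referer header and a bare UID in the query string, which is why BChan calls it insecure. An added example, not code from the thread, shows the same cross-domain handoff done with a short-lived, signed, one-time token in Python (the thread's code is classic ASP; the shared secret, TTL and nonce store are assumed placeholders): the secure host mints the token after login, and the non-SSL host verifies it before setting its own session flag.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Shared secret known only to the two servers (constructed placeholder; assumption).
HANDOFF_SECRET = b"replace-with-a-random-32-byte-secret"
TOKEN_TTL_SECONDS = 60
# One-time nonce store; a multi-server deployment would keep this in a database table.
_used_nonces: set = set()


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the encoded claims, hex-encoded."""
    return hmac.new(HANDOFF_SECRET, payload, hashlib.sha256).hexdigest()


def issue_handoff_token(uid: str, wholesale: str, now: Optional[float] = None) -> str:
    """Secure host (login.asp's role): mint a signed token after a successful login."""
    now = time.time() if now is None else now
    claims = {"uid": uid, "wholesale": wholesale,
              "exp": int(now) + TOKEN_TTL_SECONDS, "nonce": secrets.token_hex(8)}
    payload = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return f"{payload}.{_sign(payload.encode())}"


def verify_handoff_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Non-SSL host (SessionHandShake.asp's role): return the claims only if the token
    is authentic, unexpired and not previously used; otherwise None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(payload.encode())):
        return None  # forged or tampered (e.g. "R" changed to "W")
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] < now:
        return None  # stale link
    if claims["nonce"] in _used_nonces:
        return None  # replay of a token that already set a session
    _used_nonces.add(claims["nonce"])
    return claims  # caller now sets its own Session("wholesale") from claims["wholesale"]
```

The token travels in the redirect URL exactly where the UID did; the difference is that the receiving site derives the wholesale flag from the verified claims rather than from anything the browser could edit.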
ap_sajith Commented:
Hi,
Any updates? Do you need any further assistance with this? Please close this question if no further assistance is needed.
If you need help closing this question, please refer to http://www.experts-exchange.com/help.jsp#hs5 on how to close a question.

Cheers!!
geneane (Author) Commented:
This was solved by other means.
ap_sajith Commented:
Could you please post this "other means" so that it would be useful for others that face a similar situation.
It would also greatly help us learn something new here.

Cheers!!