Solved

Losing session over SSL to Non SSL

Posted on 2004-04-06
7
553 Views
Last Modified: 2012-08-14
I have an application where the customer logs in securely and a session is set to identify them as wholesale or retail.
When they log in, if the WHOLESALE field in their database record is "W" then we set the session("wholesale") = "W"

Problem is after leaving the secure area to view products, they lose the wholesale satus.

The SSL folder is above the root and contains duplicate files of the application under the root.  The header file which is included in each document has the following code:

<% if session("wholesale") = "W" then %>
<p align="center"><font size="1"><font face="Arial">You are logged in as a Wholesale Customer.</font></font>
<% else %>
<% end if %>                              

The path to the application is as such:         http://www.myapplication.com/
The path to the SSL/secure site is as such:  https://secure.dnsracks.com/myapplication-com/

If you could be so kind to assist me, I would appreciate it...going to take a Tylenol on this mind boggler myself.
0
Comment
Question by:geneane
  • 5
7 Comments
 
LVL 21

Expert Comment

by:ap_sajith
ID: 10771781
It could be the fact that the URL's are configured using different domain names. As far as i know, cookies are specific to domain names. You cant access the cookie created by one site from another site. Since sessions depend on user cookies, your sessions might be lost between the URL switches.

You can try using something like a cookie munger to overcome the cookie issue.

Here is another article i came across that might be useful for you.
http://archives.neohapsis.com/archives/ntbugtraq/2001-q4/0178.html

Cheers!!
0
 
LVL 21

Expert Comment

by:ap_sajith
ID: 10771866
BTW.. Have you configured the SSL & non SSL sites as two separate Applications / Virtual directories?. Do you have separate Global.asa configured for each?. If so, the sessions would not be persisted over the URL switches.

http://support.jodohost.com/showthread.php?p=9971

Cheers!!
0
 
LVL 21

Expert Comment

by:ap_sajith
ID: 10771889
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 
LVL 4

Expert Comment

by:BChan
ID: 10771903
Session variables cannot be shared across domains even mydomain.com www.mydomain.com This is due to the way in which IIS stores the Session.

A down and dirty approach, whic is not secure  is to set up hand shake page,  built for the specific purpose of setting these variables.


https://secure.dnsracks.com/myapplication-com/login.asp
<%
'User has Loged.
'''Set session variables
Response.Redirect ("http://www.myapplication.com/SessionHandShake.asp?UID=" & dbUID)
%>

http://www.myapplication.com/SessionHandShake.asp?
<%
IF REQUEST.ServerVariables("Http_Reffer") = 'https://secure.dnsracks.com/myapplication-com/login.asp' THEN  
'This simple crenditials chack is not appropiate for  highly secure data
'''''''''''''''''''''''
'Repeat  Session Variable checking From Database  using REquest("dbUID")
''''
''send to thank you Page
RESPONSE.Redirect("https://secure.dnsracks.com/myapplication-com/loginComplete.asp")

END IF
%>

The other option is to move the information to a database. In this case, you would need to do lookups on the data based on IP and the user agent. Insead of looking for the info in the SESSION object, you would query the database.

However, once you move this information from the SESSION and you need to concern youself with ways that people can steal another's Identity, As is possible with the first option I presented. This may be considered an appropiate risk if  the information is not sensitive, but it has the potentioal to be disasterous.

Your Most secure option is to use https://www.myapplication.com/SecureSite/
But this is not always possible.

Hope this was useful.
BChan
0
 
LVL 21

Accepted Solution

by:
ap_sajith earned 500 total points
ID: 11020998
Hi,
Any Updates?. Do you need any further assistance with this?. Please close this question if no further assistance is needed.
If you need help closing this question, please refer to http://www.experts-exchange.com/help.jsp#hs5 on how to close a question.

Cheers!!
0
 
LVL 1

Author Comment

by:geneane
ID: 11022154
This was solved by other means.
0
 
LVL 21

Expert Comment

by:ap_sajith
ID: 11025747
Could you please post this 'Other Means' so that it would be useful for others that face a similar situation.
It would also greatly help us learn something new here.

Cheers!!
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Hello, all! I just recently started using Microsoft's IIS 7.5 within Windows 7, as I just downloaded and installed the 90 day trial of Windows 7. (Got to love Microsoft for allowing 90 days) The main reason for downloading and testing Windows 7 is t…
Have you ever needed to get an ASP script to wait for a while? I have, just to let something else happen. Or in my case, to allow other stuff to happen while I was murdering my MySQL database with an update. The Original Issue This was written…
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now