IE6 XP SP2 HTTP & HTTPS Cookies problem

A kind person who tried to buy something from our website sent an email to explain that she could not enter our checkout.

Windows 2000 IIS 5

http://www.outdoorgear.co.uk

When a new visitor arrives we give them a cookie. IIS gives them a session ID. Somehow when they switch from http to https they become a different person with a different cookie, but the session ID is the same. How strange is that?

So why do they have a different cookie when they are using https?

Any ideas would be very welcome.



inthedarkAsked:

meverestCommented:
Hello,

That is the expected behaviour. Cookies are linked explicitly to the web site that issues them. The browser will never send a cookie to another site regardless of any request, and in this context a change from http to https is a different web site.

I'm not sure how the session state is maintained, but probably you are passing the session token between http and https (e.g. https://www.outdoorgear.co.uk?sessionID=123)

cheers,  Mike.

0
inthedarkAuthor Commented:
Hi,

if you got to the site using this link:

http://www.outdoorgear.co.uk/$svars.asp

Look at the bottom of the page at the HTTP_COOKIE value. When you first visit the site there is no Session ID set. If you click Refresh, you will see that the HTTP_COOKIE now shows a session id.

In the same window, if you edit the link so that the http:// becomes https:// and then press enter, you will see that you keep the same Session ID. This means that all of the items in the session object are retained.

In the case of this lady, her Session ID is the same but we think her cookies are changing.


0
meverestCommented:
Hello,

Yes, a bit of additional research compels me to retract my initial statement. As it turns out, the base cookie identifier is just the hostname part (e.g. www.outdoorgear.co.uk), but there are several associated properties that you can set to extend the reach of that cookie.

two properties significant to your issue are "port list" whereby you may define a set of ports to which the cookie may be returned, and "secure" whereby you may define whether ssl is *required* in order to return the cookie.

I suggest that the first one will hold your solution. When you define (i.e. set) your client cookies, refer to the technology documentation (i.e. JavaScript, ASP, etc.) to determine how you can add port 443 (SSL) to the 'portlist' property of the cookies.

that should then allow portability between the http and https applications (so long as the hostname does not change)

Cheers.
0
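As an added example, not part of the original thread, the following JavaScript models how a browser that follows RFC 6265 (the cookie specification current browsers implement, which obsoleted the RFC 2965 Set-Cookie2 "Port" attribute that browsers never adopted) decides which stored cookies to send with a request. The rule that matters for this question: a cookie is scoped by host and path, not by scheme or port, so a cookie set over http://www.outdoorgear.co.uk is also returned to https://www.outdoorgear.co.uk. The one attribute that distinguishes the two is Secure, which restricts a cookie to HTTPS requests only. The cookie names, values and the checkout.asp URL below are constructed for illustration and are not the site's real cookies.

```javascript
// Added example (not from the original thread): a minimal RFC 6265 cookie jar.
// Shows why an http-issued cookie is still sent over https to the same host,
// and why only a Secure cookie behaves differently between the two schemes.

// RFC 6265 5.1.4: default path is the request path up to, not including, the last '/'.
function defaultPath(pathname) {
  if (!pathname.startsWith('/') || pathname.lastIndexOf('/') === 0) return '/';
  return pathname.slice(0, pathname.lastIndexOf('/'));
}

// RFC 6265 5.1.3: host equals the domain, or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// RFC 6265 5.1.4: request path equals the cookie path, or is under it.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Parse one Set-Cookie header value received in a response to requestUrl.
// Expires, Max-Age, HttpOnly and SameSite are ignored: they do not affect
// the http-versus-https question discussed in the thread.
function parseSetCookie(header, requestUrl) {
  const url = new URL(requestUrl);
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  if (eq <= 0) throw new Error('Set-Cookie without a name: ' + header);
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: url.hostname.toLowerCase(), // host-only cookie unless Domain= is given
    hostOnly: true,
    path: defaultPath(url.pathname),
    secure: false,
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map((s) => s.trim());
    switch (k.toLowerCase()) {
      case 'domain':
        cookie.domain = v.replace(/^\./, '').toLowerCase();
        cookie.hostOnly = false;
        break;
      case 'path':
        if (v.startsWith('/')) cookie.path = v;
        break;
      case 'secure':
        cookie.secure = true; // only returned over HTTPS
        break;
    }
  }
  return cookie;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie, replacing any existing one with the same name/domain/path.
  setCookie(header, requestUrl) {
    const c = parseSetCookie(header, requestUrl);
    this.cookies = this.cookies.filter(
      (o) => !(o.name === c.name && o.domain === c.domain && o.path === c.path));
    this.cookies.push(c);
  }

  // Build the Cookie request header a browser would send to requestUrl.
  // Note that the scheme is consulted only for the Secure check.
  cookieHeaderFor(requestUrl) {
    const url = new URL(requestUrl);
    const host = url.hostname.toLowerCase();
    const https = url.protocol === 'https:';
    return this.cookies
      .filter((c) => (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)))
      .filter((c) => pathMatches(url.pathname, c.path))
      .filter((c) => !c.secure || https)
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Walk through the thread's scenario with constructed cookie values.
function demo() {
  const jar = new CookieJar();
  // First visit over plain HTTP: the site issues a session cookie (value made up).
  jar.setCookie('ASPSESSIONID=ABC123; path=/', 'http://www.outdoorgear.co.uk/$svars.asp');
  // Over HTTPS the checkout sets a Secure cookie (hypothetical page and value).
  jar.setCookie('checkout=token42; path=/; Secure', 'https://www.outdoorgear.co.uk/checkout.asp');
  return {
    http:  jar.cookieHeaderFor('http://www.outdoorgear.co.uk/$svars.asp'),
    https: jar.cookieHeaderFor('https://www.outdoorgear.co.uk/$svars.asp'),
    other: jar.cookieHeaderFor('https://shop.outdoorgear.co.uk/'),
  };
}
```

Running demo() shows the session cookie in both the http and https Cookie headers, the Secure checkout cookie only in the https one, and nothing at all for a different hostname. If the real site showed a different cookie value over https, the cause is therefore not scheme scoping but something that re-issued the cookie, which is consistent with the author's eventual finding about IIS session handling under load.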


inthedarkAuthor Commented:
That kinda makes sense.
0
Nelson_PiresCommented:
When you say the client got a different cookie with https, are you sure they got a cookie.key.value at all? Or did they just get a cookie.key with no value set? If this is the case you may need to specify a cookie.expire; if you don't, cookies tend to not get set every now and then, don't know why, but it happened to me several times.

Also, if Session ID is maintained throughout ok, then on the secure pages, set the cookie again with the Session ID value, just to be on the safe side.

Hope it helps.
0
meverestCommented:
suggest accept meverest
0
inthedarkAuthor Commented:
We solved the problem by not using IIS session management. We think that the web-site was over-stretched (sometimes we have 3000+ open sessions) and the lack of available memory caused IIS to do unusual things.
0