IE6 XP SP2 HTTP & HTTPS Cookies problem

Posted on 2004-11-22
Last Modified: 2012-06-27
A kind person who tried to buy something from our website sent an email to explain that she could not enter our check out.

Windows 2000 IIS 5

http://www.outdoorgear.co.uk

When a new visitor arrives we give them a cookie. IIS gives them a session ID. Somehow when they switch from http to https they become a different person with a different cookie, but the session ID is the same. How strange is that?

So why do they have a different cookie when they are using https?

Any ideas would be very welcome.



Question by:inthedark
LVL 37

Expert Comment

by:meverest
ID: 12646839
Hello,

That is the expected behaviour. Cookies are linked explicitly to the web site that issues them. The browser will never send a cookie to another site regardless of any request, and in this context, a change from http to https is a different web site.

I'm not sure how the session state is maintained, but probably you are passing the session token between http and https (e.g. https://www.outdoorgear.co.uk?sessionID=123)

cheers,  Mike.

LVL 17

Author Comment

by:inthedark
ID: 12647260
Hi,

If you go to the site using this link:

http://www.outdoorgear.co.uk/$svars.asp

Look at the bottom of the page at the HTTP_COOKIE value. When you first visit the site there is no Session ID set. If you click Refresh, you will see that the HTTP_COOKIE now shows a session id.

In the same window, if you edit the link so that the http:// becomes https:// and then press enter, you will see that you keep the same Session ID. This means that all of the items in the session object are retained.

In the case of this lady, her Session ID is the same but we think her cookies are changing.


LVL 37

Accepted Solution

by: meverest (earned 2000 total points)
ID: 12648366
Hello,

Yes, a bit of additional research compels me to retract my initial statement. As it turns out, the base cookie identifier is just the hostname part (e.g. www.outdoorgear.co.uk), but there are several associated properties that you can set to extend the reach of that cookie.

Two properties significant to your issue are "port list", whereby you may define a set of ports to which the cookie may be returned, and "secure", whereby you may define whether SSL is *required* in order to return the cookie.

I suggest that the first one will hold your solution. When you define (i.e. set) your client cookies, refer to the technology documentation (i.e. JavaScript, ASP, etc.) to determine how you can add port 443 (SSL) to the 'portlist' property of the cookies.

That should then allow portability between the http and https applications (so long as the hostname does not change).

Cheers.
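Added example, not part of the thread: a small script using Python's standard `http.cookiejar`, which applies the RFC 6265 scoping rules modern browsers follow, to show which cookies a jar returns to http:// and https:// requests for the same host, and how the `Secure` attribute changes that. The host www.example.test, the cookie names and the values are constructed placeholders, not the questioner's site or data.

```python
"""Which cookies cross the http:// -> https:// boundary for one host?

Cookies are scoped by host (and path), not by scheme or port; the Secure
attribute additionally restricts a cookie to https:// requests.  The
Set-Cookie headers below are constructed for the demonstration.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for a urllib response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header   # Message appends repeated headers

    def info(self):
        return self._msg


def build_jar(issuing_url, set_cookie_headers):
    """Simulate a browser receiving Set-Cookie headers from issuing_url."""
    jar = CookieJar()
    jar.extract_cookies(FakeResponse(set_cookie_headers), Request(issuing_url))
    return jar


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url, sorted."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie", "")
    return sorted(part.split("=", 1)[0].strip()
                  for part in header.split(";") if part.strip())


if __name__ == "__main__":
    # Two constructed cookies issued over plain http: one ordinary, one Secure.
    jar = build_jar("http://www.example.test/", [
        "visitor=abc123; Path=/",
        "cart=xyz789; Path=/; Secure",
    ])
    print(cookies_sent_to(jar, "http://www.example.test/checkout"))   # ['visitor']
    print(cookies_sent_to(jar, "https://www.example.test/checkout"))  # ['cart', 'visitor']
    print(cookies_sent_to(jar, "http://shop.example.test/"))          # []
```

The ordinary cookie travels to both schemes on the same host, the Secure one only over https, and neither reaches a different hostname; a cookie that disappears on the https side of a site therefore points at the cookie's own attributes or at the server re-issuing it, not at the scheme change itself.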
LVL 17

Author Comment

by:inthedark
ID: 12649394
That kinda makes sense.

Expert Comment

by:Nelson_Pires
ID: 12685869
When you say the client got a different cookie with https, are you sure they got a cookie.key.value at all? Or did they just get a cookie.key with no value set? If this is the case you may need to specify a cookie.expire; if you don't, cookies tend to not get set every now and then. I don't know why, but it happened to me several times.

Also, if the Session ID is maintained throughout OK, then on the secure pages set the cookie again with the Session ID value, just to be on the safe side.

Hope it helps.
LVL 37

Expert Comment

by:meverest
ID: 13380697
suggest accept meverest
LVL 17

Author Comment

by:inthedark
ID: 13415010
We solved the problem by not using IIS session management. We think that the web-site was over-stretched (sometimes we have 3000+ open sessions) and the lack of available memory caused IIS to do unusual things.