How to change URL from http to https without losing the session

I have a web application that is not secured, but when the user gets to the credit card form page I need to secure it (http to https). When I redirect to the link starting with https://------- the session gets lost.
How can I change the URL from http to https without redirection?
Nabilbahr Asked:
Nabilbahr (Author) Commented:
Is it possible to change the URL in the address bar using JavaScript?
0
Kyanar Commented:
Can you tell us which language your application is written in?  PHP?  ASP.NET?
0
mrichmon Commented:
The session should not get lost when changing to https unless the secure site is not the same web server.  Can you give us some more information about how the session is being lost?

You cannot use JavaScript to simply change the address bar - even if you could, it would have no effect until the page re-loaded using SSL.
0
Nabilbahr (Author) Commented:
I'm using a Visual Basic 6.0 web application.
0
Sudaraka Wijesinghe, Web Application Programmer, Commented:
This is an issue I have seen in many web servers when transferring between domains.
The solution I used in a situation like this is to serialize the data in the session of the first domain to a parameter on the query string and pass it over to the next domain. On the second domain I deserialize the query string and populate the session.
I have used this method in PHP and ASP.

One glitch I faced, and still haven’t found a solution for, is that when I want to destroy a session I could only destroy the session which the user is currently in.

0
Nabilbahr (Author) Commented:
In my web application, if I want to submit a form with action="http://tfitours.com/mars.asp?wci=Start&wce=logon&"
sometimes I lose the session, depending on the apartment thread that it uses,
but if I use action="mars.asp?wci=Start&wce=logon&" it works fine.

Now if I want to change http to https, what can I do? Sometimes it works, sometimes I lose the session.
The way that I know is by redirecting the whole URL using https instead of http, which isn't good.
Can anybody tell me an alternative?
0
Sudaraka Wijesinghe, Web Application Programmer, Commented:
As in your example, you need to keep all the pages in http://tfitours.com/ to maintain the session. If at any place you redirect to a different domain or subdomain on the same server, the session will break. (I think some web servers can be configured to share the session in subdomains.)

So in your case, if you move to http://www.tfitours.com/ or http://secure.tfitours.com/, you’ll lose the session. But you will NOT lose it by going to https://tfitours.com/
Note that some browsers change http://tfitours.com/ to http://www.tfitours.com/ by themselves.

When a new session is created, the web server creates a session ID, which you will see as PHPSESSIONID or ASPSESSIONID or simply the ID member of the session data collection. This ID is an MD5 of a string created using the Server Signature and Client Signature.
The client signature will contain IP, application (IE or Mozilla), etc. And the server signature will contain the server IP, domain name, etc.

Oh, and this just came to my mind: I once came across a situation where even in the same domain it kept losing the session. The issue in that case was that the domain was load balanced and its configuration was not set correctly. (The SA at the time fixed it; I don’t have many details on that.)
0
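
Added example (not part of any post in this thread, and not the site's code): a simplified model of the browser cookie matching rules in RFC 6265, showing why a session cookie set by tfitours.com follows the user to https://tfitours.com/ but not to https://www.tfitours.com/. The cookie value and the `Domain` variant are constructed for illustration; path and expiry checks are omitted.

```javascript
// Simplified RFC 6265 cookie matching (path and expiry ignored).
// Cookie names and values below are constructed sample data.

// RFC 6265 section 5.1.3: host equals the domain, or ends with "." + domain.
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Build the record a browser would store for a Set-Cookie received from setUrl.
function storeCookie(setUrl, { name, value, domain = null, secure = false }) {
  const host = new URL(setUrl).hostname;
  return {
    name, value, secure,
    domain: (domain || host).toLowerCase(),
    hostOnly: domain === null, // no Domain attribute: exact host only
  };
}

// Would the browser attach this cookie to a request for requestUrl?
function isSent(cookie, requestUrl) {
  const u = new URL(requestUrl);
  const hostOk = cookie.hostOnly
    ? u.hostname === cookie.domain
    : domainMatch(u.hostname, cookie.domain);
  // The scheme only matters when the Secure attribute is set.
  const schemeOk = !cookie.secure || u.protocol === "https:";
  return hostOk && schemeOk;
}

function report(cookie, urls) {
  return Object.fromEntries(urls.map((u) => [u, isSent(cookie, u)]));
}

const urls = [
  "http://tfitours.com/mars.asp",
  "https://tfitours.com/mars.asp",
  "https://www.tfitours.com/app.asp",
  "http://secure.tfitours.com/",
];

// Session cookie with no Domain attribute and no Secure flag.
const hostOnly = storeCookie("http://tfitours.com/mars.asp",
  { name: "ASPSESSIONID", value: "constructed-sample" });
// Same cookie with an explicit Domain attribute covering subdomains.
const wide = storeCookie("http://tfitours.com/mars.asp",
  { name: "ASPSESSIONID", value: "constructed-sample", domain: "tfitours.com" });

console.log(report(hostOnly, urls));
console.log(report(wide, urls));
```

A cookie issued without the Secure attribute is also sent on the plain-HTTP pages, so a session that has to protect the card form should be issued (or reissued) over HTTPS with Secure set.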
Nabilbahr (Author) Commented:

My links are usually  <a href="app.asp?wci=start&wce=process&">process</a>   (running as http).
If I use <a href="https://www.tfitours.com/app.asp?wci=start&wce=process&">process</a>
the user may lose the session.
How can I create a link on a page that links to the secure version of the site ("https instead of http")
without losing the session?
0