Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

how to change url from http to https without loosing the session

Posted on 2006-04-19
10
Medium Priority
?
7,900 Views
Last Modified: 2008-01-09
i have a web application that is is not secured but when the user get to the credit card form page i need to secure it (http to https)  when i redirect the link starting https://-------  the session get lost
how can i change the url from http to https without redirection
0
Comment
Question by:Nabilbahr
8 Comments
 

Author Comment

by:Nabilbahr
ID: 16494725
is it possible to change the url on the address bar using java script
0
 
LVL 3

Expert Comment

by:Kyanar
ID: 16494794
Can you tell us which language your application is written in?  PHP?  ASP.NET?
0
 
LVL 35

Expert Comment

by:mrichmon
ID: 16499309
The session should not get lost when changing to https unless the secure site is not the same web server.  Can you give us some more information about how the session is being lost?

You cannot use javascript to simply change the address bar - even if ou could it would have no effect until the page re-loaded using SSL.
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 

Author Comment

by:Nabilbahr
ID: 16500445
i'm using visual basic 6.0 web application
0
 
LVL 18

Expert Comment

by:Sudaraka Wijesinghe
ID: 16502260
This is an issue I have seen in many web server when transferring between domains.
Solution I used in a situation like this is to serialize the data in session of first domain to a parameter on query string and pass it over to next domain. On the second domain I deserialize the query string and populate the session.
I have used this method in PHP and ASP.

One glitch I faced and still haven’t found a solution is that when I want to destroy a session I could only destroy the session which the user is currently in.

0
 

Author Comment

by:Nabilbahr
ID: 16502929
in my web application if i want to submit a form  action="http://tfitours.com/mars.asp?wci=Start&wce=logon&"
sometimes i loose the session depending on the apartment thread that it uses
but if i use action="mars.asp?wci=Start&wce=logon&" it works fine

now if i want to change http to https , what can i do? sometime it works sometimes i loose the session
the way that i know is by redirecting the whole url using https instead of http , which isn't good
can anybody tell me an alternative
0
 
LVL 18

Accepted Solution

by:
Sudaraka Wijesinghe earned 1200 total points
ID: 16504644
As in your example you need to keep all the pages in http://tfitours.com/ to maintain the session. If at any place you redirect to different domain or sub domain in the same server the session will break. (I think some web server can be configured to share the session in sub domains)

So in you case if you move http://www.tfitours.com/ or http://secure.tfitours.com/, you’ll lose the session. But you will NOT loose it by going to https://tfitours.com/
Note that some browsers change http://tfitours.com/ to http://www.tfitours.com/ by them self.

When new session is created, web server creates an session ID which you will see as PHPSESSIONID or ASPSESSIONID or simply ID member of the session data collection. This ID is a MD5 of a string created using Server Signature and Client Signature.
Client signature will contain IP, application (IE or Mozilla), ect. And server signature will contain the Server IP, domain name, ect.

Oh and this just came into my mind, I once came into a situation that even in the same domain it keep loosing the session, issues in that case was the domain was load balanced and it’s configuration was not set correctly. (SA at the time fixed it, I don’t have much details on that)
0
 

Author Comment

by:Nabilbahr
ID: 16683649

my links are usually  <a href="app.asp?wci=start&wce=process&">process</a>   (running as http)
if i use <a href="https://www.tfitours.com/app.asp?wci=start&wce=process&">process</a>
the user may loose the session.
how can i create a link on a page that link to the secure version of the site "https instead of http"
without loosing the session.
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article was originally published on Monitis Blog, you can check it here . Today it’s fairly well known that high-performing websites and applications bring in more visitors, higher SEO, and ultimately more sales. By the same token, downtime…
Ready to get certified? Check out some courses that help you prepare for third-party exams.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The is a quite short video tutorial. In this video, I'm going to show you how to create self-host WordPress blog with free hosting service.
Suggested Courses

580 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question