Re: Shopping cart, session on SSL

From: Hans Kesting (news.2.hansdk_at_spamgourmet.com)
Date: 09/27/04


Date: Mon, 27 Sep 2004 10:08:31 +0200

Adil Akram wrote:
> I have created a site shopping cart in ASP.net.
>
> I am using ASP session object's SessionID on non SSL connection to
> track session.
> While adding products to cart DB I insert product and SessionID in
> table. All products and cart status pages are on non SSL connection.
>
> On checkout to get secure user information I shifted connection to
> SSL but when shifting to SSL, the SessionID changed (As this is the
> default behavior of IIS to prevent stealing of the SSL session).
>

I don't think it's IIS changing sessions; it's the browser: SSL works over a
different port (443 instead of 80). The browser thinks this is a new site
and will not send the session cookie of the non-SSL site.

> To get rid of this problem I shifted all my products and cart pages
> to SSL; now it's working fine but I am not satisfied with this
> solution because it is not feasible to put all product pages (about
> 500 pages) on SSL. As I see while shopping on big companies' sites,
> i.e. Microsoft, Amazon etc., they change to SSL only on the checkout page.
>
> How can I build it so that all pages remain non-SSL and only the
> checkout pages are on SSL? One solution may be to use custom
> cookies to track the session but it may have the same problem of session
> hijacking / session stealing.
>
> Can anyone please explain to me what is the best way to create a shopping
> cart with SSL, the ASP/ASP.net session or setting my own cookies?
>
> Please explain in detail or refer some useful links.
>
> regards,
> Adil

You will need some sort of synchronization between the SSL and non-SSL
parts. One way would be to store the shopping cart in the database
(possibly only "on checkout") under some unique ID. Pass that ID to the SSL
page so you can retrieve the shopping cart there.

Hans Kesting
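An added example of the handoff Hans describes (this is not code from the thread): the cart stays in the database and the HTTPS checkout page receives only an identifier. The `CartHandoff` class, its in-memory `Dictionary` standing in for the database table, and the 5-minute lifetime are assumptions; the point it adds is that the identifier passed across should be a random, single-use, short-lived token rather than the HTTP session id, which was visible in plaintext on the cart pages.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical helper (not from the thread): a one-time handoff token that
// carries the cart from the non-SSL pages to the SSL checkout page.
public class CartHandoff
{
    // Stand-in for a DB table with columns (token, cart_id, expires_utc).
    private readonly Dictionary<string, (int CartId, DateTime Expires)> rows =
        new Dictionary<string, (int CartId, DateTime Expires)>();
    private readonly TimeSpan lifetime = TimeSpan.FromMinutes(5); // assumed

    // Called by the HTTP cart page right before redirecting to checkout.
    // 32 bytes from a cryptographic RNG: not guessable and not derived from
    // the HTTP session id, which anyone on the path could have observed.
    public string Issue(int cartId)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string token = BitConverter.ToString(bytes).Replace("-", ""); // hex, URL-safe
        rows[token] = (cartId, DateTime.UtcNow.Add(lifetime));
        return token; // e.g. Response.Redirect("https://shop.example/checkout.aspx?h=" + token)
    }

    // Called once by the HTTPS checkout page. The row is deleted on first
    // use and rejected after expiry, so a token copied from the plaintext
    // redirect is only useful if replayed before the real client arrives;
    // the checkout page should then start its own session with a Secure cookie.
    public int? Redeem(string token)
    {
        if (token == null || !rows.TryGetValue(token, out var row)) return null;
        rows.Remove(token);                             // single use
        if (row.Expires < DateTime.UtcNow) return null; // expired
        return row.CartId;
    }

    public static void Main()
    {
        var store = new CartHandoff();
        string h = store.Issue(42);                 // HTTP side
        Console.WriteLine(store.Redeem(h));         // HTTPS side: 42
        Console.WriteLine(store.Redeem(h) == null); // replay: True
    }
}
```

The redirect carrying the token is still sent over plain HTTP, so the short lifetime and single use are what limit a captured copy; the checkout page must not reuse the HTTP session id afterwards.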
