RE: Maintaining state between 2 domains


About the only way I can think of accomplishing this is to have a gateway
page on each of the domains that passes the session vars back and forth. As
your clients move from one domain to the next, you would need to force them
through the appropriate gateway page. For example:

------------------------
Link from non-secure to secure:
------------------------
<a href='https://secure.myisp.com/mydomain/gateway.aspx?var1=a&var2=b'>Click
here for secure access</a>

https://secure.myisp.com/mydomain/gateway.aspx would contain the following
code:

' Copy the values passed on the query string into this application's session
session("var1")=request("var1")
session("var2")=request("var2")
response.redirect("default.aspx")

------------------------
Link from secure to non-secure:
------------------------
<a href='http://www.mydomain.com/gateway.aspx?var1=a&var2=b'>Click here for
non-secure access</a>

http://www.mydomain.com/gateway.aspx would contain the following code:

' Copy the values passed on the query string into this application's session
session("var1")=request("var1")
session("var2")=request("var2")
response.redirect("default.aspx")

Hope this helps..... Rich

"Pete" wrote:

> I'm writing a web site for a friend. The site is going to have to
> consist of two ASP.NET applications: one running over HTTP and one
> over HTTPS. The problem is that the domains will be different, so how
> do I maintain state between the public area (http://www.mydomain.com)
> and the secure area (https://secure.myisp.com/mydomain)?
>
> What I'm trying to achieve here is for the site user to login to the
> site in the secure area, and then have a GUID that identifies the
> user's "session" that can be accessed by pages from either
> application. When I've done this in the past I've just stored a value
> in a cookie, but that's always been on sites where both applications
> are on the same domain - that's not the case this time.
>
> Any suggestions?
>
> Any help will be gratefully received.
>
> Pete
>
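
An added example, not part of the posts above: one way for a gateway page to accept only a value the other application issued is to pass a single HMAC-signed, short-lived token holding the session GUID instead of raw variables. The names HandoffToken, Issue and TryValidate and the shared key are assumptions made for illustration.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Text
' Added example, not from the original post. HandoffToken, Issue and TryValidate
' are hypothetical names. The key is a constructed placeholder; both applications
' must hold the same secret (assumption: loaded from protected configuration).
Public Module HandoffToken
    Private ReadOnly Key As Byte() = Encoding.UTF8.GetBytes("constructed-demo-key")

    Private Function Sign(payload As String) As String
        Using mac As New HMACSHA256(Key)
            Return BitConverter.ToString(mac.ComputeHash(Encoding.UTF8.GetBytes(payload))).Replace("-", "")
        End Using
    End Function
    ' Comparison that does not stop at the first differing character.
    Private Function FixedTimeEquals(a As String, b As String) As Boolean
        If a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (Convert.ToInt32(a(i)) Xor Convert.ToInt32(b(i)))
        Next
        Return diff = 0
    End Function

    ' Sending application: sign the session GUID together with an expiry time.
    Public Function Issue(sessionId As Guid, lifetime As TimeSpan) As String
        Dim payload As String = sessionId.ToString("N") & "." & DateTime.UtcNow.Add(lifetime).Ticks.ToString()
        Return payload & "." & Sign(payload)
    End Function

    ' Receiving gateway: return the GUID only for an untampered, unexpired token.
    Public Function TryValidate(token As String, ByRef sessionId As Guid) As Boolean
        sessionId = Guid.Empty
        Dim parts As String() = If(token, "").Split("."c)
        If parts.Length <> 3 Then Return False
        If Not FixedTimeEquals(Sign(parts(0) & "." & parts(1)), parts(2)) Then Return False
        Dim expiresTicks As Long
        If Not Long.TryParse(parts(1), expiresTicks) Then Return False
        If DateTime.UtcNow.Ticks > expiresTicks Then Return False
        Return Guid.TryParseExact(parts(0), "N", sessionId)
    End Function
    Public Sub Main()
        Dim token As String = Issue(Guid.NewGuid(), TimeSpan.FromSeconds(60))
        Dim id As Guid
        Console.WriteLine(TryValidate(token, id))
        ' Same signature, different GUID: the gateway must refuse it.
        Console.WriteLine(TryValidate(Guid.NewGuid().ToString("N") & token.Substring(32), id))
    End Sub
End Module
```

In this arrangement gateway.aspx would call TryValidate on the token taken from the query string and store the GUID in the session only when it returns True.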