Re: Sessions/Cookies between sites

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Mark Schupp (mschupp_at_ielearning.com)
Date: 05/11/04 

Date: Tue, 11 May 2004 08:01:53 -0700

Yes, session variables and cookies will not be shared between the http and
https sites (if the HTTP and HTTPS pages are in the same IIS application, it
used to be possible to share session state, I don't know if that was a bug
or a feature. I haven't tried it since IIS 4).

Yes, you can pass data back and forth with form elements. A more secure
approach would be to keep the user data in a database and pass only and
identifier back and forth.

As long as the user returns to one site or another within the session
timeout period set in IIS their session variables will still be available.
If cookies are not set to expire or they return before the cookie expires
then cookies will be available as well. 

-- 
Mark Schupp
Head of Development
Integrity eLearning
www.ielearning.com
"Astra" <info@NoEmail.com> wrote in message news:40a0c0df_4@127.0.0.1...
> Hi All
>
> Can I just confirm, is it true that Session Vars and Cookies from my main
> http site will all be lost when I ask the user to transfer over to the
> secure (https) side of my site?
>
> Although the http and https sites are hosted on the same ISP they are
under
> different domains (as well as protocols of course).
>
> Is it usually the case that I form post/get the intrinsic details back and
> forth between the http and https so that I can keep things on track?
>
> More importantly, if the user is still in the same session and they go to
> the https side of the site and then go back to the http side (they may
want
> to check something - because they just do), has all of my session var and
> cookie data still be lost because of the change of sites?  I have a
feeling
> that my cookies will be OK, but my session vars may have been lost -
> correct?
>
> Rgds
>
> Robbie
>
>

Relevant Pages

  • Re: Is it possible at all to secure an unencrypted website?
    ... Session cookies or cookies that supply authentication information are just as easily intercepted as query string parameters if the plaintext HTTP data can be sniffed. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: Cookie not conserved across jump
    ... just leads to another HTTP request. ... If you also allow the session ID to ... A browser just sends the cookies it received before (let aside JS- ... You can check with Firefox' Live HTTP Headers (or HTTP ...
    (comp.lang.php)
  • Re: Firewall session disconnects after 2 minutes of inactivity
    ... I want to start by pointing out the following: HTTP keep-alives and anything ... involved in the early stage of the connection when the client downloads the ... The HOD server I mean. ... when the session takes place through the ISA Server? ...
    (microsoft.public.isa)
  • Re: Opinion sort re user authentication ?
    ... Tony Benham wrote: ... I'm not storing financial data or anything very sensitive. ... known as "session based" or "form based" because it doesn't use HTTP ...
    (alt.php)
  • Re: HttpContext.Current.Session is null
    ... private static readonly CProjTest Instance = new CProjTest; ... HttpContext,as well as Session are created only for a HTTP request, ... I think you're trying to get session from a code that has nothing to do ...
    (microsoft.public.dotnet.framework.aspnet)