Re: Sessions/Cookies between sites

From: Laphan (news_at_DoNotEmailMe.co.uk)
Date: 05/11/04

    Date: Tue, 11 May 2004 19:22:27 +0100
    
    

    Thanks Guys

    Much appreciated.

    Rgds

    Robbie

    <anonymous@discussions.microsoft.com> wrote in message
    news:b46f01c4377f$ed462cf0$a401280a@phx.gbl...
    From my experience with IIS6 and Windows Server 2003

    Session variables are still retained when switching from
    http to https, I never knew it was a bug, I hope Microsoft
    doesn't fix this one.

    (Since the session variables are based on a session ID
    cookie, it is really dependent on the client browser
    whether or not the session variables will be retained,
    it's up to the client browser to decide if it should
    include the SessionID cookie in its https request).

    In the case of the original question, his https pages are
    on a different domain then the cookies and session
    variables will definitely not be retained.

    But if the user goes back to the http page before his
    session expires then the variables will still be there.

    Mendel Nemanov
    Spotlight Design
    >-----Original Message-----
    >Yes, session variables and cookies will not be shared between the http and
    >https sites (if the HTTP and HTTPS pages are in the same IIS application, it
    >used to be possible to share session state, I don't know if that was a bug
    >or a feature. I haven't tried it since IIS 4).
    >
    >Yes, you can pass data back and forth with form elements. A more secure
    >approach would be to keep the user data in a database and pass only an
    >identifier back and forth.
    >
    >As long as the user returns to one site or another within the session
    >timeout period set in IIS their session variables will still be available.
    >If cookies are not set to expire or they return before the cookie expires
    >then cookies will be available as well.
    >
    >--
    >Mark Schupp
    >Head of Development
    >Integrity eLearning
    >www.ielearning.com
    >
    >
    >"Astra" <info@NoEmail.com> wrote in message news:40a0c0df_4@127.0.0.1...
    >> Hi All
    >>
    >> Can I just confirm, is it true that Session Vars and Cookies from my main
    >> http site will all be lost when I ask the user to transfer over to the
    >> secure (https) side of my site?
    >>
    >> Although the http and https sites are hosted on the same ISP they are under
    >> different domains (as well as protocols of course).
    >>
    >> Is it usually the case that I form post/get the intrinsic details back and
    >> forth between the http and https so that I can keep things on track?
    >>
    >> More importantly, if the user is still in the same session and they go to
    >> the https side of the site and then go back to the http side (they may want
    >> to check something - because they just do), has all of my session var and
    >> cookie data still been lost because of the change of sites? I have a feeling
    >> that my cookies will be OK, but my session vars may have been lost -
    >> correct?
    >>
    >> Rgds
    >>
    >> Robbie
    >>
    >>
    >
    >
    >.
    >
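
The approach suggested in the quoted reply above (keep the user data in a database and pass only an identifier between the http and https sites), shown as an added example that is not part of the original thread. `HandoffStore`, `HANDOFF_TTL_SECONDS` and the in-memory dict standing in for the shared database are assumptions made for illustration.

```python
import secrets
import time

HANDOFF_TTL_SECONDS = 60  # assumed lifetime; short because the id travels in a URL or form field


class HandoffStore:
    """Stands in for the database both sites can reach (in-memory here)."""

    def __init__(self, now=time.time):
        self._rows = {}   # token -> (expires_at, user_data)
        self._now = now   # injectable clock so expiry can be exercised

    def issue(self, user_data):
        """Called by the sending site: store the data, return an opaque id."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._rows[token] = (self._now() + HANDOFF_TTL_SECONDS, dict(user_data))
        return token

    def redeem(self, token):
        """Called by the receiving site: return the data once, or None."""
        row = self._rows.pop(token, None)  # pop makes the id single-use
        if row is None:
            return None                    # unknown, forged or already redeemed
        expires_at, user_data = row
        if self._now() > expires_at:
            return None                    # expired before the user arrived
        return user_data


def demo():
    clock = [1000.0]
    store = HandoffStore(now=lambda: clock[0])
    basket = {"customer_id": 42, "basket": ["sku-1", "sku-2"]}  # constructed sample data

    token = store.issue(basket)
    first = store.redeem(token)     # https site loads the data
    replay = store.redeem(token)    # same id presented a second time
    stale = store.issue(basket)
    clock[0] += HANDOFF_TTL_SECONDS + 1
    expired = store.redeem(stale)   # presented after the TTL has passed
    return first, replay, expired


if __name__ == "__main__":
    print(demo())
```

Only the random identifier crosses between the two domains; the receiving site should then set its own session cookie instead of reusing the identifier as a session ID.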

