ASP Session, Cookies and SSL

From: Adil Akram (microsoftee_at_informit.com.pk)
Date: 09/26/04


Date: Sun, 26 Sep 2004 15:18:23 +0500

I have created a site shopping cart in ASP.net.

I am using the ASP session object's SessionID on a non-SSL connection to track
the session.
While adding products to the cart DB I insert the product and SessionID in a table.
All products and cart status pages are on a non-SSL connection.

On checkout, to get secure user information, I shifted the connection to SSL, but
when shifting to SSL the SessionID changed (as this is the default behavior
of IIS to prevent stealing the SSL session).

To get rid of this problem I shifted all my product and cart pages to SSL.
Now it's working fine, but I am not satisfied with this solution because it is
not feasible to put all product pages (about 500 pages) on SSL. As I see
while shopping on big companies' sites, e.g. Microsoft, Amazon etc., they
change to SSL only on the checkout page.

How can I build it so that all pages remain on non-SSL and only the checkout
pages are on SSL? One solution may be to use custom cookies to track the
session, but it may have the same problem of session hijacking/session
stealing.

Can anyone please explain to me what the best way is to create a shopping cart with
SSL: the ASP/ASP.net session or setting my own cookies?

Please explain in detail or refer me to some useful links.

regards,
Adil
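
The split the post asks about, as an added example that is not part of the original post: a cart cookie that travels over plain HTTP and only selects a cart, plus a second cookie marked Secure that is minted on the first HTTPS request and is the only key to checkout data. It is a language-neutral sketch in Python rather than ASP.NET code; the cookie names, `SERVER_KEY` and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only on the server
CHECKOUT_DATA = {}                    # checkout token -> data entered over HTTPS

def _cookie(name, value, secure):
    """Build a Set-Cookie value; Secure is set only for the checkout cookie."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    c[name]["httponly"] = True
    if secure:
        c[name]["secure"] = True      # browser sends it on HTTPS requests only
    return c[name].OutputString()

def _tag(cart_id, nonce):
    """HMAC binding a checkout nonce to one cart id."""
    msg = f"{cart_id}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def new_cart_cookie():
    """Product/cart pages (HTTP): random id that only selects a cart row."""
    cart_id = secrets.token_urlsafe(16)
    return cart_id, _cookie("CartId", cart_id, secure=False)

def begin_checkout(cart_id):
    """First HTTPS request: mint a second token bound to this cart."""
    nonce = secrets.token_urlsafe(16)
    token = f"{nonce}.{_tag(cart_id, nonce)}"
    CHECKOUT_DATA[token] = {}         # personal data is keyed by the token
    return token, _cookie("CheckoutToken", token, secure=True)

def checkout_data(cart_id, token, is_https):
    """Return the checkout record, or None if the request does not qualify."""
    if not is_https or not token or "." not in token:
        return None
    nonce, tag = token.split(".", 1)
    if not hmac.compare_digest(tag, _tag(cart_id, nonce)):
        return None
    return CHECKOUT_DATA.get(token)
```

A cart id captured from HTTP traffic still exposes the cart contents, so nothing personal should be stored under it; the checkout record is reachable only with the cookie that never leaves HTTPS.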