Re: ASP Session, Cookies and SSL

From: Andrew Zamkovoy (zam_at_parks.lv)
Date: 09/26/04

    Date: Sun, 26 Sep 2004 16:11:24 +0300
    
    

    Hello,

    Leave all product pages on an HTTP connection (good for search engines).

    Keep the "Shopping Cart" (SessionID, ProductID, SubProductID, Qty) in the
    database (let it be the table BASKET), not in cookies.

    When it is time for checkout, redirect to the HTTPS checkout pages:
        Response.Redirect "https://checkout.domain.com?ShopID=" & _
            Application("MyShopGlobalID") & "&OrderSession=" & Session.SessionID

    P.S. The ?ShopID= parameter (Application("MyShopGlobalID")) is for when you
    have multiple shops.

    After checkout (successful and unsuccessful) on the HTTPS side is complete,
    redirect back to the HTTP web site...

    With best regards,

    -- 
    Should you have any questions, please don't hesitate to contact me.
    If you respond to an email, please quote the complete message.
    http://1click.lv
    "Adil Akram" <microsoftee@informit.com.pk> wrote in message
    news:eYeKoI7oEHA.536@TK2MSFTNGP11.phx.gbl...
    > I have created a site shopping cart in ASP.net.
    >
    > I am using the ASP session object's SessionID on a non-SSL connection to
    > track the session.
    > While adding products to the cart DB I insert the product and SessionID in
    > a table. All products and cart status pages are on a non-SSL connection.
    >
    > On checkout, to get secure user information, I shifted the connection to
    > SSL, but when shifting to SSL the SessionID changed (as this is the default
    > behavior of IIS to prevent stealing the SSL session).
    >
    > To get rid of this problem I shifted all my products and cart pages to SSL.
    > Now it's working fine, but I am not satisfied with this solution because it
    > is not feasible to put all product pages (about 500 pages) on SSL. As I see
    > while shopping on big companies' sites, i.e. Microsoft, Amazon etc., they
    > change to SSL only on the checkout page.
    >
    > How can I build it so that all pages remain on non-SSL and only the
    > checkout pages are on SSL? One solution may be to use custom cookies to
    > track the session, but it may have the same problem of session hijacking /
    > session stealing.
    >
    > Anyone, please explain to me what is the best way to create a shopping cart
    > with SSL: the ASP/ASP.net session or setting own cookies.
    >
    > Please explain in detail or refer to some useful links.
    >
    > regards,
    > Adil
    >
    >
    >
    >
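
An added example, not part of the original posts: one way to harden the HTTP-to-HTTPS handoff described in the reply is to pass a signed, short-lived token naming the BASKET row instead of the raw SessionID, so the checkout side can reject altered or stale links. The class name HandoffToken, the Handoff query parameter, the key and the sample ids are assumptions constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical names). Needs .NET Core 2.1+ for FixedTimeEquals.
public static class HandoffToken
{
    // Constructed sample key; both sites would load the same random secret from config.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-sample-key-0123456789");

    // HMAC-SHA256 over the payload, base64url-encoded so it is safe in a query string.
    static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)))
                .Replace('+', '-').Replace('/', '_').TrimEnd('=');
    }

    // HTTP side: called just before the redirect. basketId is the BASKET row key.
    public static string Issue(string shopId, string basketId, DateTimeOffset now, int ttlSeconds)
    {
        if (shopId.Contains(".") || basketId.Contains("."))
            throw new ArgumentException("ids must not contain '.' (the field separator)");
        string payload = shopId + "." + basketId + "." + (now.ToUnixTimeSeconds() + ttlSeconds);
        return payload + "." + Sign(payload);
    }

    // HTTPS side: accept the token only if the signature matches and it has not expired.
    public static bool Validate(string token, DateTimeOffset now, out string shopId, out string basketId)
    {
        shopId = basketId = null;
        string[] p = (token ?? "").Split('.');
        if (p.Length != 4 || !long.TryParse(p[2], out long expires)) return false;
        byte[] given = Encoding.UTF8.GetBytes(p[3]);
        byte[] expected = Encoding.UTF8.GetBytes(Sign(p[0] + "." + p[1] + "." + p[2]));
        if (!CryptographicOperations.FixedTimeEquals(given, expected)) return false;
        if (now.ToUnixTimeSeconds() > expires) return false;
        shopId = p[0]; basketId = p[1];
        return true;
    }

    public static void Main()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        string token = Issue("1", "b7f3c2", now, 120); // constructed sample ids
        Console.WriteLine("https://checkout.domain.com?Handoff=" + Uri.EscapeDataString(token));
        Console.WriteLine(Validate(token, now, out _, out string basket) + " " + basket);
        Console.WriteLine(Validate(token + "x", now, out _, out _));          // tampered signature
        Console.WriteLine(Validate(token, now.AddMinutes(5), out _, out _));  // past expiry
    }
}
```

Single use is not enforced here; that would need a used-token record on the checkout side.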
    
