Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

how can I share an asp.net session between http and https

I read that a page which runs under an https connection cannot share an InProc Session (based on cookies) with another page (or the same for that matter) running under regular http. My site is running on Server 2003, IIS 6 and .Net 2.0.

After some experiments it appears that a page which stores data in session while being connected through https CAN subsequently access the data even if running under plain http.

So, is it possible or should I go over and look for flaws in the SSL configuration?

like image 649
Manu Avatar asked Feb 19 '09 22:02

Manu


People also ask

Is session shared between users?

No, it is not shared.

Where are sessions stored C#?

StateServer mode, which stores session state in a separate process called the ASP.NET state service. This ensures that session state is preserved if the Web application is restarted and also makes session state available to multiple Web servers in a Web farm.

What is session in C# with example?

Session is a State Management Technique. A Session can store the value on the Server. It can support any type of object to be stored along with our own custom objects. A session is one of the best techniques for State Management because it stores the data as client-based. Session.rar.

What is session in ASP.NET MVC?

In ASP.NET session is a state that is used to store and retrieve values of a user. It helps to identify requests from the same browser during a time period (session). It is used to store value for the particular time session. By default, ASP.NET session state is enabled for all ASP.NET applications.


2 Answers

From MSDN:

When a user moves back and forth between secure and public areas, the ASP.NET-generated session cookie (or URL if you have enabled cookie-less session state) moves with them in plaintext, but the authentication cookie is never passed over unencrypted HTTP connections as long as the Secure cookie property is set.

So basically, the cookie can be passed over both HTTP and HTTPS if the Secure property is set to false.

I have avoided this issue by adding this to my Global.asax file:

void Session_Start(object sender, EventArgs e) 
{
    if (Request.IsSecureConnection) Response.Cookies["ASP.NET_SessionID"].Secure = false;
}

This means that if the Session cookie is created over HTTP, it will only be accessible over HTTPS.

like image 78
John Rasch Avatar answered Nov 01 '22 23:11

John Rasch


IIS setting In the IIS properties window, under the ASP tab –> Session Properties, there is a setting for “New ID on Secure Connections”

I fixed this intermittent issue for myself by setting this to false.

like image 40
Holt Mansfield Avatar answered Nov 01 '22 22:11

Holt Mansfield