I read that a page which runs under an https connection cannot share an InProc Session (based on cookies) with another page (or the same for that matter) running under regular http. My site is running on Server 2003, IIS 6 and .Net 2.0.
After some experiments it appears that a page which stores data in session while being connected through https CAN subsequently access the data even if running under plain http.
So, is it possible or should I go over and look for flaws in the SSL configuration?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
From MSDN:
When a user moves back and forth
between secure and public areas, the
ASP.NET-generated session cookie (or
URL if you have enabled cookie-less
session state) moves with them in
plaintext, but the authentication
cookie is never passed over
unencrypted HTTP connections as long
as the Secure cookie property is set.
So basically, the cookie can be passed over both HTTP and HTTPS if the Secure property is set to false.
I have avoided this issue by adding this to my Global.asax file:
void Session_Start(object sender, EventArgs e)
{
if (Request.IsSecureConnection) Response.Cookies["ASP.NET_SessionID"].Secure = false;
}
This means that if the Session cookie is created over HTTP, it will only be accessible over HTTPS.
Method 2
IIS setting
In the IIS properties window, under the ASP tab –> Session Properties, there is a setting for “New ID on Secure Connections”
I fixed this intermittent issue for myself by setting this to false.
Method 3
Searching for the problem doesn’t turn up much chatter about it so far, still looking.
Edit: okay finding some stuff now.
Right it seems that it will work fine if both sets of pages are in the same application/website.
So I’d go ahead and carry on, feeling reassured.
Method 4
If any of the above solution does not work try this. I have cracked this out after doing research of a couple of days.
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
...
...
CookieSecure = CookieSecureOption.Never
});
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0