Sessions & SSL

From: John Hamilton via .NET 247 (anonymous_at_dotnet247.com)
Date: 04/23/04

• Next message: Jamie Sutherland: "Please Help - Encryption Problems"
• Previous message: Ed Staffin: "Forms Auth Problems."
• Next in thread: Paul Glavich [MVP - ASP.NET]: "Re: Sessions & SSL"
• Reply: Paul Glavich [MVP - ASP.NET]: "Re: Sessions & SSL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 23 Apr 2004 05:13:07 -0700

Hello. Here's my problem. I have an e-commerce site with a login & checkout pages needing to be secure. To enforce these pages to be ssl I simply put in the page load:

If Not Request.IsSecureConnection Then
    Response.Redirect(Request.URL.AbsoluteUri.Replace("http:", "https:"))
End If

Now this works fine as long as cookieless is false. I'm fine with that. The only problem is IE gives a popup warning that the certificate name doesn't match the site. This is because the original page server_host is setup as www.abcdef.com, and the common name on the ssl is only abcdef.com (no www).

Now if I change my redirect code to this:
If Not Request.IsSecureConnection Then
    Response.Redirect(Request.URL.AbsoluteUri.Replace("http://" & Request.ServerVariables("HTTP_HOST"), "https://abcdef.com"))
End If

A new session is created because the server_host is different, and all information from the previous http session is unavailable in the new https session. I could force all pages to use the common name as the host, but this is not ideal. Eventually I'd like to use a shared ssl server (on the same machine). Is there any way around this without serializing all my objects and storing them in cookies?

Thanks!

--------------------------------
From: John Hamilton
MCP, MCSD, MCDBA

-----------------------
Posted by a user from .NET 247 (http://www.dotnet247.com/)

<Id>TrxuVMqXXUiPwAxTLCEbCw==</Id>

• Next message: Jamie Sutherland: "Please Help - Encryption Problems"
• Previous message: Ed Staffin: "Forms Auth Problems."
• Next in thread: Paul Glavich [MVP - ASP.NET]: "Re: Sessions & SSL"
• Reply: Paul Glavich [MVP - ASP.NET]: "Re: Sessions & SSL"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: LDAP over SSL configuration ... Obviously SSL is encrypted ... I'm not sure how to install the certificate to enforce it. ... > requires secure connection and quite a few others that do not. ... (microsoft.public.windows.server.general) Re: Ace Password Sniffer : How does it work ? ... >> Another protocol that offers same is IPSec. ... >> authentication and secure transfer of data between server and client ... >> would be pretty hard to use SSL to secure data exchanged between ... Once you are done with the secured login, ... (microsoft.public.security) RE: Certificate prblems with exchange public folders ... c103b404 during accessing Public Folders in Exchange System Manager. ... SSL certificate server name is incorrect" with error code c103b404 stemmed ... Click to clear the Require secure channel check box. ... 8.Restart Exchange System Attendant Service and then restart ... (microsoft.public.windows.server.sbs) Re: Setting up HTTPS w/subdomain on Apache2 ... Secure data transfer ... The docs recommended using SSL, ... I'm mistaken, HTTP w/SSL = HTTPS. ... Authentication would be basic or digest (Personally I'm using basic ... (Ubuntu) Re: Setting up HTTPS w/subdomain on Apache2 ... Secure data transfer ... The docs recommended using SSL, ... I'm mistaken, HTTP w/SSL = HTTPS. ... Authentication would be basic or digest (Personally I'm using basic ... (Ubuntu)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint