Re: ASP session SSL

From: Joerg Jooss (joerg.jooss_at_gmx.net)
Date: 09/27/04


Date: Mon, 27 Sep 2004 08:11:37 +0200

Adil Akram wrote:
> I have created a site shopping cart in ASP.net.
>
> I am using ASP session object's SessionID on non SSL connection to
> track session.
> While adding products to cart DB I insert product and SessionID in
> table. All products and cart status pages are on non SSL connection.
>
> On checkout, to get secure user information, I shifted the connection to
> SSL, but when shifting to SSL the SessionID changed (as this is the
> default behavior of IIS to prevent stealing the SSL session).
>
> To get rid of this problem I shifted all my product and cart pages
> to SSL; now it's working fine, but I am not satisfied with this
> solution because it is not feasible to put all product pages (about
> 500 pages) to SSL. As I see while shopping with big companies sites
> i.e. Microsoft, Amazon etc. they change to SSL only in checkout page.
>
> How can I build it so that all pages remain in non SSL and only
> checkout pages are on SSL? One solution may be to use custom
> cookies to track session but it may have the same problem of session
> hijacking/ session stealing.
>
> Anyone, please explain to me what is the best way to create a shopping
> cart with SSL: the ASP/ASP.net session or setting own cookies.

In order to avoid awkward session mapping, you'll need to move the shopping
cart contents out of your HttpSessionState. You can store the shopping cart
contents either in a persistent cookie or in a database. Both approaches
allow your users to keep their shopping cart contents across sessions
similar to Amazon.

Cheers,

-- 
Joerg Jooss
joerg.jooss@gmx.net 
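
The database variant suggested in the reply above, as an added example that is not part of the original post: the cart is keyed by a random token held in a persistent cookie, so it does not depend on the SessionID that changes at the switch to SSL. The names `CartStore` and `CartId` are hypothetical, and the in-memory dictionary stands in for the cart table.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;

public static class CartStore
{
    private const string CookieName = "CartId";   // hypothetical name
    // In-memory stand-in (assumption) for a cart table keyed by the token.
    private static readonly Dictionary<string, List<int>> Carts = new Dictionary<string, List<int>>();

    public static string GetOrCreateCartId(HttpContext ctx)
    {
        HttpCookie c = ctx.Request.Cookies[CookieName];
        if (c != null && IsToken(c.Value)) return c.Value;
        byte[] raw = new byte[16];
        new RNGCryptoServiceProvider().GetBytes(raw);   // unguessable token
        string id = BitConverter.ToString(raw).Replace("-", "");
        HttpCookie fresh = new HttpCookie(CookieName, id);
        fresh.Expires = DateTime.Now.AddDays(30);  // persistent across sessions
        fresh.HttpOnly = true;                     // not readable from script
        // Secure stays false so the cookie reaches the non-SSL product pages;
        // it only selects a cart and must never authorise checkout by itself.
        ctx.Response.Cookies.Add(fresh);
        return id;
    }

    // Adds a product (pass null to only read) and returns the cart contents.
    public static int[] Update(HttpContext ctx, int? productId)
    {
        string id = GetOrCreateCartId(ctx);
        lock (Carts)
        {
            List<int> items;
            if (!Carts.TryGetValue(id, out items))
                Carts[id] = items = new List<int>();
            if (productId.HasValue) items.Add(productId.Value);
            return items.ToArray();
        }
    }
    // Accept only values shaped like the tokens issued above (32 hex characters).
    private static bool IsToken(string s)
    {
        if (s == null || s.Length != 32) return false;
        foreach (char ch in s)
            if (!Uri.IsHexDigit(ch)) return false;
        return true;
    }
}
```

Because the token crosses the network in clear text on the product pages, the checkout pages should treat it only as a pointer to cart contents and collect or verify customer details over SSL independently of it.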

