catalyst2 community forums  

18-06-2008, 11:48 AM   #1
Registered User
 
Join Date: Aug 2006
Posts: 10
ASP.NET Session management on SSL

I have been successfully using a shared SSL certificate for my customer scotlandart.com to sell paintings online now for a number of years.

The site allows users to add multiple paintings to a basket, enter their personal details and then they are redirected to the secure server to provide their credit card details.

However, as we pass from HTTP to HTTPS secure I lose the Session. I believe this is because I need a different ASP.NET application on the HTTPS side.

I have got round this by storing the basket information in an SQL Server database using a GUID and then reloading the basket as I pass to the HTTPS side.

My customer now wants to add a lot of new features to the site which will dramatically complicate it. So, this approach will no longer be appropriate.

What I want to know is if there is any way to pass from HTTP to HTTPS without losing the current Session.

As I say, at the moment we have a shared certificate so when I go to HTTPS the URL becomes:-
https://grape.sslsecuredsite.com/scotlandart-com/

If we purchased a dedicated SSL certificate from Catalyst would that mean that the Session would be retained? Would it mean that I could maintain my HTTP and HTTPS pages within the same ASP.NET application? i.e. only one bin directory rather than two?

Thanks in advance for any help or advice.
GalaxyTech
18-06-2008, 02:32 PM   #2
Bring me your problems :p
Join Date: Jan 2003
Location: /dev/ahhhhhhhhh
Posts: 3,537
Hi,

Far as I am aware there isn't a way, as they are two separate IIS sites and applications, so a new session would be set up.

If you had a dedicated certificate everything stays in the same IIS site and app pool, just the URL would change to secure the connection.
paulredpath
19-06-2008, 10:30 AM   #3
Registered User
 
Join Date: Aug 2006
Posts: 10
Thanks for getting back to me on this Paul.

So are you saying that if we purchase a dedicated SSL certificate then as we then are maintaining a single application rather than two separate ones then the session will remain in place across the HTTP/HTTPS divide?
GalaxyTech
19-06-2008, 10:35 AM   #4
Bring me your problems :p
Join Date: Jan 2003
Location: /dev/ahhhhhhhhh
Posts: 3,537
John,

Yep, it would all run under the same site/app pool, not separate sites in IIS. To be honest I have never tested if a session is maintained, I would assume it is, plus you could pass the session ID in a var etc.
paulredpath
19-06-2008, 10:52 AM   #5
Registered User
 
Join Date: Aug 2006
Posts: 10
Thanks Paul.

I'll get working on my customer to get him to pay for the dedicated certificate.
GalaxyTech
19-06-2008, 01:25 PM   #6
Bring me your problems :p
Join Date: Jan 2003
Location: /dev/ahhhhhhhhh
Posts: 3,537
No problem
paulredpath
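
Added example, not code from any of the posts above: a sketch of the basket handoff described in post #1, with the value carried across the HTTP to HTTPS redirect being a random, single-use, short-lived token rather than the session ID mentioned in post #4. The class and method names are hypothetical, the dictionary is an assumed in-memory stand-in for the SQL Server table, and the token comes from the CSPRNG instead of `Guid.NewGuid()`, which is designed for uniqueness rather than unpredictability.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example: BasketHandoff, Issue and Redeem are hypothetical names; _rows stands in for the database table.
public sealed class BasketHandoff
{
    private sealed class Entry { public string[] Items; public DateTime ExpiresUtc; }
    private readonly Dictionary<string, Entry> _rows = new Dictionary<string, Entry>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(5); // assumed lifetime
    private readonly object _gate = new object();

    // HTTP side: persist the basket and return the token to append to the HTTPS redirect URL.
    public string Issue(string[] items, DateTime nowUtc)
    {
        byte[] raw = new byte[16]; // 128 bits of CSPRNG output
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = BitConverter.ToString(raw).Replace("-", "");
        lock (_gate) _rows[token] = new Entry { Items = items, ExpiresUtc = nowUtc + Lifetime };
        return token;
    }

    // HTTPS side: load the basket once; unknown, replayed or expired tokens are refused.
    public bool Redeem(string token, DateTime nowUtc, out string[] items)
    {
        items = null;
        lock (_gate)
        {
            if (token == null || !_rows.TryGetValue(token, out Entry e)) return false;
            _rows.Remove(token); // single use: the row is deleted even if it has expired
            if (nowUtc > e.ExpiresUtc) return false;
            items = e.Items;
            return true;
        }
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new BasketHandoff();
        DateTime t0 = DateTime.UtcNow;
        string token = store.Issue(new[] { "painting-101", "painting-207" }, t0);       // constructed basket
        Console.WriteLine(store.Redeem(token, t0.AddSeconds(30), out string[] basket)); // first use on the HTTPS side
        Console.WriteLine(store.Redeem(token, t0.AddSeconds(31), out basket));          // replay of the same token
        token = store.Issue(new[] { "painting-311" }, t0);
        Console.WriteLine(store.Redeem(token, t0.AddMinutes(6), out basket));           // presented after the lifetime
    }
}
```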