Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
1.2k views
in Technique[技术] by (71.8m points)

ssl - how can I share an asp.net session between http and https

I read that a page which runs under an https connection cannot share an InProc Session (based on cookies) with another page (or the same for that matter) running under regular http. My site is running on Server 2003, IIS 6 and .Net 2.0.

After some experiments it appears that a page which stores data in session while being connected through https CAN subsequently access the data even if running under plain http.

So, is it possible or should I go over and look for flaws in the SSL configuration?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

From MSDN:

When a user moves back and forth between secure and public areas, the ASP.NET-generated session cookie (or URL if you have enabled cookie-less session state) moves with them in plaintext, but the authentication cookie is never passed over unencrypted HTTP connections as long as the Secure cookie property is set.

So basically, the cookie can be passed over both HTTP and HTTPS if the Secure property is set to false.

I have avoided this issue by adding this to my Global.asax file:

void Session_Start(object sender, EventArgs e) 
{
    if (Request.IsSecureConnection) Response.Cookies["ASP.NET_SessionID"].Secure = false;
}

This means that if the Session cookie is created over HTTP, it will only be accessible over HTTPS.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

2.1m questions

2.1m answers

60 comments

57.0k users

...