ASP Session, Cookies and SSL - ASP Database


  1. #1

    ASP Session, Cookies and SSL

    I have created a site shopping cart in ASP.net.

    I am using the ASP session object's SessionID on a non-SSL connection to track
    the session.
    While adding products to the cart DB, I insert the product and SessionID in a table.
    All product and cart status pages are on a non-SSL connection.

    On checkout, to get secure user information, I shifted the connection to SSL, but
    when shifting to SSL, the SessionID changed (as this is the default behavior
    of IIS to prevent stealing the SSL session).

    To get rid of this problem I shifted all my product and cart pages to SSL, and
    now it's working fine, but I am not satisfied with this solution because it is
    not feasible to put all product pages (about 500 pages) on SSL. As I see
    while shopping on big companies' sites, e.g. Microsoft, Amazon etc., they
    change to SSL only on the checkout page.

    How can I build it like that, so that all pages remain non-SSL and only the
    checkout pages are on SSL? One solution may be to use custom cookies to track
    the session, but it may have the same problem of session hijacking/session
    stealing.

    Can anyone please explain to me what is the best way to create a shopping cart
    with SSL: the ASP/ASP.net session or setting my own cookies?

    Please explain in detail or refer me to some useful links.

    regards,
    Adil




    Adil Guest

  2. #2

    Re: ASP Session, Cookies and SSL

    Please do not multipost. This question has nothing to do with databases, so
    there was no benefit to you from posting it here.

    In addition, by posting the same question
    separately in these newsgroups, you created a "multipost". This is bad
    because users in one group cannot see replies to the question from the other
    group. This could cause somebody to waste his time answering a question that
    has already been answered in the other group, which will certainly be
    annoying, and may cause the person who wasted his time to put you on Ignore.
    Who knows, this person may be the only person in the newsgroups who knows
    the answer to your next question, and you're never going to receive his
    answer.

    The best policy is: post your question to one appropriate newsgroup. If
    you've posted it in the wrong place, someone will let you know, and
    hopefully will be polite enough to suggest a more appropriate newsgroup. If
    you can't decide which of several newsgroups is the most appropriate, use
    the cross-posting technique: put the names of the newsgroups into the To
    field of a single message and post it once. It will be posted to all the
    groups in your To field. The benefit is that replies to the message will
    appear in all the newsgroups to which you cross-posted it, so subscribers to
    all the groups will know that your problem has been resolved. The downside
    is that extra bandwidth will be used as a result, so always strive to keep
    the number of cross-posted groups to a minimum.

    --
    Microsoft MVP - ASP/ASP.NET
    Please reply to the newsgroup. This email account is my spam trap so I
    don't check it very often. If you must reply off-line, then remove the
    "NO SPAM"


    Bob Guest

  3. #3

    Re: ASP Session, Cookies and SSL

    Hello,

    Leave all product pages under the HTTP connection (good for search engines).

    Keep the "Shopping Cart" (SessionID, ProductID, SubProductID, Qty) in the database
    (let it be table: BASKET), not in cookies.

    When it is time for checkout, redirect to the HTTPS checkout pages:
    Response.Redirect "https://checkout.domain.com?ShopID=" & _
        Application("MyShopGlobalID") & "&OrderSession=" & Session.SessionID

    P.S. ?ShopID=<%=Application("MyShopGlobalID")%>& if you have multiple shops.

    After the checkout (success or failure) on the HTTPS side completes, redirect
    back to the HTTP web site...

    With best regards,

    --

    Should you have any questions, please don't hesitate to contact me.
    If you response to an email, please quote the complete message.
    http://1click.lv



    Andrew Guest

  4. #4

    Re: ASP Session, Cookies and SSL

    Hello, Andrew,

    Do you think that this solution has no security flaw in it?
    I mean, if anyone else gets the session ID from the URL and submits it on the
    user's behalf to attempt fraud or disturb the user's order.

    Adil



    Adil Guest

  5. #5

    Re: ASP Session, Cookies and SSL

    Hello,

    1. You may send a somehow "encrypted" SessionID (for example, type it
    vice versa).
    Send it with the POST method, not like in my example using the SEND method.

    2. On the HTTPS side, check the Referer URL. Accept only connections from your
    HTTP web site(s).

    ----------------
    ' Allow the HTTPS checkout page to be entered only from one of our own HTTP
    ' shop hosts. The Referer is a header supplied by the client's browser.
    Function CheckMyInternalSecure
        Dim Referer_URL, Referers, Result
        Result = 0
        Referer_URL = Request.ServerVariables("HTTP_REFERER")

        If (Referer_URL = "") Or (Len(Referer_URL) < 3) Then
            Result = -1
        Else
            ' "http://host/path" splits into ("http:", "", "host", "path", ...),
            ' so element 2 is the host name
            Referers = Split(LCase(Referer_URL), "/", -1, 1)

            If UBound(Referers) < 2 Then
                Result = -1
            ElseIf (Referers(2) <> "1.lv") And (Referers(2) <> "2.lv") And _
                   (Referers(2) <> "3.lv") And (Referers(2) <> "4.lv") And _
                   (Referers(2) <> "5.lv") Then
                Result = -1
            End If
        End If

        If (Result = -1) Then
            '#################################################
            '### Security issue
            '#################################################
            NewSecurityIssue   ' logging routine defined elsewhere on the site

            Response.Redirect (Application("BASEHREF"))
            Response.End
        End If
    End Function
    ----------------

    With best regards,



    Andrew Guest

  6. #6

    Re: ASP Session, Cookies and SSL

    Hi Andrew,

    Whether you send it through POST or GET, a hacker can always sniff out the
    value from network traffic. Although getting the POST data requires some
    skills, it's not foolproof security; a hacker with a little technical
    knowledge can get it easily.

    As you said to check the referer URL on the checkout page, the hacker can send my
    site URL as the REFERER_URL with his post, so it can be hacked easily.

    regards,
    Adil



    Adil Guest

  7. #7

    Re: ASP Session, Cookies and SSL

    Hello,

    The same way:

    On the HTTP web site, prepare and save the order header/order sub-items in the database.
    Send the HTTPS web site the encrypted Order ID + Order ID hash sum.

    With best regards,



    Andrew Guest
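Andrew's suggestion in #7 worked through as an added example (not code from the thread): the HTTP side saves the order in the database and hands the HTTPS checkout a signed, expiring, single-use token that names only the order, so neither the SessionID nor a bare, guessable order number travels in the URL. Python is used here to show the logic, which carries over to ASP; the shared secret, the token layout and the in-memory nonce store are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Assumed shared secret, known to both the HTTP storefront and the HTTPS
# checkout host (constructed placeholder: load it from configuration).
HANDOFF_SECRET = b"constructed-placeholder-secret-use-32-random-bytes"
TOKEN_TTL_SECONDS = 300

# Replay protection: nonces already redeemed. In-memory set here; on a real
# site this would be a table purged after TOKEN_TTL_SECONDS.
USED_NONCES = set()


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def create_handoff_token(order_id: str, secret: bytes = HANDOFF_SECRET, now: int = None) -> str:
    """HTTP side: mint a signed, short-lived, single-use reference to the saved
    order. Only the order id travels; the SessionID never leaves the HTTP host."""
    now = int(time.time()) if now is None else now
    payload = {"oid": order_id, "exp": now + TOKEN_TTL_SECONDS,
               "nonce": _b64(os.urandom(16))}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)


def verify_handoff_token(token: str, secret: bytes = HANDOFF_SECRET, now: int = None):
    """HTTPS side: return the order id if the token is authentic, unexpired and
    not yet redeemed; otherwise None. Checks the MAC before trusting the body."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(sig)):
            return None                      # forged or tampered
        payload = json.loads(base64.urlsafe_b64decode(body))
        order_id, exp, nonce = payload["oid"], payload["exp"], payload["nonce"]
    except (ValueError, TypeError, KeyError):
        return None                          # malformed token
    if exp < now or nonce in USED_NONCES:
        return None                          # expired or replayed
    USED_NONCES.add(nonce)
    return order_id
```

The checkout page then loads the BASKET rows for the returned order id from the database and never needs the HTTP SessionID at all.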
