John Hamilton via .NET 247 #1
Sessions & SSL
Hello. Here's my problem. I have an e-commerce site with a login & checkout pages needing to be secure. To enforce these pages to be ssl I simply put in the page load:
    If Not Request.IsSecureConnection Then
        Response.Redirect(Request.Url.AbsoluteUri.Replace("http:", "https:"))
    End If
Now this works fine as long as cookieless is false. I'm fine with that. The only problem is IE gives a popup warning that the certificate name doesn't match the site. This is because the original page server_host is setup as www.abcdef.com, and the common name on the ssl is only abcdef.com (no www).
Now if I change my redirect code to this:
    If Not Request.IsSecureConnection Then
        Response.Redirect(Request.Url.AbsoluteUri.Replace("http://" & Request.ServerVariables("HTTP_HOST"), "https://abcdef.com"))
    End If
A new session is created because the server_host is different, and all information from the previous http session is unavailable in the new https session. I could force all pages to use the common name as the host, but this is not ideal. Eventually I'd like to use a shared ssl server (on the same machine). Is there any way around this without serializing all my objects and storing them in cookies?
Thanks!
--------------------------------
From: John Hamilton
MCP, MCSD, MCDBA
-----------------------
Posted by a user from .NET 247 (http://www.dotnet247.com/)
John Hamilton via .NET 247 Guest
Paul Glavich [MVP - ASP.NET] #2
Re: Sessions & SSL
SSL works by using host affinity and there is not much way around this
without perhaps having one site as a "subsite" of the other. So one would be
the main site, and the other might be a virtual directory that exists
beneath the main site, thus enabling the subsite to utilise the same
certificate.
HTH,
--
- Paul Glavich
Microsoft MVP - ASP.NET
"John Hamilton via .NET 247" <anonymous@dotnet247.com> wrote in message
news:O#FgXxSKEHA.3436@tk2msftngp13.phx.gbl...
Hello. Here's my problem. I have an e-commerce site with a login &
checkout pages needing to be secure. To enforce these pages to be ssl I
simply put in the page load:
If Not Request.IsSecureConnection Then
Response.Redirect(Request.URL.AbsoluteUri.Replace( "http:", "https:"))
End If
Now this works fine as long as cookieless is false. I'm fine with that.
The only problem is IE gives a popup warning that the certificate name
doesn't match the site. This is because the original page server_host is
setup as www.abcdef.com, and the common name on the ssl is only abcdef.com
(no www).
Now if I change my redirect code to this:
    If Not Request.IsSecureConnection Then
        Response.Redirect(Request.Url.AbsoluteUri.Replace("http://" & Request.ServerVariables("HTTP_HOST"), "https://abcdef.com"))
    End If
A new session is created because the server_host is different, and all
information from the previous http session is unavailable in the new https
session. I could force all pages to use the common name as the host, but
this is not ideal. Eventually I'd like to use a shared ssl server (on the
same machine). Is there any way around this without serializing all my
objects and storing them in cookies?
Thanks!
--------------------------------
From: John Hamilton
MCP, MCSD, MCDBA
-----------------------
Posted by a user from .NET 247 (http://www.dotnet247.com/)
Paul Glavich [MVP - ASP.NET] Guest
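The redirect John posted rewrites the URL with String.Replace, which also rewrites any "http:" that happens to sit in the query string (a returnUrl parameter, for instance) and keeps whatever explicit port the original request carried. The following is an added example, not code from either poster, showing the same redirect built with UriBuilder so that only the scheme, host and port change. The constant SecureHost and the module and function names are assumptions for this example; "abcdef.com" is the certificate host from the thread.

```vbnet
' Added example (not from the thread): force login/checkout pages onto HTTPS
' on the host that matches the certificate's common name, while preserving
' the requested path and query string.
Imports System
Imports System.Web

Public Module SecureRedirect

    ' Host that matches the certificate's common name (from the thread).
    ' Assumption for this example: substitute the real certificate host.
    Public Const SecureHost As String = "abcdef.com"

    ' Returns the HTTPS equivalent of originalUrl on secureHost.
    ' Kept free of HttpContext so it can be exercised in a unit test.
    Public Function BuildSecureUrl(ByVal originalUrl As Uri, ByVal secureHost As String) As String
        Dim builder As New UriBuilder(originalUrl)
        builder.Scheme = Uri.UriSchemeHttps
        builder.Host = secureHost
        ' UriBuilder copies the original port (80 for plain HTTP); -1 tells it
        ' to use the default port for the new scheme, i.e. 443, instead of
        ' emitting https://abcdef.com:80/.
        builder.Port = -1
        ' Path and query are left untouched, so no other "http:" text in the
        ' URL is rewritten.
        Return builder.Uri.AbsoluteUri
    End Function

    ' Call from Page_Load of each page that must be served over SSL.
    Public Sub RequireHttps(ByVal context As HttpContext)
        If context.Request.IsSecureConnection Then Return
        ' endResponse:=True stops further processing of the plain-HTTP page.
        context.Response.Redirect(BuildSecureUrl(context.Request.Url, SecureHost), True)
    End Sub

End Module
```

Worked through by hand, BuildSecureUrl(New Uri("http://www.abcdef.com/checkout.aspx?step=2"), "abcdef.com") yields "https://abcdef.com/checkout.aspx?step=2". This does not by itself carry the session across: the ASP.NET_SessionId cookie is issued for the host that created it, so www.abcdef.com and abcdef.com hold separate sessions, which is exactly the behaviour the thread describes. On ASP.NET 2.0 and later the cookie can be scoped to the parent domain with <httpCookies domain=".abcdef.com" /> in web.config (assumption: the thread predates that version, so it does not apply to the original poster's 1.1 site). Note the trade-off before doing so: a session identifier that was first issued over plain HTTP has already travelled unencrypted, so a session that will hold checkout data is better started, or its identifier reissued, once the user is on the HTTPS host, rather than inherited from the HTTP one.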