I forgot to add that I received the other person's product as well as my own, and it was worth significantly more than mine... So....interesting side note... I called and explained the situation... and they sent me a shipping label to return the item.. then I was refunded the value of it!!!?!?
-----Original Message-----
From: Philip Sayers
Sent: Monday, November 04, 2002 2:08 PM
To: ActiveServerPages
Subject: RE: Sessions and HTTPS -> HTTP

I was under the impression that the session over https and http is different. And if you switch from one to the other it's not safe to access session variables that existed in the previous state since you may end up jumping into someone else's session... which I think I did recently on an electrical appliance seller's website. I logged in, filled up a cart, and then edited the URL and just removed the 's' from https...and I could see someone else's cart...and I was logged in with someone else's account.

I can't tell you where I got this from (possibly this list, possibly a post by Rob Chartier, or Charles Carrol) because it was over 18 months ago... but I'm fairly confident that the safest way to maintain the same session when switching between http and https is to put a sessionid in a form var that's posted invisibly as the user switches pages, or in the querystring....this does mean that you will have to persist all the session vars to storage somehow (db, txt, xml...)

-----Original Message-----
From: Ben Timby [mailto:asp@;webexc.com]
Sent: Tuesday, November 05, 2002 2:15 PM
To: ActiveServerPages
Subject: Sessions and HTTPS -> HTTP

We have a site which uses HTTPS to protect a database login form. When the user logs in, we set a session var, and redirect them back to index.asp. The redirect drops the https:// from the url. This seems in a few cases to also drop the session var cookies from the browser.

The problem is this. When the user logs in (the login form and handler are both secured), and is then redirected to the index.asp (which is not secured), they lose their session cookies. I grepped a user out of our IIS logs, and the session looks like this:

Line 1:2002-11-04 0:47:39 ??.??.??.?? 443 POST /security/process_login.asp - 302 0 437 752 469 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) ASPSESSIONIDQGGGQFSQ=FIPMLLMCKDFCBFHNNINHENNI;+Image11=1017;+Image21=101 4;+Image31=1013
Line 2:2002-11-04 0:47:43 ??.??.??.?? 80 GET /index.asp - 200 0 0 548 156 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) -

As you can see the cookies are going away. I have not ever heard of this before, I however did find this discussion:

http://w6.metronet.com/~wjm/tomcat/2000/Dec/msg00626.html

But that does not make sense, because this site is working for the majority of users, and we have only gotten a couple reports of problems.

Does anyone have any ideas?

Ben Timby
Webexcellence
PH: 317.423.3548 x23
TF: 800.808.6332 x23
FX: 317.423.8735
[EMAIL PROTECTED]
www.webexc.com

---
You are currently subscribed to activeserverpages as: [EMAIL PROTECTED]
To unsubscribe send a blank email to %%email.unsub%%
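
Added example, not part of the original thread or written by its participants: a log check for the symptom Ben describes, flagging the first port-80 request that follows an HTTPS request carrying an ASPSESSIONID cookie when it arrives with no session cookie or a different one. The 14-field layout is assumed from the two log lines quoted above; the sample lines, addresses and cookie values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the field layout of the two quoted log lines:
# date time client-ip port method uri query status 4-counters user-agent cookie
SAMPLE_LOG = """\
2002-11-04 00:47:39 192.0.2.10 443 POST /security/process_login.asp - 302 0 437 752 469 Mozilla/4.0+(compatible;+MSIE+6.0) ASPSESSIONIDAAAAAAAA=CONSTRUCTEDVALUE1;+Image11=1017
2002-11-04 00:47:43 192.0.2.10 80 GET /index.asp - 200 0 0 548 156 Mozilla/4.0+(compatible;+MSIE+6.0) -
2002-11-04 00:50:02 192.0.2.20 443 POST /security/process_login.asp - 302 0 437 752 469 Mozilla/4.0+(compatible;+MSIE+5.5) ASPSESSIONIDAAAAAAAA=CONSTRUCTEDVALUE2
2002-11-04 00:50:03 192.0.2.20 80 GET /index.asp - 200 0 0 548 156 Mozilla/4.0+(compatible;+MSIE+5.5) ASPSESSIONIDAAAAAAAA=CONSTRUCTEDVALUE2
2002-11-04 00:52:10 192.0.2.30 443 POST /security/process_login.asp - 302 0 437 752 469 Mozilla/4.0+(compatible;+MSIE+6.0) ASPSESSIONIDAAAAAAAA=CONSTRUCTEDVALUE3
2002-11-04 00:52:11 192.0.2.30 80 GET /index.asp - 200 0 0 548 156 Mozilla/4.0+(compatible;+MSIE+6.0) ASPSESSIONIDBBBBBBBB=CONSTRUCTEDVALUE4
"""

SESSION_RE = re.compile(r"ASPSESSIONID[A-Z]+=[^;\s]+")

def parse(line):
    """Extract the fields needed from one log line; None for comments or short lines."""
    f = line.split(None, 13)  # cookie is the 14th field and keeps any stray spaces
    if line.startswith("#") or len(f) < 14:
        return None
    m = SESSION_RE.search(f[13])
    return {"when": f"{f[0]} {f[1]}", "client": (f[2], f[12]), "port": f[3],
            "uri": f[5], "session": m.group(0) if m else None}

def find_session_breaks(log_text):
    """Return (kind, when, ip, uri) for the first plain-HTTP request after an HTTPS
    request with a session cookie, if the cookie is missing or has changed."""
    last_https = {}  # client -> session cookie last seen on port 443
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        key = rec["client"]  # IP + user agent: a heuristic, NAT or proxies can merge users
        if rec["port"] == "443":
            if rec["session"]:
                last_https[key] = rec["session"]
        elif key in last_https:
            before = last_https.pop(key)
            if rec["session"] is None:
                findings.append(("dropped", rec["when"], key[0], rec["uri"]))
            elif rec["session"] != before:
                findings.append(("changed", rec["when"], key[0], rec["uri"]))
    return findings

if __name__ == "__main__":
    for finding in find_session_breaks(SAMPLE_LOG):
        print(*finding)
```

Grouping the flagged requests by user agent shows whether the loss is confined to particular browsers, which matches the "couple of reports" pattern in the original question.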
