Hi Nicholas,

Most browsers support passing the same "session-cookie" key between HTTP and HTTPS addresses, for the same "domain". This is not a problem.

But as far as most every browser is concerned, www.mysite.com and subdomain.mysite.com are two completely different sites (regardless if they both point at the same IP address) and are not associated in any way. Therefore, a browser will not associate a "session-cookie" captured by one site with another site. I believe this is also true for changing port numbers on the end of the domain name.

These rules are in place to make "session-cookies" visible to the assigned address only - but invisible to other domains. This is to protect your "key" from being exposed to sites with malicious intent.

I believe this standard is covered with RFC2964 http://rfc.net/rfc2964.html

Of course, the reliable implementation of this standard is up to the various browser manufacturers. I know MS Internet Explorer does work this way (because that's all I program for), but I can't speak for other lesser browsers.

One of the technical differences between "session-cookies" and regular cookies is that "session-cookies" are only stored in memory while the associated windows are open. "session-cookies" are NOT written to the hard drive like other cookies. Once you close all the windows spawned by the original Parent, as well as the Parent - then the "session-cookies" are automatically purged from memory and destroyed. Which is why "session-cookies" are widely regarded as "safe" cookies and don't typically fall under cookie blocking rules for newer browsers. This is why most browsers will have enable/disable settings for both types.

Please note the terminology I've used here may vary between browser brands.

By the way, do let Witango assign your "session-cookie" (a.k.a. <@USERREFERENCE>) for you. If you want to roll your own session key - make sure you know what you're doing by reading the RFC standards on cookie assignments.

Hope this helps.

Cheers.......

Scott Cadillac,
XML-Extranet - http://xml-extra.net
403-281-6090 - [EMAIL PROTECTED]
Well-formed Development
--
Extranet solutions using C# .NET, Witango, MSIE and XML

> -----Original Message-----
> From: Nicholas Froome [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 02, 2003 4:41 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Witango-Talk: Licensing Errors / session cookies
>
> >So if the parent is www.mysite.com but the popup (child) is for
> >subdomain.mysite.com (regardless if this points to the same server), or the
> >IP address of www.mysite.com - the Browser will treat this as a completely
> >different site and will not assign the "session-cookie" key - which spawns a
> >new session with the Server.
>
> Do session cookies persist across sessions that mix http and
> https calls to the same domain / subdomain? I assume they do...
>
> ________________________________________________________________________
> TO UNSUBSCRIBE: Go to http://www.witango.com/maillist.taf
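
The cookie scoping discussed in this thread, as an added example that is not part of the original messages and is not Witango or browser code: a simplified model of the sending decision in the current cookie specification, RFC 6265 (an assumption; the thread cites RFC2964). The cookie name `sid`, the helper names and the sample URLs are constructed for illustration, and path matching and public-suffix checks are left out.

```javascript
// Added example: simplified RFC 6265 cookie-sending decision (not browser code).
// Helper names, the cookie name "sid" and all sample URLs are constructed.

// RFC 6265 section 5.1.3 domain-match: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  return !isIp && host.endsWith("." + domain);
}

// Build the stored cookie from the response that set it.
// No Domain attribute -> host-only cookie, bound to the exact setting host.
// No Max-Age/Expires  -> session cookie, dropped when the browser session ends.
function storeCookie(setByUrl, { name, value, domain = null, secure = false, maxAge = null }) {
  const host = new URL(setByUrl).hostname;
  if (domain !== null) {
    domain = domain.replace(/^\./, "");
    if (!domainMatch(host, domain)) return null; // a host cannot set cookies for an unrelated domain
  }
  return {
    name, value, secure,
    hostOnly: domain === null,
    domain: domain === null ? host : domain,
    persistent: maxAge !== null,
  };
}

// Would the browser attach this cookie to a request for requestUrl?
function wouldSend(cookie, requestUrl) {
  const url = new URL(requestUrl);
  const host = url.hostname; // RFC 6265 matching uses the host only; the port is not compared
  const hostOk = cookie.hostOnly
    ? host.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatch(host, cookie.domain);
  const schemeOk = !cookie.secure || url.protocol === "https:"; // Secure cookies never go over plain HTTP
  return hostOk && schemeOk;
}

// Constructed samples mirroring the www.mysite.com / subdomain.mysite.com case.
const hostOnly = storeCookie("http://www.mysite.com/", { name: "sid", value: "abc" });
const shared = storeCookie("http://www.mysite.com/", { name: "sid", value: "abc", domain: "mysite.com" });
const secureOnly = storeCookie("https://www.mysite.com/", { name: "sid", value: "abc", secure: true });
```

For a session key, the host-only form with `secure` set is the narrowest scope in this model: it stays on the exact host that issued it and is never sent over plain HTTP.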
