Sorry, I'm not always as precise with my terminology as I should be.
When I refer to "Application" below I am not referring to the ASP
Application Object, but to the IIS Web Application directory (and what
happens when a browser visits that IIS Web Application).
From IIS Server Administration Help:
---------------------------------------------------------------------------------
An IIS application is any file that is executed within a defined set of
directories in your Web site. When you create an application, you use the
Internet Information Services snap-in to designate the application's
starting-point directory (also called an application root) in your Web site.
Every file and directory under the starting-point directory in your Web site
is considered part of the application until another starting-point directory
is found. You thus use directory boundaries to define the scope of an
application.
Application Starting-Point
In the Internet Information Services snap-in, an application starting point
is indicated by a package icon. The following graphic shows an application
with a starting-point directory named /SiteAdmin:
- Sales
    + SiteAdmin
        + Login
        + Order
        + SetupDB
The files in the \Login, \Order, and \SetupDB directories are considered
part of the /SiteAdmin application.
You can have more than one application per Web site. The default Web site
that is created when you install Internet Information Services is an
application starting point.
Internet Information Services supports ASP, ISAPI, CGI, IDC, and SSI
applications. An application can share information among the files in the
application; for example, ASP applications share context flow, session
state, and variable settings across the pages of the application.
There can be multiple IIS Web Application directories on a web server.
Each IIS Web Application has 1 ASP Application Object and "n" Session
Objects (one for each browser).
On my server I have a "Jobs" application directory, a "Road Conditions"
application directory, and a "Tax Map" application directory.
As a browser visits pages in a given Web Application a Session Object
specific to that Web Application/Browser is created.
The Session variables set in "Jobs" (by a given user) are not available to
the ASP pages in "Road Conditions", etc.
However, the same SessionID Cookie is used for each of these IIS Web
Applications.
Anyway, my question is still:
How do you force IIS to create a different Session ID for the secure pages?
Do I have to do something to issue a new SessionID for the secure part of my
website, or is IIS smart enough to do that after the fix is applied?
Dave
-----Original Message-----
From: Peter Lanoie [mailto:planoie@e...]
Sent: Thursday, March 01, 2001 1:30 PM
To: Security_asp
Subject: RE: ASP Session ID under SSL
Ummm no...
I'm sorry that I can't contribute much to the discussion about SSL, but I
couldn't help but mention that you are off a little in your understanding of
ASP Applications and Sessions.
You have a web application. 1 Application per "WEB" under IIS. Typically,
you are only working in one application at a time.
The application begins upon the first request to any page within that
application web after the server is started. The application ends when the
server is stopped.
That application has multiple sessions. Every separate browser that
requests pages is a separate session.
Usually your sessions are all set up the same, with the same timeout value.
I suppose that you could create a different timeout, that is just a matter
of coding in the session.timeout property.
The session dies when you issue the abandon method, when the session times
out, or when a browser closes. I have had no luck using the Session_OnEnd
handler.
One thing that you have to be careful of with the Abandon method is that you
can't call that method, then try to set session variables. Kind of in the
same way that you can't expire a cookie then set it. The browser will see
the expire and not set the cookie. I fought with this for some time once. I
was clearing the cookie (expiring it) then setting it again. In testing I
added in a cookie read in the same page. In that order on the same page it
works... Expire, Set, Read. But the next page (i.e. a brand new request
which sends the cookie contents) will have no cookies, so a read will fail.
This all may be similar to the functionality of sessions - as they use a
cookie as well.
Hope that helps.
Peter
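The cookie and Session ordering Peter describes, written out as an added classic ASP example (this is not Peter's code and not from the thread): a cookie is replaced by assigning it again with a future expiry, deleted by a past expiry with no assignment after it, and Session.Abandon is the last thing a logout page does. The cookie name "prefs" and the redirect target are assumed.

```asp
<%@ Language=VBScript %>
<%
' Added example, not code from the original thread.
Option Explicit

' Replace a cookie: assign the new value and a future expiry. No delete step,
' so the browser is never told to drop the cookie before the new value arrives.
Sub ReplaceCookie(name, value, daysValid)
    Response.Cookies(name) = value
    Response.Cookies(name).Expires = Date + daysValid
    Response.Cookies(name).Path = "/"
End Sub

' Delete a cookie: past expiry, and do NOT assign a value afterwards on the
' same page, or the browser sees the expiry and discards the cookie anyway.
Sub DeleteCookie(name)
    Response.Cookies(name) = ""
    Response.Cookies(name).Expires = Date - 1
    Response.Cookies(name).Path = "/"
End Sub

' Request.Cookies holds what the browser sent with THIS request. Anything
' written through Response.Cookies above only shows up here on the next request.
Function CookieAsSent(name)
    CookieAsSent = Request.Cookies(name)
End Function

' Logout: clear the browser-side cookie (assumed name "prefs"), then Abandon as
' the final action. Session variables assigned after Abandon do not survive
' the end of this request, so nothing is written afterwards.
Sub Logout()
    DeleteCookie "prefs"
    Session.Abandon
    Response.Redirect "default.asp"   ' assumed landing page; also ends the script
End Sub
%>
```

Pages call ReplaceCookie to change a value in one step; only a genuine removal goes through DeleteCookie.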
-----Original Message-----
From: SHUNK Dave [mailto:Dave.SHUNK@c...]
Sent: Thursday, March 01, 2001 3:17 PM
To: Security_asp
Subject: RE: ASP Session ID under SSL
A few weeks ago I experimented with Sessions and here is what I found.
(At least what I think I found. :) Please correct me if I am wrong.)
'Microsoft ASP Sessions:
'
'                      SessionID_Cookie
'
'                      Root_Application
'          +-----------------+-----------------+
'     Application1      Application2      Application3
'          |                 |                 |
'     Var1,Var2...      Var1,Var2...      Var1,Var2...
'
'There is one temporary SessionID Cookie that is shared by all of
'the Applications.
'Once the temporary Cookie is set for the browser it will not change
'until the browser closes.
'
'A Session Object is used to store the data for each "Session".
'
'Each Application is a separate "Session" and has its own set of
'Properties and Variables.
'
'Each Application has its own TimeOut property.
'A TimeOut deletes the Session Object for that Application.
'In other words it deletes the Properties and Variables for that
'Application. It does not delete the SessionID_Cookie.
'
'Session.Abandon functions the same as a TimeOut.
In my testing a Session.Abandon did not give me a new cookie.
What I did was visit a page in each of the applications, set a variable or
two, and then do a Session.Abandon in one of the applications. The
Properties and Variables for that application would go away, but the Cookie
remained (because the other applications were using it).
I am confused by:
<snip><snip>
Best practices recommend that web sites use different Session IDs for secure
and non-secure pages
</snip></snip>
How do you force IIS to create a different Session ID for the secure pages?
Do I have to do something to issue a new SessionID for the secure part of my
website, or is IIS smart enough to do that after the fix is applied?
Thanks, I really appreciate your help.
Dave Shunk
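Dave's question in both of his messages is how to give the SSL part of the site a session identifier separate from the one used on plain HTTP pages. The following is an added classic ASP example, not code from anyone in the thread, and it does not claim IIS can regenerate ASPSESSIONID on its own. It instead issues a second cookie, marked Secure so the browser only ever sends it over HTTPS, and binds it to the Session object of the secure Web Application. The include file name, the cookie name "SecureToken", the "/SiteAdmin" path and the login page are assumptions; Scriptlet.TypeLib is used only as a convenient GUID source, not as a vetted random generator.

```asp
<%@ Language=VBScript %>
<%
' secure_guard.inc (assumed name), added example, not code from the thread.
' Usage: every page under the SSL application root calls RequireSecureToken
' first; the SSL login page calls IssueSecureToken after the credentials check.
Option Explicit

Const SECURE_COOKIE = "SecureToken"      ' assumed cookie name
Const SECURE_ROOT   = "/SiteAdmin"       ' assumed secure application root

' Refuse to run at all unless the request arrived over SSL.
Sub RequireHttps()
    If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
        Response.Redirect "https://" & Request.ServerVariables("SERVER_NAME") & _
                          Request.ServerVariables("URL")   ' Redirect ends the script
    End If
End Sub

' GUID as an opaque token. Assumption: good enough for illustration; replace
' with a proper random source if one is available on the server.
Function NewToken()
    Dim tl
    Set tl = Server.CreateObject("Scriptlet.TypeLib")
    NewToken = Mid(tl.Guid, 2, 36)        ' strip the braces
    Set tl = Nothing
End Function

' Called by login.asp after a successful credential check, over SSL only.
' The token lives in the Session object of THIS Web Application (sessions are
' per application, as noted above) and in a cookie that never leaves HTTPS.
Sub IssueSecureToken()
    RequireHttps
    Dim token
    token = NewToken()
    Session("SecureToken") = token
    Response.Cookies(SECURE_COOKIE) = token
    Response.Cookies(SECURE_COOKIE).Secure = True   ' browser sends it only over HTTPS
    Response.Cookies(SECURE_COOKIE).Path = SECURE_ROOT
End Sub

' Called at the top of every secure page. Presenting a valid ASPSESSIONID is
' not enough here: the Secure cookie must also match what this session issued.
Sub RequireSecureToken()
    RequireHttps
    Dim expected, presented
    expected  = Session("SecureToken")
    presented = Request.Cookies(SECURE_COOKIE)
    If Len(expected) = 0 Or StrComp(presented, expected, vbBinaryCompare) <> 0 Then
        Session.Abandon                              ' discard this application's session data
        Response.Redirect "https://" & Request.ServerVariables("SERVER_NAME") & _
                          SECURE_ROOT & "/login.asp"   ' assumed login page
    End If
End Sub
%>
```

The effect is that a session cookie observed on a non-SSL page of the same site does not by itself open the secure pages, because the second cookie is only ever transmitted inside the SSL session. Session.Abandon in RequireSecureToken clears the secure application's variables only; as the thread notes, it does not change the shared ASPSESSIONID cookie.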