p2p.wrox.com Forums


proasp_codeclinic thread: not reading cookie contents when I shift to secure server


Message #1 by <odempsey@b...> on Wed, 26 Sep 2001 00:19:03 +0100
Thanks Ken,
that makes sense.
Have you any ideas how I can get around this problem?
I can only think of the following solutions:
  1. I could send the user to 'https://ssl.utvinternet.com/irish-roots/addtocart.asp', but then every time the user clicks on Add to Cart, Windows will display the warning "you are moving to a secure server!", which would be annoying to the user.
  2. Session variables probably won't work either, for security reasons.
  3. I could have the user on the secure server as soon as they start shopping, but this is discouraged by our host (maybe I have no choice, though!).
What do you think?

Kind Regards
Oliver Dempsey

----- Original Message -----
From: "Ken Schaefer" <ken@a...>
To: "Code Clinic" <proasp_codeclinic@p...>
Sent: Wednesday, September 26, 2001 7:40 AM
Subject: [proasp_codeclinic] Re: not reading cookie contents when I shift to secure server


> Firstly, a cookie can be read only by a single host, or a single domain. You
> can't set a cookie that can be read by multiple domains.
>
> If your domain is irish-roots.com you can either set a cookie that can be
> read by utvinternet.com (but can't be read by irish-roots.com), or you can
> set a cookie that can be read by irish-roots.com (but can't be read by
> utvinternet.com). This is a privacy measure, otherwise advertisers etc. could
> track you no matter where you went on the internet...since they could start
> setting cookies that could be read by any domain.
>
> Secondly, not all cookies that are set under http:// can be retrieved under
> https:// - this is a security precaution. If a cookie is marked as secure
> (your cookie isn't), then it can only be set and retrieved under https:// -
> again, this is a security precaution, since you might be putting sensitive
> data into the cookie, which would be protected during transmission when
> using https://, but would be sent as plain text if the user accidentally
> switched to http://
>
> Cheers
> Ken
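
The cookie scoping discussed in this thread, as an added example that is not part of the original posts: a simplified model of the RFC 6265 domain-match rule and the Secure attribute, run against the two hosts mentioned above. The shop host `www.irish-roots.com`, the page `shop.asp`, the cookie name and value, and all function names are assumptions made for the illustration.

```javascript
// Simplified browser cookie selection: domain-match and Secure only.
// Path, expiry, SameSite and public-suffix checks are left out.
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Store a cookie as a browser would when `setUrl` answers with Set-Cookie; null = rejected.
function storeCookie(setUrl, { name, value, domain, secure = false }) {
  const origin = new URL(setUrl);
  // Current browsers refuse a Secure cookie that arrives over plain http.
  if (secure && origin.protocol !== "https:") return null;
  if (domain !== undefined) {
    // A Domain attribute must cover the host that sets it, otherwise the cookie is ignored.
    if (!domainMatch(origin.hostname, domain)) return null;
    return { name, value, domain: domain.replace(/^\./, "").toLowerCase(), hostOnly: false, secure };
  }
  // No Domain attribute: host-only cookie, returned to exactly the host that set it.
  return { name, value, domain: origin.hostname, hostOnly: true, secure };
}

// Would the browser attach `cookie` to a request for `requestUrl`?
function isSent(cookie, requestUrl) {
  const target = new URL(requestUrl);
  const hostOk = cookie.hostOnly
    ? target.hostname === cookie.domain
    : domainMatch(target.hostname, cookie.domain);
  const schemeOk = !cookie.secure || target.protocol === "https:";
  return hostOk && schemeOk;
}

// Constructed sample values; only the cart URL comes from the thread.
const SHOP = "http://www.irish-roots.com/shop.asp";
const CART = "https://ssl.utvinternet.com/irish-roots/addtocart.asp";
const cart = storeCookie(SHOP, { name: "cart", value: "item42" });
const foreign = storeCookie(SHOP, { name: "cart", value: "item42", domain: "utvinternet.com" });
const secureCart = storeCookie(CART, { name: "cart", value: "item42", secure: true });

function report() {
  return {
    shopCookieSentToCart: isSent(cart, CART),        // different host: not sent
    foreignDomainStored: foreign !== null,           // Domain does not cover the setter
    secureSentOverHttps: isSent(secureCart, CART),
    secureSentOverHttp: isSent(secureCart, "http://ssl.utvinternet.com/irish-roots/addtocart.asp"),
  };
}
```

In this model the cart cookie written on the shop host never reaches the page on `ssl.utvinternet.com`, because the host names do not match, whether or not the Secure attribute is set.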
