Wrox Programmer Forums
Classic ASP Basics For beginner programmers starting with "classic" ASP 3, pre-".NET." NOT for ASP.NET 1.0, 1.1, or 2.0
Welcome to the p2p.wrox.com Forums.

You are currently viewing the Classic ASP Basics section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
 
May 19th, 2004, 05:19 AM
Passing login state across http and https

Hi All

I've noticed on quite a few ASP sites that when they have a 'MyAccount'
section they transfer the site to https and then when you have logged into
your account successfully and gone back to the majority of the site you move
back to http whilst still being logged in.

I've used the Session var method before to check if a user can have access
to pages, but how on earth can I keep a handle on this when I flip the user
between my standard http to my https sites (and vice versa) when this
effectively loses the Session var (and cookie values for that matter).

If I have to post certain data between the sites then surely this causes
some kind of security breach.

Would I have to do the following:

1) On https, user enters their login and password.

2) These details are valid so I flag a session var on the https to say that
they can order stuff, look at certain pages, etc.

3) When the user clicks one of the page links back to say a Contact us
(http) page then this link must contain the username and password that they
entered.

4) Now that they are back in the http world, I do another DB query to
validate these details and set a session var in the http.

The above seems very messy for 2 reasons:

1) On the https pages I need to build the username/password into every
single visible link that goes back to the http so that I can trap what the
user is going to click on to go back.

2) The session var timeouts for the http and https are going to be out of
sync because the user might be looking at their account for say 5 mins under
https and then go back to the http.

I'm using 1 x MySQL db for my data, cart and to hold the login info.

If anybody has had this problem before and found a way round it, could you
please give me some pointers.

Thanks

Rob
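
An alternative to putting the username and password in every link (step 3 above), shown as an added example that is not part of the original post: the https side issues a short-lived, single-use, HMAC-signed handoff token carrying only the user id, and the http side verifies it before setting its own session var. It is written in Python rather than ASP so it runs stand-alone; `issue_token`, `redeem_token`, the 30-second lifetime and the in-memory nonce set (standing in for a table in the shared MySQL db) are all assumptions.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # assumption: key known to both sites, never sent to the browser
TTL_SECONDS = 30                  # assumption: a handoff link is only valid briefly
_used_nonces = set()              # stand-in for a nonce table in the shared database


def _sign(payload):
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_token(user_id, now=None):
    """https side: call after a successful login; append the result to links back to http."""
    now = time.time() if now is None else now
    payload = f"{user_id}.{int(now) + TTL_SECONDS}.{secrets.token_hex(8)}"
    return f"{payload}.{_sign(payload)}"


def redeem_token(token, now=None):
    """http side: return the user id, or None if the token is malformed, forged, expired or reused."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.rsplit(".", 1)
        user_id, expires, nonce = payload.split(".")
        user_id, expires = int(user_id), int(expires)
    except ValueError:
        return None
    # Constant-time comparison; check the signature before trusting any field.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return None
    if now > expires or nonce in _used_nonces:
        return None
    _used_nonces.add(nonce)  # single use: a copied link cannot be replayed
    return user_id
```

The token and the http session it creates still travel in cleartext, so the http-side session should only unlock low-value pages; ordering and account pages stay behind the https session.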




