Hi All

I've noticed on quite a few ASP sites that when they have a 'MyAccount' section they transfer the site to https and then when you have logged into your account successfully and gone back to the majority of the site you move back to http whilst still being logged in.

I've used the Session var method before to check if a user can have access to pages, but how on earth can I keep a handle on this when I flip the user between my standard http to my https sites (and vice versa) when this effectively loses the Session var (and cookie values for that matter).

If I have to post certain data between the sites then surely this causes some kind of security breach.

Would I have to do the following:

1) On https, user enters their login and password.

2) These details are valid so I flag a session var on the https to say that they can order stuff, look at certain pages, etc.

3) When the user clicks one of the page links back to say a Contact us
(http) page then this link must contain the username and password that they
entered.

4) Now that they are back in the http world, I do another DB query to
validate this details and set a session var in the http.

The above seems very messy for 2 reasons:

1) On the https pages I need to build the username/password into every
single visible link that goes back to the http so that I can trap what the user is going to click on to go back.

2) The session var timeouts for the http and https are going to be out of sync because the user might be looking at their account for say 5 mins under https and then go back to the http.

I'm using 1 x MySQL db for my data, cart and to hold the login info.

If anybody has had this problem before and found a way round it, could you please give me some pointers.

Thanks

Rob