Wrox Programmer Forums
Classic ASP Databases Discuss using ASP 3 to work with data in databases, including ASP Database Setup issues from the old P2P forum on this specific subtopic. See also the book forum Beginning ASP.NET Databases for questions specific to that book. NOT for ASP.NET 1.0, 1.1, or 2.0.
Welcome to the p2p.wrox.com Forums.

You are currently viewing the Classic ASP Databases section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
Old May 19th, 2004, 05:14 AM
Registered User
Join Date: May 2004
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
Default Passing login state across http and https

Hi All

I've noticed on quite a few ASP sites that when they have a 'MyAccount' section they transfer the site to https and then when you have logged into your account successfully and gone back to the majority of the site you move back to http whilst still being logged in.

I've used the Session var method before to check if a user can have access to pages, but how on earth can I keep a handle on this when I flip the user between my standard http to my https sites (and vice versa) when this effectively loses the Session var (and cookie values for that matter).

If I have to post certain data between the sites then surely this causes some kind of security breach.

Would I have to do the following:

1) On https, user enters their login and password.

2) These details are valid so I flag a session var on the https to say that they can order stuff, look at certain pages, etc.

3) When the user clicks one of the page links back to say a Contact us
(http) page then this link must contain the username and password that they

4) Now that they are back in the http world, I do another DB query to
validate this details and set a session var in the http.

The above seems very messy for 2 reasons:

1) On the https pages I need to build the username/password into every
single visible link that goes back to the http so that I can trap what the user is going to click on to go back.

2) The session var timeouts for the http and https are going to be out of sync because the user might be looking at their account for say 5 mins under https and then go back to the http.

I'm using 1 x MySQL db for my data, cart and to hold the login info.

If anybody has had this problem before and found a way round it, could you please give me some pointers.



Similar Threads
Thread Thread Starter Forum Replies Last Post
migrating http to https RoniR ASP.NET 1.0 and 1.1 Professional 15 April 27th, 2007 01:27 PM
How does one switch from HTTP to HTTPS Aaron Edwards Classic ASP Basics 0 September 29th, 2005 10:32 AM
Passing login state across http and https astra Classic ASP Basics 0 May 19th, 2004 05:19 AM

Powered by vBulletin®
Copyright ©2000 - 2020, Jelsoft Enterprises Ltd.
Copyright (c) 2020 John Wiley & Sons, Inc.