[thelist] session and/or cookie persistence across an ssl and non-ssl connection

Chris Blessing webguy at mail.rit.edu
Thu Jan 17 16:05:39 CST 2002


Scott, Anthony-

Thanks for the replies.  I thought I might have been going a little crazy.
It makes sense that a cookie should persist even if the protocol changes,
since the domain information for a cookie is just that, the domain, and not
the url or protocol or anything else.

I will have to do some testing I suppose.  The problem may be that the ssl
and non-ssl sites are both separate "applications" as far as IIS is
concerned, since they're both separate virtuals on the server and both have
their own global.asa.  I'll play around and let y'all know what I come up
with.  Maybe this will blossom into a tip. ;)

Chris Blessing
webguy at mail.rit.edu
http://www.330i.net

-----Original Message-----
From: thelist-admin at lists.evolt.org
[mailto:thelist-admin at lists.evolt.org] On Behalf Of Scott Dexter
Sent: Thursday, January 17, 2002 4:41 PM
To: thelist at lists.evolt.org
Subject: RE: [thelist] session and/or cookie persistence across an ssl
and non-ssl connection


(thinking carefully)

The ASP session ids are cookies, and are above the SSL negotiation. So
they would persist across SSL and non-SSL connections to the same
application (provided you don't blow up the session or the client's IP
address changes -- the same pitfalls with using ASP sessions in the first
place)

Is the SSL site a different web site from the non-SSL? (e.g. in the MMC
they are two different sites) No? Should be good to go....

Or am I missing some details?

sgd
--
work: http://ti3.com/
non: http://thinksafely.org/
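
Added example, not part of either message above: a simplified model of how a browser selects cookies for a request (host, path and the Secure attribute) and of two server applications that each keep their own session table, which is the situation the thread suspects on IIS. The host name, session id, the bare cookie name "ASPSESSIONID" and both session tables are constructed for illustration.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Cookie:
    name: str
    value: str
    host: str             # host-only cookie: no Domain attribute was set
    path: str = "/"
    secure: bool = False  # Secure attribute: send over https only

def path_match(request_path, cookie_path):
    """Path-match as in RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def cookies_for(url, jar):
    """Cookies a browser would attach to a request for url."""
    u = urlsplit(url)
    sent = {}
    for c in jar:
        if u.hostname != c.host:
            continue                  # wrong host
        if not path_match(u.path or "/", c.path):
            continue                  # outside the cookie's path
        if c.secure and u.scheme != "https":
            continue                  # the only check that looks at the scheme
        sent[c.name] = c.value
    return sent

def lookup_session(app_sessions, cookies):
    """Server side: an application only recognises ids in its own table."""
    return app_sessions.get(cookies.get("ASPSESSIONID"))

# Constructed sample data.
SID = "CONSTRUCTED123"
JAR = [Cookie("ASPSESSIONID", SID, "www.example.test")]
HTTP_APP = {SID: {"user": "chris"}}  # session table of the non-SSL application
HTTPS_APP = {}                       # separate application, separate table

def demo():
    plain = cookies_for("http://www.example.test/cart.asp", JAR)
    tls = cookies_for("https://www.example.test/checkout.asp", JAR)
    return plain, tls, lookup_session(HTTP_APP, plain), lookup_session(HTTPS_APP, tls)

if __name__ == "__main__":
    print(demo())
```

In this model the same cookie is attached to both the http and the https request, yet the second application finds no session for it. A session cookie set without Secure also travels over the plaintext connection, which is worth checking when one session is meant to span both sites.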
