I have an e-commerce site written in classic ASP that uses a session to store the contents of a shopping cart and other things.
Items are added to the cart via HTTP, and when the user checks them, they switch to HTTPS. There is no problem at this point; the HTTPS verification page correctly displays the session values.
The problem is that if they click to return to the shopping cart (HTTP), the session will be lost.
If they then add items to the cart, they are correctly displayed in the shopping cart (HTTP).
But when they check again (HTTPS), the elements that were in the original session before it disappeared returned.
If they return to the HTTP Recycle Bin page, there will be different elements.
So, the first time I switch from HTTP to HTTPS, it works fine, but after that it looks like two independent sessions.
The domain name is exactly the same for HTTP and HTTPS.
The website is hosted in a shared hosting environment. This is IIS7 on a 64-bit server.
I tried the integrated and classic managed pipeline mode.
In web.config, I set the parameter for the same sessions for HTTP and HTTPS, for example:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="Default Web Site">
    <system.webServer>
      <asp>
        <session keepSessionIdSecure="false" />
      </asp>
    </system.webServer>
  </location>
</configuration>
Any idea how I can fix this problem?
Update. Looking at the HTTP headers, it seems that when it switches to HTTPS, a second ASP Session Cookie is created. Not sure why this clears the first one. Returning to HTTP, there is only the original cookie, but it no longer has values in the session, so presumably a new cookie has been assigned and the previous one is no longer valid.
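An added diagnostic sketch, not part of the original post: it replays captured Set-Cookie headers through a minimal cookie jar and reports which session cookies a browser would attach on HTTP versus HTTPS, based only on the Secure attribute. The cookie names and values are constructed samples, and the jar models only name, path and Secure (an assumption; real browsers apply further rules).

```javascript
// Parse one Set-Cookie header into name, value, path and the Secure flag.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, path: "/" };
  for (const attr of attrs) {
    const [k, v] = attr.split("=");
    if (k.toLowerCase() === "secure") cookie.secure = true;
    if (k.toLowerCase() === "path" && v) cookie.path = v;
  }
  return cookie;
}

// Store a cookie, replacing any earlier one with the same name and path.
function store(jar, header) {
  const c = parseSetCookie(header);
  jar.set(`${c.name}|${c.path}`, c);
  return jar;
}

// Cookies the browser would attach for a scheme: Secure ones go only over https.
function sentFor(jar, scheme) {
  return [...jar.values()]
    .filter(c => scheme === "https" || !c.secure)
    .map(c => `${c.name}=${c.value}`);
}

// Replay a capture and record what each scheme would send after every response.
function replay(capture) {
  const jar = new Map();
  return capture.map(({ scheme, setCookie }) => {
    if (setCookie) store(jar, setCookie);
    return { after: scheme, http: sentFor(jar, "http"), https: sentFor(jar, "https") };
  });
}

// Constructed sample capture (hypothetical names and values, not from the post).
const sampleCapture = [
  { scheme: "http",  setCookie: "ASPSESSIONIDAAAAAAAA=HTTPVALUE; path=/" },
  { scheme: "https", setCookie: "ASPSESSIONIDBBBBBBBB=HTTPSVALUE; secure; path=/" },
];

for (const step of replay(sampleCapture)) console.log(JSON.stringify(step));
```

Feeding it the Set-Cookie lines from a real header capture shows at which step the cookie sent over HTTP stops matching the one sent over HTTPS.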