I have a web application that, after logging in, personalizes almost all pages.
I want some very specific pages to be blocked with SSL, which may have sensitive information. From what I could find, after logging in through the SSL login page (website area), the session information that I use to store a lot of personalization and user credentials is not available for the part that does not contain the SSL website as they are considered 2 separate applications.
This MSDN document pretty much talks about what I'm talking about: MSDN Domain
Note. If you use this type of site structure, your application should not rely on the user ID on non-SSL pages. In the previous configuration, authentication bits are not sent for requests to non-SSL pages. As a result, the user is considered anonymous. This has implications for related functions, such as personalization, which require a username.
I also do not use forms authentication. When a user subscribes to a session object, their credentials are stored, including their IP. If this session object exists for a specific user with the same IP address, they are considered “signed” and personalization features are enabled.
So my question is: are there any problems associated with this, so that my page on the page and on the other page uses SSL, and the reset site does not, and all pages have access to the same session variables
If anyone can suggest any other ways to accomplish the same type of personalization?
source
share