Separate ASP.NET Session IDs for http and https

I am working on a site that uses an insecure ASP.NET session cookie. The session is divided between http and https. We want to use different sessions for http and https (for security reasons).

Is this configurable in ASP.NET? The httpCookies configuration element in system.web is not specific enough. I would rather not program this.

If this is not possible, which approach should be taken?

+3
1 answer

I would install the https files in a folder called "Safe" as a sub-application of the http application in IIS. Right-click My Computer (or Computer in Windows Server 2008) and click Manage. Expand Services, then Internet Information Service, then Web Sites. Then expand your site and right-click on the "Safe" folder that you just created. On the default tab, click Create Application. Anytime you have a link to the https page, make sure you use "https://www.yourdomain.com/Secure/" on the front of the URL. I would just use a configuration setting in web.config to set this URL string as a programming value. Then your https sub-application will set a new session cookie, as this is a separate application.

+1
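A web.config for the HTTPS sub-application described in the answer, added here as an illustration and not part of the original answer. ASP.NET issues its session cookie with path "/" and the default name ASP.NET_SessionId, so this sketch gives the sub-application its own cookie name and the Secure flag; the cookie name `SecureApp_SessionId` and the `InProc` mode and timeout are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- web.config placed in the root of the HTTPS sub-application
     (the /Secure/ path used in the answer's URL). -->
<configuration>
  <system.web>
    <!-- Distinct cookie name (hypothetical value) so this application
         does not read or reuse the parent site's ASP.NET_SessionId
         cookie, which the browser sends to every path on the host. -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  cookieName="SecureApp_SessionId"
                  timeout="20" />

    <!-- requireSSL adds the Secure attribute to cookies this application
         issues, so the browser never sends them over plain http.
         httpOnlyCookies keeps them out of reach of client-side script. -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

The parent (http) application keeps its own web.config unchanged, so its session cookie stays separate from the one issued under /Secure/.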

Source: https://habr.com/ru/post/1710479/

