Keeping session variables after a move to secure.domain.com?

S

starwiz

Member
Joined
Jul 2, 2003
Messages
21
When a user enters my site, I write out an ID for that hit to a session variable...my session IDs are kept in cookies.

Everything works well for what Im trying to do...until the user moves to the secure portion of my site. As soon as he or she does that, the session cookie in which I keep the ID is invalidated, and I lose the cookie. The secure domain is simply "secure.mydomain.com".

I could store the session ID in the URL, but there are other problems working against that; Id rather keep it in a cookie.

So how can I keep the cookie (and the user session) across two domains?

Thanks for your help; I really appreciate it.

-Starwiz
 
If you set the Domain property of the cookie to "mydomain.com", you should have no problems reading it from "secure.mydomain.com". Sessions cookies are invalidated when the browser is closed, not when the user leaves the site.
 
First of all, because theyre cookies created by ASP.net for session variables, Im not sure how to change the domain property of them.

Secondly, if the domain property of those cookies is automatically set correctly by ASP.net, what else could be causing this problem, and how would I go about fixing it? (i.e. why would it seem like Im losing the cookie, and how can I fix it?)
 
When a session starts write out its associated ID to a cookie and poll it from the secure server when need be. You will not be able to keep the session across the servers, however the ID you wrote out to the cookie will be accessible from the secure server, allowing you to create a new session and continue the users transaction seamlessly. Realize this isnt elegant, but session nature is the inhibitive factor in this case.
 
When a session starts write out its associated ID to a cookie and poll it from the secure server when need be.
Click to expand...

Im trying that, and its not working.

If the domain of the cookie is secure.mydomain.com, it can only be written to the users computer from secure.mydomain.com. The user doesnt enter secure.mydomain.com first, so I cant write it out like that. However, this cookie can be read by the secure site.

If I change the domain of that cookie to mydomain.com, my program in the secured portion of the site cannot read the cookie (this very well could be a problem with my code...I havent a clue), and that cookie cannot be written by the secured pages.

What am I doing wrong?

In case it helps, my code for reading and writing the cookie follows:

Code: 
  Public Sub WriteSessionHitID()
    AdvanceNextHitID()
    mySession(SessionHitIdName) = NextHitID - 1
    NextHitID is a property that returns an int
    Dim Cookie As New System.Web.HttpCookie(CookieName)
    cookiename is a constant...
    Cookie.Domain = CookieDomain
    Cookiedomain is a constant for the domain of the cookie
    Cookie.Secure = True doesnt seem to make a difference
    Cookie.Expires = System.DateTime.Now.AddDays(CookieDays)
    currently, cookiedays = 1...its another constant
    Cookie.Value = NextHitID - 1
    myResponse.Cookies.Add(Cookie)
  End Sub

  Public ReadOnly Property SessionHitID() As Integer
    Get
      Try
        try to get it from the session first
        Return CInt(mySession(SessionHitIdName))
        if this doesnt work, try the cookie, accessed by the secure site
      Catch
        Try
          try to get it from the cookie, next
          Return CInt(myRequest.Cookies(CookieName).Value)
          if the cookie isnt out there either...
        Catch
          Return 0
        End Try
      End Try
    End Get
  End Property

Thanks a lot for any help you can give me...

-Starwiz
 
Back
Top