我如何共享HTTP和HTTPS之间一个asp.net会议上 [英] how can I share an asp.net session between http and https

问题描述

我读到定期HTTP运行的另一个页面（或相同为此事）HTTPS连接不能共享一个InProc会话（基于饼干）下运行的页面。我的网站Server 2003上运行，IIS 6和.NET 2.0。

I read that a page which runs under an https connection cannot share an InProc Session (based on cookies) with another page (or the same for that matter) running under regular http. My site is running on Server 2003, IIS 6 and .Net 2.0.

一些实验后，似乎它同时通过HTTPS即使在纯HTTP运行CAN随后访问数据连接会话存储数据的页

After some experiments it appears that a page which stores data in session while being connected through https CAN subsequently access the data even if running under plain http.

那么，有没有可能或者我应该走了过来，并期待在SSL配置？

So, is it possible or should I go over and look for flaws in the SSL configuration?

推荐答案

MSDN ：

当用户来回移动
  安全和公共区域之间，所述
  ASP.NET生成会话cookie（或
  URL如果启用了cookie的
  会话状态），与他们在移动
  明文，而认证
  饼干永远不会越过
  未加密的HTTP连接的只要
  为安全cookie属性设置的

所以基本上，该cookie可以在HTTP和HTTPS传送如果安全属性设置为假

So basically, the cookie can be passed over both HTTP and HTTPS if the Secure property is set to false.

我已经加入该到我的的Global.asax 文件回避这个问题：

I have avoided this issue by adding this to my Global.asax file:

void Session_Start(object sender, EventArgs e) 
{
    if (Request.IsSecureConnection) Response.Cookies["ASP.NET_SessionID"].Secure = false;
}

这意味着，如果通过HTTP创建会话cookie，它只会通过HTTPS访问的。

This means that if the Session cookie is created over HTTP, it will only be accessible over HTTPS.

这篇关于我如何共享HTTP和HTTPS之间一个asp.net会议上的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！