如何在 http 和 https 之间共享 asp.net 会话 [英] how can I share an asp.net session between http and https

问题描述

我读到在 https 连接下运行的页面不能与在常规 http 下运行的另一个页面(或同样的)共享 InProc 会话(基于 cookie).我的网站在 Server 2003、IIS 6 和 .Net 2.0 上运行.

I read that a page which runs under an https connection cannot share an InProc Session (based on cookies) with another page (or the same for that matter) running under regular http. My site is running on Server 2003, IIS 6 and .Net 2.0.

经过一些实验发现，即使在普通 http 下运行，一个在会话中存储数据同时通过 https CAN 连接的页面也可以随后访问数据.

After some experiments it appears that a page which stores data in session while being connected through https CAN subsequently access the data even if running under plain http.

那么，是否有可能或者我应该检查 SSL 配置中的缺陷?

So, is it possible or should I go over and look for flaws in the SSL configuration?

推荐答案

来自 MSDN:

当用户来回移动时在安全区域和公共区域之间，ASP.NET 生成的会话 cookie(或如果您启用了无 cookie 的 URL会话状态)随着他们进入明文，但身份验证cookie 永远不会被忽略未加密的 HTTP 连接只要因为设置了安全 cookie 属性.

When a user moves back and forth between secure and public areas, the ASP.NET-generated session cookie (or URL if you have enabled cookie-less session state) moves with them in plaintext, but the authentication cookie is never passed over unencrypted HTTP connections as long as the Secure cookie property is set.

所以基本上，如果 Secure 属性设置为 false，cookie 可以通过 HTTP 和 HTTPS 传递.

So basically, the cookie can be passed over both HTTP and HTTPS if the Secure property is set to false.

通过将其添加到我的 Global.asax 文件中，我避免了这个问题:

I have avoided this issue by adding this to my Global.asax file:

void Session_Start(object sender, EventArgs e) 
{
    if (Request.IsSecureConnection) Response.Cookies["ASP.NET_SessionID"].Secure = false;
}

这意味着如果会话 cookie 是通过 HTTP 创建的，则只能通过 HTTPS 访问.

This means that if the Session cookie is created over HTTP, it will only be accessible over HTTPS.

这篇关于如何在 http 和 https 之间共享 asp.net 会话的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！