Classic ASP session weirdness between HTTP and HTTPS


Problem description

I have an ecommerce website written in Classic ASP that uses Session to store shopping cart content and other things.

Items are added to the cart in HTTP and when the user checks out they are taken to HTTPS. At this point there is no issue, the HTTPS checkout page gets the Session values correctly.

Problem is that if they click to go back to the shopping cart (HTTP) the Session is lost.

If they then add items to the cart they show correctly in the shopping cart (HTTP).

But when they checkout again (HTTPS) the items that were in the original Session before it disappeared are back.

If they go back to the HTTP shopping cart page the different items are there.

So in summary, the first time I transition from HTTP to HTTPS it works fine, but after that it is like there are two independent Sessions.

The domain name is exactly the same for HTTP and HTTPS.

The website is hosted in a shared hosting environment. It is IIS7 on a 64-bit Server.

I have tried integrated and classic managed pipeline mode.

In web.config I have made the setting for same sessions for HTTP and HTTPS, like this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <location path="Default Web Site">
        <system.webServer>
            <asp>
                <session keepSessionIdSecure="false" />
            </asp>
        </system.webServer>
    </location>
</configuration>

Any idea how I can fix this problem?

Update: Looking at the HTTP headers, it seems that when it goes to HTTPS a second ASP Session Cookie is created. Not sure why that clears the first one. When back to HTTP there is only the original cookie, but it no longer has any values in the session, so presumably the new cookie has been assigned and the previous one is no longer valid.

Recommended answer

Update

Actually these settings are equivalent; it is just that when I do it through the GUI in IIS it updates the applicationHost.config, not the web.config file. Maybe this is the difference? The applicationHost.config can be found in %SystemRoot%\System32\inetsrv\config.

As you are working in a Shared Hosting Environment you may not have access to that though. The other thing that occurred to me is that in your configuration the <location> path attribute is set to Default Web Site. I'm guessing this will not be the name of your Shared Hosting Website; I would just remove the path attribute so it applies the configuration to the current directory.

For ASP you need to specify New ID on Secure Connection equal to False under the ASP section in the IIS configuration (See image). By default ASP will create a new cookie when switching between secure and insecure connections, setting it to False will maintain the same cookie across HTTP and HTTPS.
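
The header check described in the question's update can be scripted. The following is an added example, not code from the original post: it replays Set-Cookie headers through a minimal cookie jar and reports which ASP session cookies a browser would send on each request and when the server issues a second one. The cookie names, values and paths are constructed sample data.

```python
from http.cookies import SimpleCookie

PREFIX = "ASPSESSIONID"  # Classic ASP session cookie names start with this

# Constructed sample flow (not captured from a real site):
# (scheme, request path, Set-Cookie header values in the response)
CONSTRUCTED_FLOW = [
    ("http", "/cart.asp", ["ASPSESSIONIDAAAAAAAA=CARTONE; path=/"]),
    ("https", "/checkout.asp", ["ASPSESSIONIDBBBBBBBB=CARTTWO; secure; path=/"]),
    ("http", "/cart.asp", []),
]


def trace_session_cookies(flow):
    """Replay responses through a minimal cookie jar and report, per request,
    which ASP session cookies the browser sends and which the server issues."""
    jar = {}  # cookie name -> (value, secure flag)
    report = []
    for scheme, path, set_cookie_headers in flow:
        # Browsers send Secure cookies only over HTTPS.
        sent = sorted(name for name, (_, secure) in jar.items()
                      if scheme == "https" or not secure)
        issued, second_session = [], False
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                if not name.upper().startswith(PREFIX):
                    continue
                secure = bool(morsel["secure"])
                # A different session ID issued while one was already being
                # sent means the server started a second session.
                if sent and jar.get(name, (None, None))[0] != morsel.value:
                    second_session = True
                issued.append((name, secure))
                jar[name] = (morsel.value, secure)
        report.append({"request": f"{scheme.upper()} {path}", "sent": sent,
                       "issued": issued, "second_session": second_session})
    return report


if __name__ == "__main__":
    for step in trace_session_cookies(CONSTRUCTED_FLOW):
        print(step)
```

A cookie reported with a secure flag of False is also sent on plain-HTTP requests, so keeping one session ID for both schemes means the checkout session ID travels unencrypted whenever the cart pages are loaded over HTTP.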
