HTTP和HTTPS之间经典的ASP会话的怪事 [英] Classic ASP session weirdness between HTTP and HTTPS

问题描述

我已经写在传统的ASP的电子商务网站，使用会话来存储购物车的内容和其他东西。

项目被添加到购物车中的HTTP，当用户检查出在拍摄到HTTPS。在这一点上没有任何问题，HTTPS结帐页面正确获取会话值。

问题是，如果他们点击回到购物车（HTTP）会话丢失。

如果他们然后将项目添加到他们的购物车中正确显示购物车（HTTP）。

但是，当他们再次结帐（HTTPS）是在原来的会议之前消失的物品回来了。

如果他们回到HTTP购物车页面的不同项目的存在。

因此​​，在总结从HTTP我第一次过渡​​到https它工作正常，但之后，它就像有两个独立的会话。

域名正是HTTP和HTTPS一样的。

该网站是一个共享的主机环境中承载。这是IIS7一个64位服务器上。

我曾尝试集成和经典托管管道模式。

在web.config中我已经为HTTP和HTTPS会话一样，这样的设定：

 ＆LT;？XML版本=1.0编码=UTF-8＆GT？;
＆LT;结构＆gt;
    ＆LT;位置路径=默认Web站点＆GT;
        ＆LT; system.webServer＆GT;
            ＆LT; ASP＆GT;
                ＆LT;会议keepSessionIdSecure =FALSE/＆GT;
            ＆LT; / ASP＆GT;
        ＆LT; /system.webServer>
 

任何想法，我怎么能解决这个问题？

更新：纵观HTTP头看来，当它去HTTPS，第二次ASP会话Cookie创建。不知道为什么扫清第一个。当返回HTTP，只有原来的Cookie，但它不再有出席会议的所有值，因此presumably新的cookie已分配和previous一个是不再有效。

解决方案

  

更新

  
  

其实这些设置是等价的只是当我这样做是通过GUI在IIS中它更新的applicationHost.config 不是的web.config 文件，也许这就是区别？在的applicationHost.config 在的％SystemRoot％\\ SYSTEM32 \\ INETSRV \\ CONFIG 找到。

  
  

当你在共享工作宿主环境可能无法访问，虽然。这发生在我的另一件事是你的配置值＆LT;地点＆gt; 路径属性设置为默认Web站点。我猜这不会是你的虚拟主机网站的名字，所以它适用的配置到当前目录下，我只想删除路径属性。

有关ASP则需要指定新ID的安全连接等于假下的IIS中的ASP节配置（见图片）。默认情况下ASP会造成安全和不安全连接之间进行切换时，一个新的cookie，它设置为false将保持整个相同的cookie HTTP和HTTPS。

I have an ecommerce website written in Classic ASP that uses Session to store shopping cart content and other things.

Items are added to the cart in HTTP and when the user checks out they are taken to HTTPS. At this point there is no issue, the HTTPS checkout page gets the Session values correctly.

Problem is that if they click to go back to the shopping cart (HTTP) the Session is lost.

If they then add items to the cart they show correctly in the shopping cart (HTTP).

But when they checkout again (HTTPS) the items that were in the original Session before it disappeared are back.

If they go back to the HTTP shopping cart page the different items are there.

So in summary the first time I transition from HTTP to HTTPS it works fine, but after that it is like there is two independent Sessions.

The domain name is exactly the same for HTTP and HTTPS.

The website is hosted in a shared hosting environment. It is IIS7 on a 64-bit Server.

I have tried integrated and classic managed pipeline mode.

In web.config I have made the setting for same sessions for HTTP and HTTPS, like this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <location path="Default Web Site">
        <system.webServer>
            <asp>
                <session keepSessionIdSecure="false" />
            </asp>
        </system.webServer>

Any idea how I can fix this problem?

Update: Looking at the HTTP headers it seems that when it goes to HTTPS that a second ASP Session Cookie is created. Not sure why that clears the first one. When back to HTTP there is only the original cookie but it no longer has any values in the session so presumably the new cookie has been assigned and the previous one is no longer valid.

解决方案

Update

Actually these settings are equivalent just when I do it through the GUI in IIS it updates the applicationHost.config not the web.config file, maybe this is the difference? The applicationHost.config can be found in %SystemRoot%\System32\inetsrv\config.

As you are working in a Shared Hosting Environment you may not have access to that though. The other thing that occurred to me is your configuration value the <location> path attribute is set to Default Web Site. I'm guessing this will not be the name of your Shared Hosting Website, I would just remove the path attribute so it applies configuration to the current directory.

For ASP you need to specify New ID on Secure Connection equal to False under the ASP section in the IIS configuration (See image). By default ASP will create a new cookie when switching between secure and insecure connections, setting it to False will maintain the same cookie across HTTP and HTTPS.

这篇关于HTTP和HTTPS之间经典的ASP会话的怪事的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！