Classic ASP – maintaining sessions between secure and non-secure pages

If you use secure (SSL) and non-secure pages on your IIS-powered web site, and are using session variables to hold information about your users, you most likely will find those session variable values disappearing as your user switches from non-secure to secure pages – for example, they are in your online shop, and then click to Checkout and Pay.

The problem is IIS – by default it creates a new sessionId for users when they hit the SSL pages – so any session values you already created against the non-secure page sessionId are lost.

It’s easy to fix, in IIS7 anyhow. In IIS go to the properties for your web site and open the ‘ASP’ properties page. There is an option down the bottom entitled ‘New ID on Secure Connection’. By default this is set to True. Change it to False and click the Apply link.

https_session

Switching between SSL and non-SSL can also be a reason users experience a time out, or seem to be automagically logged out in the middle of something.

One thought on “Classic ASP – maintaining sessions between secure and non-secure pages

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s