I’m working on a website that uses a non-secured ASP.NET session cookie.
The session is shared between http and https.
We want to use different sessions for http and https (because of security reasons).
Is this configurable in ASP.NET? The httpCookies config element in system.web isn’t specific enough. I’d rather not programmatically build this.
If it’s not possible, what approach should I take?
I would set up the https files in a folder called “Secure” as a sub-application of the http app in IIS. Right-click on My Computer (or Computer in Windows Server 2008) and click on “Manage”. Expand Services, then Internet Information Service, then Websites. Then, expand your website and right-click on the “Secure” folder that you just created. On the default tab, click Create Application. Anytime that you have a switch to an https page, make sure that you are using “https://www.yourdomain.com/Secure/” on the front of the URL. I would just use a Configuration Setting in web.config to set that URL string as a programmatically accessible value. Then, your https sub-application will set you a new session cookie as it is a separate application.
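
A configuration sketch of the layout described in the answer above, added here as an example and not taken from the original answer. The cookie name `SecureSessionId` and the appSettings key `SecureBaseUrl` are assumed names; the URL is the placeholder domain used in the answer.

```xml
<!-- File 1: web.config of the parent (http) application -->
<configuration>
  <appSettings>
    <!-- Assumed key name: base URL used when building links to the https area -->
    <add key="SecureBaseUrl" value="https://www.yourdomain.com/Secure/" />
  </appSettings>
  <system.web>
    <!-- Parent keeps the default session cookie (ASP.NET_SessionId) -->
    <sessionState mode="InProc" cookieless="UseCookies" />
    <httpCookies httpOnlyCookies="true" requireSSL="false" />
  </system.web>
</configuration>

<!-- File 2: web.config of the "Secure" sub-application (/Secure) -->
<configuration>
  <system.web>
    <!-- Assumed cookie name. ASP.NET issues the session cookie with path "/",
         so a distinct name keeps the browser from treating the two
         applications' session cookies as the same cookie. -->
    <sessionState mode="InProc"
                  cookieless="UseCookies"
                  cookieName="SecureSessionId" />
    <!-- requireSSL marks cookies issued by this application as Secure, so the
         browser never sends them over plain http. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

The sub-application inherits the parent's `system.web` settings, so only the elements that differ need to be declared in the `Secure` folder's web.config.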