perl-asp mailing list archives

From Josh Chamas <j...@chamas.com>
Subject Re: How can I call the SessionID from SSL
Date Fri, 28 Feb 2003 01:57:07 GMT
Fernando Munoz wrote:
> My application generates the session ID under HTTP (unencrypted) and at some
> point I need to take information that will be required using HTTPS (SSL
> encrypted). I've noticed that my session ID changes when I change the
> protocol. How can I keep/access the original Session ID (the one generated
> under HTTP) under HTTPS?
> 

You could try using SessionQueryParse and SessionQueryParseMatch
and SessionQueryForce.

HOWEVER, you shouldn't make this work.  If you have session-id going
over HTTP, it is not secure.  If you made it work under HTTPS concurrently,
then you would have a security problem with your application in that someone
could packet sniff the session-id, and then walk in as that user into
the "secure" part of your application.

Therefore, make sure you do not have the same session being used
across SSL & non-SSL HTTP pages.

Regards,

Josh
________________________________________________________________
Josh Chamas, Founder                   phone:925-552-0128
Chamas Enterprises Inc.                http://www.chamas.com
NodeWorks Link Checking                http://www.nodeworks.com
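
One way to follow the advice above, as an added example that is not part of the original message and is not Apache::ASP code: a minimal Python session store that binds each session ID to the scheme it was issued on, so an ID minted over HTTP is never honoured on HTTPS. The class, function and cookie names are hypothetical, and the requests in `demo()` are constructed.

```python
import secrets


class SchemeBoundSessions:
    """Session store that never honours a session ID across HTTP and HTTPS."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"scheme": str, "data": dict}

    def handle(self, scheme, presented_sid=None):
        """Process one request; return (session_id, Set-Cookie value or None)."""
        entry = self._sessions.get(presented_sid)
        if entry is not None and entry["scheme"] == scheme:
            return presented_sid, None  # same channel: keep the session
        # Unknown ID, or an ID issued on the other channel (it may have been
        # observed on the wire over plain HTTP): ignore it and start fresh.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"scheme": scheme, "data": {}}
        if scheme == "https":
            # Secure keeps the browser from ever sending this ID over HTTP.
            cookie = f"secure_sid={sid}; Path=/; HttpOnly; Secure"
        else:
            cookie = f"sid={sid}; Path=/; HttpOnly"
        return sid, cookie

    def data(self, sid):
        return self._sessions[sid]["data"]


def demo():
    """Constructed request sequence: browse on HTTP, then move to HTTPS."""
    store = SchemeBoundSessions()
    http_sid, _ = store.handle("http")
    store.data(http_sid)["cart"] = ["book"]
    # The HTTP-issued ID is presented on HTTPS: it is not accepted there.
    https_sid, cookie = store.handle("https", http_sid)
    store.data(https_sid)["user"] = "alice"
    # The HTTPS-issued ID keeps working on HTTPS without a new cookie.
    same_sid, no_cookie = store.handle("https", https_sid)
    return store, http_sid, https_sid, cookie, same_sid, no_cookie


if __name__ == "__main__":
    _, http_sid, https_sid, cookie, _, _ = demo()
    print("HTTP and HTTPS IDs differ:", http_sid != https_sid)
    print("HTTPS cookie:", cookie.replace(https_sid, "<id>"))
```

Anything the HTTPS pages need from the HTTP session has to be re-established after the switch (for example by logging in again over HTTPS) rather than carried over by reusing the ID.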

