perl-asp mailing list archives

From Josh Chamas
Subject Re: How can I call the SessionID from SSL
Date Fri, 28 Feb 2003 01:57:07 GMT
Fernando Munoz wrote:
> My application generates the session ID under HTTP (unencrypted) and at some
> point I need to take information that will be required using HTTPS (SSL
> encrypted). I've noticed that my session ID changes when I change the
> protocol. How can I keep/access the original Session ID (the one generated
> under HTTP) under HTTPS?

You could try using SessionQueryParse and SessionQueryParseMatch
and SessionQueryForce.

HOWEVER, you shouldn't make this work.  If you have session-id going
over HTTP, it is not secure.  If you made it work under HTTPS concurrently,
then you would have a security problem with your application in that someone
could packet sniff the session-id, and then walk in as that user into
the "secure" part of your application.

Therefore, make sure you do not have the same session being used
across SSL & non-SSL HTTP pages.


Josh Chamas, Founder                   phone:925-552-0128
Chamas Enterprises Inc.      
NodeWorks Link Checking      
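
The separation recommended in the reply above, as an added example that is not part of the original message and is not Apache::ASP code: a session is bound to the scheme it was created under, so an ID that travelled over plain HTTP is never honoured on the HTTPS side. The helper names, cookie names and in-memory store are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: scheme-bound sessions (hypothetical helpers, not Apache::ASP API).
use strict;
use warnings;

my %sessions;    # in-memory store: id => { secure => 0|1, user => ... }

# 256-bit random session id from the OS random source.
sub new_id {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $buf, 32) == 32 or die "short read from urandom";
    close $fh;
    return unpack 'H*', $buf;
}

# Create a session and record whether the creating request used HTTPS.
sub create_session {
    my ($is_https, $user) = @_;
    my $id = new_id();
    $sessions{$id} = { secure => $is_https ? 1 : 0, user => $user };
    return $id;
}

# HTTPS sessions get their own cookie name and the Secure flag, so the
# browser never sends that id over an unencrypted connection.
sub cookie_header {
    my ($id) = @_;
    my $s = $sessions{$id} or die "unknown session";
    return $s->{secure}
        ? "Set-Cookie: sid_secure=$id; Path=/; Secure; HttpOnly"
        : "Set-Cookie: sid_plain=$id; Path=/; HttpOnly";
}

# Look up a session; the scheme of the current request must match the
# scheme the session was created under, otherwise the id is ignored.
sub lookup_session {
    my ($id, $is_https) = @_;
    my $s = $sessions{$id} or return;
    return unless $s->{secure} == ($is_https ? 1 : 0);
    return $s;
}

# Constructed walk-through: anonymous HTTP browsing, then an HTTPS login.
my $plain  = create_session(0, undef);
my $secure = create_session(1, 'alice');    # constructed user name
print cookie_header($_), "\n" for $plain, $secure;
for my $case ([$plain, 1, 'plain id on HTTPS'], [$secure, 1, 'secure id on HTTPS'],
              [$secure, 0, 'secure id on HTTP']) {
    my ($id, $https, $label) = @$case;
    printf "%-20s %s\n", $label, lookup_session($id, $https) ? 'accepted' : 'rejected';
}
```

Only the second case is accepted: a sniffed HTTP session ID is useless against the HTTPS pages, and the HTTPS ID is refused if it ever shows up on a plain HTTP request.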
