Accessing a page via HTTPS loses session variables?

0

Good afternoon. I have an application running on the internet and would like some pages to be served over HTTPS rather than HTTP. I'm testing like this: I enter the application on an HTTP page. This HTTP page calls an HTTPS page. When I enter this HTTPS page, I have checked that the session variables are lost. Is that really how it works, or am I doing something wrong? Can I do it this way, calling just a few pages via HTTPS, or do I have to run the entire application on HTTPS? Thank you

  • 1

    http://answall.com/questions/26610/como-funciona-a-sessão-em-navegadores-web

1 answer

0


There could be three problems there.

1. Different domain or subdomain between HTTP and HTTPS

Most likely the pages are on separate domains or subdomains. Hence it is not a matter of HTTP/HTTPS itself, but rather that the browser considers them to be two separate servers, and so does not forward the cookie from domain 1 (which happens to be HTTP) to domain 2 (which happens to be HTTPS).

2. Cookies are going, but applications do not share session data

After checking whether the session cookie is reaching both servers, you need to check whether both servers are recording/loading session data from the same place (same shared folder, same database, same memcached).

That is, even if the cookie is right, if the language can't access the data it will open an empty session anyway.

3. Secure and non-secure cookies mixed

When checking whether the session cookie is reaching both servers, notice whether they are rigorously the same, or whether by chance one of them contains the secure tag.

Secure cookies are by default not sent on HTTP connections, so you may be receiving a different cookie on the HTTPS connection that is not sent on the HTTP connection.

  • Hello. Thank you for the answer. Comments: the pages are in the same folder. For example, example1 (http) calls example2 (https), and they are in the same location. I am not using cookies. I am using session variables like Session("name") - the pages are built in classic Archive. If you have any more tips, thank you.

  • I do not understand anything about the use of SSL, but I suspect that I discovered what is happening... I'm testing with a shared SSL, which changes the address of my page rather than just swapping http for https. This must be why the session variables are lost...

  • Yes, that is point number 1, different domains. The browser knows nothing about whether the files are in the same directory. For the browser (and cookies), all that matters is whether it is the same domain, the one that appears in the browser URL. See if you can put the whole site on HTTPS.

  • Thank you so much! I’m looking to get my own certificate. Hugs

  • Accept the answer? The local solution depends on the specific web server configuration, but the answer gives the general reason, and at least points toward how to solve it.
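
An added example, not part of the original answer or comments: a simplified JavaScript model of the browser's cookie-sending decision, covering points 1 and 3 of the answer (domain mismatch and the secure flag). The function names, hostnames and cookie values are constructed for illustration.

```javascript
// Added example. Hostnames and cookie values are constructed.
// Simplified model of the browser's cookie rules (RFC 6265): only the
// Domain and Secure attributes are evaluated; Path, expiry and SameSite are ignored.

// Parse a Set-Cookie header received from originUrl; returns null if rejected.
function parseSetCookie(header, originUrl) {
  const originHost = new URL(originUrl).hostname.toLowerCase();
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: originHost, // no Domain attribute: host-only cookie
    hostOnly: true,
    secure: false,
  };
  for (const attr of attrs) {
    const [rawKey, rawValue = ""] = attr.split("=");
    const key = rawKey.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "domain" && rawValue.trim()) {
      cookie.domain = rawValue.trim().replace(/^\./, "").toLowerCase();
      cookie.hostOnly = false;
    }
  }
  // A site may only set cookies for its own host or a parent domain of it.
  if (!domainMatches(originHost, cookie.domain)) return null;
  return cookie;
}

function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Returns null when the cookie is sent with a request to targetUrl,
// otherwise a short reason why the browser withholds it.
function whyNotSent(cookie, targetUrl) {
  const target = new URL(targetUrl);
  const host = target.hostname.toLowerCase();
  const ok = cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
  if (!ok) return "domain mismatch";
  if (cookie.secure && target.protocol !== "https:") return "secure cookie on http";
  return null;
}
```

A session cookie issued by `http://www.shop.example/` is withheld from a shared-SSL address such as `https://ssl.hosting.example/` with "domain mismatch", which is the situation the comments arrive at.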
