Lost Session On Load Balance Server From Http To Https?
Jan 26, 2011
We are currently running an asp.net application with 3.5 framework, using a SQL 2008 back-end. We have found that when we go from http to https we lose our session. Basically you come in on Server01 in http, add an item to your cart go to the secure checkout page (https) and you are now on Serve
I am using partially secured pages ( SSL). Now the problem is when I am switching between HTTPS and HTTP, I am losing my session. I tried storing session in Sql Server Database, its still not working. I am using just ONE web server and all pages are in single application.I am using Sql server 2008 ,IIS 7.0, C#.Net 3.5 I created a self signed test certificate to test my application.
I understand that I am losing my session because my urls are changing with https and http but there has to be someway to overcome this problem. I dont want to put unnecessary load on pages which do not have sensitive data by using https.
I am trying to fix an ASP.NET site that a friend had botched converting from older technologies. To the user, the site appears to have public and secured sections. Behind the scenes, the public and private sites are separate web applications with separate app pools. The difficulty arises because it appears that the applications share the same session IDs (when going from the public to the secured pages, the session ID remains the same), yet none of the (InProc) session variables are getting passed from the public site to the private one. Basically, the workflow consists of the user checking a checkbox ("I agree" type of stuff) on the public site (let's call that page http://www.boring.gov/iAgree.aspx), then logging in on the secured site (let's call that page https://www.boring.gov/login.aspx). The commandments from the parent agency in DC are that the user may not bookmark the login page, the user has to click "I agree" every time they log in, and that the "I agree" stuff has to be on a separate page. What am I missing? How would you do it? Notes:dows 2003 server.2 - Yes, it is a government agency.3 - I would have done things very differently if I was doing the conversion, but I wasn't brought in until the poop hit the fan, and it is too late to redo things.4 - Two previous SO threads that appear to be related, yet don't apply are this and that
Just wondering whether or not Session Variables that are declared and set while in a HTTP session will continue to exist if the users session moves to HTTPS?
Building asp.C# shopping app that is using a hosted payment page to process payments (using posting of data to a hosted payment page). SSL certificate is signed and installed.
Flow:
Prelim) (HTTPS) Users authenticate using asp Login control
1) Users add items to cart.
2) (HTTPS)Users go to checkout page.
3) Users finalize their order, then click pay now after agreeing to T&C.
4) Server gets cart data (from MSSQL2005) and sets a transaction cookie (expiry set to 20 mins).
5) (HTTPS) Server Response.Redirects to an html page (in the same folder as the login protected pages).
6) Html page reads transaction cookie data and generates form fields.
7) (HTTPS) Html page posts data to hosted payment page (php).
8) User enters payment info and clicks pay now.
9) (HTTPS) hosted payment page posts info back to a .aspx page that checks if payment OK.
10a) If payment !OK, redirects to a declined page.
10b) (HTTPS) If payment OK, sets a verification cookie (expiry set to 20 mins). Then redirects to another html page.
11) Html page reads cookie data and generates form fields.
12) (HTTPS) Html page posts data to hosted verification page (php).
13) Verification page verifies (of course), if transaction ok.
14) (HTTPS) verification page posts data to a .aspx page that checks if verification OK.
15) If verification OK, process orders and do receipt stuff.
Issue:
This control flow was tested on an unsigned dev environment. SSL was being enforced, if needed on the unsigned SSL certificate. So we'd get prompts that certificate may be bad, but the control flow worked seamlessly.
However, now live with a signed SSL certificate, going from step 5 to 6, we are encountering a situation where some users (not duplicated every time, but verified that it does occur) when they click pay now and are redirected to the html page, they are forced back to the ~/login.aspx page (as if they were logged out).
Things to note:
a) The session did not time out.
b) The browsers have cookies and javascript enabled.
c) I can process the entire flow seamlessly on the same machine with other accounts, and occasionally, the same account.
So, basically, I'm stumped... Is this a viewstate error? A login control bug that won't let me redirect to an html page because it is now using a real SSL? Anyone have any experience with this kind of deal? I'm at a loss for solutions at this point.
I am planning my web url secured by changing it HTTPS. For this i went to IIS and created a CCR and i went to one of the site and i pasted this to generate a free certificate. But it is showing domain already existing. how to create a certificate and to change the link from HTTP to HTTPS.
i redirect a page from http to https using http module begin request handler .i am calling webservice using ajax but it is saying webserice not defined .which otherwise works fineits work fine when rediect page in page_load instead .but i need to add function for https to http in every page. i still not know why ajax is not working when i use http module for redirect
Every now and then we get the "HTTP/1.1 Session Failed" error on our classic asp pages, not on .NET pages. If I restart IIS it does not fix the problem, only when I restart SQL server does it fix it. This leads me to believe that somewhere connections are not being closed. Now the problem is finding where. Arg. We are running sql server 2008 enterprise on windows 2003, have 6GB RAM and a plenty powerful processor. Does anyone have any suggestions on how to pinpoint the asp/.NET page(s) that are causing this problem? I have tried perfmon and some other tools but am very noob when it comes to these.
I want to redirect http to https. I tried this one,but I have one problem, I have to redirect to another page. The request.url gives the current page, whereas I need to redirect to another page. How do I do that.
As part of a master page template, several sites include a login control. Since the site is served over HTTP, I want the login control, once a successful login has been achieved, to resolve to a portal served over HTTPS.The closest I've seen to achieve this may be here, but I'm not entirely clear on its implementation.Can I get some feedback or suggestions on this?Of course, a simple "Login" link on all pages that point to a login paged served over HTTPS is another solution, but this is not what I'm looking for.
I have a part of my website that uses SSL, and a part that does not. I began having issues recently where the link that takes you to the https part of the site would keep getting rerouted to http. In IIS I have SSL on and required for the members directory, and the certs are all fine. My site is http://mcsd-sc.mcbarons.manheimcentral.org/. I first started by routing the pages directly to the secure part using the <meta http-equiv="refresh" content="0;url=urlgoeshere" /> on a redirect page in the /members directory and this was working perfectly. When my issues started, changed it and made the link just go directly to the members part of the site with the https included in the URL (this is how it is now). Now when you click the link it takes you to the member page without using https, thus throwing an error because I have SSL required on that part of the site. When you look at the code in IE, it just shows the direct link using plain HTTP. When I open the code directly on the server, I see the URL beginning with HTTPS. I've been having a lot of issues lately with updated content not refreshing itself, and rebooting the server does nothing. At this point I'm stumped. I think it might be something in IIS, although I haven't touched it in a long time, unless a recent security update messed it up, which is the only explanation I can think of that would screw it up all of a sudden. The site works perfectly when you manually type https. I thought it might have also been my cache, but I just tried it on a computer that I haven't ever gone to the site on before and I got the same issue.
I have a web page that allows user to make transaction and they are allowed to choose if they want their transaction to be immediately transferred to the payee or for future transfer. I have problem handling future transfer, for an example, I want to transfer $100 to A on 12 August but today is only 09 August. So the amount should be deducted . I decided to make 2 balances; Available and Ledger balances. Available balance is the net balance after doing all the future transfers etc. but for ledger balance is what is available at the point of time. I'm thinking how should I form the query for the SQL statement. Currently, this is what I have. Transfer code = 2 -> future transfer
IF (@TransferCode = '2') BEGIN --Insert into the account transaction table first-- INSERT INTO ACCOUNTTRANSACTIONS (AccountTransID, CustID, TransDate, TransType, Reference) VALUES (@AccTransID,@CustID,@Date,@TransType,@Reference) IF NOT (@Date = Getdate()) IF (@Withdraw > @BankBal) BEGIN INSERT INTO ACCOUNTTRANSITEM (AccountTransItemID, AccountTransID, AccNum, Withdraw, Deposit, status) VALUES (@AccTransItemID, @AccTransID, @AccNum,@Withdraw,@Deposit, 0) PRINT 'INSUFFICIENT AMOUNT IN BANK' SET @ReturnValue = 4 RETURN @ReturnValue END ELSE BEGIN INSERT INTO ACCOUNTTRANSITEM (AccountTransItemID, AccountTransID, AccNum, Withdraw, Deposit, status) VALUES (@AccTransItemID, @AccTransID, @AccNum,@Withdraw,@Deposit, 1) END ELSE IF (@Date = GETDATE()) BEGIN IF (@Withdraw > @BankBal) BEGIN INSERT INTO ACCOUNTTRANSITEM (AccountTransItemID, AccountTransID, AccNum, Withdraw, Deposit, status) VALUES (@AccTransItemID, @AccTransID, @AccNum,@Withdraw,@Deposit, 0) PRINT 'INSUFFICIENT AMOUNT IN BANK' SET @ReturnValue = 4 RETURN @ReturnValue END
We are planning to move our website to https, which currently running on only http only. Web site is running on IIS7 in Windows 2008 server. Do I need to update/modify any configuration settings in the website to make it work on HTTPS? Is it fine just installing certifictes?
I'm having real trouble redirecting pages from http to https on my live website. Everything is fine on my IDE but as soon as I upload it to my shared web host (123-reg.co.uk) I hit a problem. When I try to redirect to https using Response.Redirect it seems a loop occurs and the request is never carried out.
The code I've tried:
[Code]....
and
[Code]....
Both above methods worked fine in my IDE but not on my live system.
In IE nothing happens but in Firefox the below error is displayed:
"Firefox has detected that the server is redirecting the request for this address in a way that will never complete. "
project is built using ASP.NET MVC 2.0. There're some pages is run under https and the rest run under http. Follow the artical I found on StackOverflow (http://stackoverflow.com/questions/2414327/switching-between-http-and-https-in-asp-net-mvc-1-0 ) :1.For pages that need to run under https I just add the attribute [RequireSSL] for the corresspond action method.2.To force all the rest pages run under http I have overriden OnAuthorization in the base controller:
protected override void OnAuthorization(AuthorizationContext filterContext) { if (!Request.IsAjaxRequest())