ASP Session

 
 
Adil Akram
09-27-2004
I've developed a shopping cart app in ASP. To secure transactions by SSL,
I've put only the checkout page in SSL, but all other pages, i.e. product, cart
etc., remain on a non SSL connection. How can I track user session from non SSL
to SSL checkout page, as the SessionID changes when shifting to SSL (to
prevent session stealing/hijacking)? I'm tracking user session by putting
SessionID in cart DB with products. Given below is the preview of the cart table.

Cart table

ID  SessionID  Product   Quantity
==================================
1   1234564    product1  5
2   1234564    item2     3
3   1234564    product3  1
4   4234564    product1  1


If I use any custom cookies, hidden form value (whether plain or encrypted),
it can be hacked by sniffing and changing cookie or hidden value and mapping
it to any other ordering session etc.

Please explain in detail with example, what's the best way to implement SSL
in shopping cart application.

regards,
Adil


 
 
 
 
 
Ray Costanzo [MVP]
09-28-2004
Well, the only way would be to use a cookie, but you've already ruled out
that. So, the way I see it is that you'll have to do everything in SSL,
from shopping to checkout. Is there any particular reason that you're not
already doing that?

Ray at home

 
 
 
 
Adil Akram
09-28-2004
Hello Ray,

I don't want to put everything in SSL, as most of the big vendors online
put only the checkout page in SSL; for example, I checked the shopping carts of
Microsoft, Amazon, Sony etc. I don't know exactly whether using a cookie is
safe or not.
Please suggest whatever the best method you know to do this.
Please explain the procedure in detail. I don't need the technical
implementation detail but flow and session tracking details.

regards,
Adil



 
Patrice
09-28-2004
My first thought would be to pass a randomly generated value on the
querystring that allows the non SSL session to retrieve values for the
SSL session...

You'll basically have a scheme such as:
- create a random key
- save the state
- pass the key to the other session
- the other session can then restore the state

Patrice
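
Patrice's four steps as an added Python sketch of the flow (not code from the thread, and not ASP): the non-SSL side issues a random, single-use, short-lived key for the cart's SessionID, and the SSL checkout redeems it to restore the cart. The in-memory store, the 120-second lifetime and the function names are assumptions; the cart rows are the ones from the original post.

```python
import hashlib
import secrets
import time

TTL_SECONDS = 120   # assumed lifetime of a handoff key
HANDOFFS = {}       # sha256(key) -> (cart SessionID, expiry); stands in for a DB table

# Rows from the cart table in the original post: (ID, SessionID, Product, Quantity)
CART = [
    (1, "1234564", "product1", 5),
    (2, "1234564", "item2", 3),
    (3, "1234564", "product3", 1),
    (4, "4234564", "product1", 1),
]

def _digest(key):
    # Store only a hash, so a leaked handoff table does not expose usable keys.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

def create_handoff(cart_session_id, now=None):
    """Non-SSL side: create a random key and save which cart it points to."""
    now = time.time() if now is None else now
    key = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
    HANDOFFS[_digest(key)] = (cart_session_id, now + TTL_SECONDS)
    return key                        # passed on the redirect to the checkout page

def redeem_handoff(key, now=None):
    """SSL side: return the cart SessionID for this key, exactly once."""
    now = time.time() if now is None else now
    entry = HANDOFFS.pop(_digest(key), None)   # pop: a replayed key finds nothing
    if entry is None:
        return None
    cart_session_id, expires_at = entry
    return cart_session_id if now <= expires_at else None

def checkout_rows(key, now=None):
    """SSL checkout page: restore the cart rows, or None if the key is bad."""
    cart_session_id = redeem_handoff(key, now)
    if cart_session_id is None:
        return None
    return [row for row in CART if row[1] == cart_session_id]
```

The redirect that carries the key is still sent over the non-SSL connection, so single use and a short expiry narrow the window for a sniffed key rather than close it; doing everything in SSL, as Ray suggested, removes that window.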

 
Ray Costanzo [MVP]
09-28-2004
What Patrice said makes sense to me!

Ray at work