Shared Session over 2 Domains on Same Server (SSL Certificate Domain Question too)

Last post 11-13-2009 7:30 PM by RickNZ. 6 replies.

  • Shared Session over 2 Domains on Same Server (SSL Certificate Domain Question too)

    11-11-2009, 7:03 PM
    • Member
      point Member
    • Deload
    • Member since 11-11-2009, 11:49 PM
    • Posts 3

    Just some background on the issue. I have 2 domains (http://www.mywebsite.com and http://www.otherwebsite.com) that both point to the same IP on a single server. I also have an SSL certificate for purchasing items on my site with only one of the already mentioned domains (https://www.mywebsite.com). On my site you can surf about and store a cart on either domain using the session, and then when it comes to purchasing you have to log in (using the Asp.Net Membership in this case). I'm trying to find a solution to instances where someone is shopping about under http://www.otherwebsite.com building up a cart in the session, and then upon logging in or requiring the SSL certificate, switch over to the SSL domain for a secure financial transaction.

    Is sharing the session over the server between 2 domains even a possibility? Am I even going about this the right way? If anyone has any easier solutions please enlighten me.

    Thanks!

  • Re: Shared Session over 2 Domains on Same Server (SSL Certificate Domain Question too)

    11-12-2009, 1:56 AM
    • Star
      9,206 point Star
    • satalaj
    • Member since 11-28-2007, 12:41 AM
    • Pune
    • Posts 1,822

    Hi,
    As per my knowledge, for same domain if you switch from http://xyz.com to https://xyz.com
    you will not lose session.
    You can share session using State server or SQL server.
    Read more about single sign-on and Network load balancing

    http://www.codeproject.com/KB/web-security/aspnetsinglesignon.aspx

    http://www.west-wind.com/presentations/loadbalancing/networkloadbalancingwindows2003.asp

    -Satalaj


     

  • Re: Shared Session over 2 Domains on Same Server (SSL Certificate Domain Question too)

    11-12-2009, 2:53 AM
    • Participant
      1,463 point Participant
    • ashish-1983
    • Member since 09-14-2009, 7:29 AM
    • Posts 500

    satalaj:

    Hi,
    As per my knowledge, for same domain if you switch from http://xyz.com to https://xyz.com
    you will not lose session.
    You can share session using State server or SQL server.
    Read more about single sign-on and Network load balancing

    http://www.codeproject.com/KB/web-security/aspnetsinglesignon.aspx

    http://www.west-wind.com/presentations/loadbalancing/networkloadbalancingwindows2003.asp

    -Satalaj


     


    keep session state = server.

    hope it should help


  • Re: Shared Session over 2 Domains on Same Server (SSL Certificate Domain Question too)

    11-12-2009, 7:33 PM
    • Member
      point Member
    • Deload
    • Member since 11-11-2009, 11:49 PM
    • Posts 3

    Yeah Ok, I had heard about using the SQL Server for your Session. How do I get it to share between domains now that I've gotten the Db set up to store sessions? 

  • Re: Shared Session over 2 Domains on Same Server (SSL Certificate Domain Question too)

    11-12-2009, 11:07 PM
    Answer
    • Contributor
      5,226 point Contributor
    • RickNZ
    • Member since 01-01-2009, 3:43 AM
    • Nelson, New Zealand
    • Posts 867

    deload:

    Yeah Ok, I had heard about using the SQL Server for your Session. How do I get it to share between domains now that I've gotten the Db set up to store sessions? 

    There are two solutions that come to mind:

    1. Switch to using subdomains, such as site1.domain.com and site2.domain.com, and modify the domain property of the session cookie so that the browser sends it with requests from both domains (the easiest way to do that is in an HttpModule)

    2. Or, add some JavaScript / Ajax to the page the user hits when the session is first activated, and have that script pass the session ID to the other domain, which then sets the session cookie.  With this approach, the session ID should probably be encrypted and restricted in other ways (maybe timestamped and hashed with the IP of the client) to prevent session theft.

    There may be some corner cases with regard to session expiration / renewal; be sure to test carefully.
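
RickNZ's second option, sketched as an added example that is not part of the original thread (C#, since the thread concerns ASP.NET). Instead of encrypting the session ID it sends a random single-use ticket that the server maps back to the session, signed with an HMAC over a 30-second expiry and the client IP; `HandoffTicket`, `Issue` and `Redeem` are hypothetical names, and a store shared by both sites is assumed.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
// Added example; HandoffTicket, Issue and Redeem are hypothetical names, not ASP.NET APIs.
public static class HandoffTicket
{
    // Assumption: both sites share this key and store (same process on the same server).
    static readonly byte[] Key = RandomBytes(32);
    static readonly ConcurrentDictionary<string, string> Pending = new ConcurrentDictionary<string, string>();
    static byte[] RandomBytes(int n)
    {
        var b = new byte[n];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(b);
        return b;
    }
    static string Hex(byte[] b) { return BitConverter.ToString(b).Replace("-", ""); }
    // The MAC binds the ticket to its expiry time and to the client's IP address.
    static string Mac(string nonce, long expires, string ip)
    {
        using (var h = new HMACSHA256(Key))
            return Hex(h.ComputeHash(Encoding.UTF8.GetBytes(nonce + "|" + expires + "|" + ip)));
    }

    // Called on the domain that holds the session; the result goes in the redirect URL.
    public static string Issue(string sessionId, string ip, DateTimeOffset now)
    {
        string nonce = Hex(RandomBytes(16));
        long expires = now.AddSeconds(30).ToUnixTimeSeconds();
        Pending[nonce] = sessionId; // the session ID itself never leaves the server
        return nonce + "." + expires + "." + Mac(nonce, expires, ip);
    }

    // Called on the other domain; returns the session ID, or null if the ticket is rejected.
    public static string Redeem(string ticket, string ip, DateTimeOffset now)
    {
        string[] p = (ticket ?? "").Split('.');
        if (p.Length != 3 || !long.TryParse(p[1], out long expires)) return null;
        if (!SlowEquals(Mac(p[0], expires, ip), p[2])) return null; // forged, altered, or wrong IP
        if (!Pending.TryRemove(p[0], out string sid)) return null;  // unknown or already redeemed
        return now.ToUnixTimeSeconds() <= expires ? sid : null;     // expired tickets are dropped
    }
    // Comparison that does not stop at the first differing character.
    static bool SlowEquals(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

When `Redeem` returns a session ID, the receiving domain sets its own session cookie for it. A client whose address changes between the two requests (mobile networks, proxy pools) fails the IP check and has to start the handoff again.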

  • Re: Shared Session over 2 Domains on Same Server (SSL Certificate Domain Question too)

    11-13-2009, 10:38 AM
    • Member
      point Member
    • Deload
    • Member since 11-11-2009, 11:49 PM
    • Posts 3

    RickNZ:

    2. Or, add some JavaScript / Ajax to the page the user hits when the session is first activated, and have that script pass the session ID to the other domain, which then sets the session cookie.  With this approach, the session ID should probably be encrypted and restricted in other ways (maybe timestamped and hashed with the IP of the client) to prevent session theft.

     

    That sounds like the best option... do you have any links with tutorials or walkthroughs on how to do that? Much appreciated.

     

  • Re: Shared Session over 2 Domains on Same Server (SSL Certificate Domain Question too)

    11-13-2009, 7:30 PM
    • Contributor
      5,226 point Contributor
    • RickNZ
    • Member since 01-01-2009, 3:43 AM
    • Nelson, New Zealand
    • Posts 867

    deload:

    That sounds like the best option... do you have any links with tutorials or walkthroughs on how to do that? Much appreciated.

    No, sorry.  Would be a good subject for a blog post, though....

