iis 7 - Classic ASP session weirdness between HTTP and HTTPS

Question

I have an ecommerce website written in Classic ASP that uses Session to store shopping cart content and other things.

Items are added to the cart in HTTP and when the user checks out they are taken to HTTPS. At this point there is no issue, the HTTPS checkout page gets the Session values correctly.

Problem is that if they click to go back to the shopping cart (HTTP) the Session is lost.

If they then add items to the cart they show correctly in the shopping cart (HTTP).

But when they checkout again (HTTPS) the items that were in the original Session before it disappeared are back.

If they go back to the HTTP shopping cart page the different items are there.

So in summary the first time I transition from HTTP to HTTPS it works fine, but after that it is like there is two independent Sessions.

The domain name is exactly the same for HTTP and HTTPS.

The website is hosted in a shared hosting environment. It is IIS7 on a 64-bit Server.

I have tried integrated and classic managed pipeline mode.

In web.config I have made the setting for same sessions for HTTP and HTTPS, like this:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <location path="Default Web Site">
        <system.webServer>
            <asp>
                <session keepSessionIdSecure="false" />
            </asp>
        </system.webServer>

Any idea how I can fix this problem?

Update: Looking at the HTTP headers it seems that when it goes to HTTPS that a second ASP Session Cookie is created. Not sure why that clears the first one. When back to HTTP there is only the original cookie but it no longer has any values in the session so presumably the new cookie has been assigned and the previous one is no longer valid.

Answer 1

Update

Actually these settings are equivalent just when I do it through the GUI in IIS it updates the applicationHost.config not the web.config file, maybe this is the difference? The applicationHost.config can be found in %SystemRoot%System32inetsrvconfig.

As you are working in a Shared Hosting Environment you may not have access to that though. The other thing that occurred to me is your configuration value the <location> path attribute is set to Default Web Site. I'm guessing this will not be the name of your Shared Hosting Website, I would just remove the path attribute so it applies configuration to the current directory.

For ASP you need to specify New ID on Secure Connection equal to False under the ASP section in the IIS configuration (See image). By default ASP will create a new cookie when switching between secure and insecure connections, setting it to False will maintain the same cookie across HTTP and HTTPS.