Question

Is it possible to use mixed cookieless sessions with cookie sessions?

I've an application that captures user details and then redirects for payment to an SSL page. I was wondering if this is possible?

http://www.mydomain.com/confirm.aspx

redirects to

https://www.mydomain.com/(S(za1tw2l2k02jer4fiskzlovd))/payment.aspx

Note: the session Id in the latter url.

So in essence, we use the standard cookie session for the majority of the application but when we transfer to an ssl page we pass the SessionId to the https url to pick up the session. I've tried this locally but it starts a new session.

Am I missing a trick?

Thanks

Solution

I've found a solution that seems to work

When transferring between http and https I've the following:

As you can see I'm passing the session id manually to the https page.

    protected void btnPurchase_Click(object sender, EventArgs e)
    {
        // Confirm purchase code **

        // Build the https payment URL, passing the current session id in the "sid" query parameter.
        string sslPaymentPath = string.Format("https://{0}/payment.aspx?sid={1}", Request.Url.DnsSafeHost, Session.SessionID);

        Response.Redirect(sslPaymentPath);
    }

Upon reaching the SSL page, ASP.NET sees the request as a new session, so I use the Start_Session method in the global.asax to abandon the newly created session and add a new session cookie with the session id passed in from the query string. Because the AcquireSessionState, which populates the session keyValue pair, has already been run by this point, I need to redirect the page back to itself to repopulate those values.

It seems to work really well :)

    void Session_Start(object sender, EventArgs e)
    {
        bool isPaymentPage = (Request.Path.ToLower().IndexOf("payment.aspx") != -1);

        // Code to load session over ssl. When changing between two sessions
        if (isPaymentPage && Request.QueryString["sid"] != null && Request.IsSecureConnection)
        {
            string passedSessionId = Request.QueryString["sid"];
            Session.Abandon();
            Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", passedSessionId));
            Response.Redirect(Request.Url.LocalPath, true);
        }
    }

Also, with regard to somebody clicking on an external link whilst browsing the SSL purchase.aspx page, I've written the following in the global.asax to redirect traffic back to standard non-SSL pages if it's not the payment page.

    void Application_BeginRequest(object sender, EventArgs e)
    {
        bool isPaymentPage = (Request.Path.ToLower().IndexOf("payment.aspx") != -1);

        // In case someone has navigated away from the payment page, redirect them back to the non-secure protocol.
        if (!isPaymentPage && Request.IsSecureConnection)
        {
            // Leave .axd handler requests on https.
            bool isAxdResource = (Request.Path.ToLower().IndexOf(".axd") != -1);

            if (!isAxdResource)
            {
                // Swap only the scheme; lower-casing the whole URL would also alter the path and query string values.
                string url = "http://" + Request.Url.AbsoluteUri.Substring("https://".Length);
                Response.Redirect(url, true);
            }
        }
    }

Hope somebody finds this useful, I was stuck for a while trying to come up with a nice solution.

My inspiration came from this url.
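
An added example, not part of the original answer: the redirect above puts Session.SessionID in the query string, where it is recorded in browser history, server logs and Referer headers, and Session_Start adopts whatever sid value arrives. One way to narrow that is a single-use, short-lived ticket that the server maps back to the session ID. The class HandoffTickets, its members and the 30-second lifetime are assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Hypothetical helper (not from the original answer): one-time tickets for the
// http -> https handoff, so the session ID itself never appears in a URL.
// Assumes a single web server; a web farm would need a shared store instead.
public static class HandoffTickets
{
    private sealed class Entry { public string SessionId; public DateTime ExpiresUtc; }

    private static readonly ConcurrentDictionary<string, Entry> Pending =
        new ConcurrentDictionary<string, Entry>();

    // Assumed lifetime: long enough for a redirect, short enough to limit reuse.
    public static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(30);

    // Call from btnPurchase_Click instead of placing Session.SessionID in the URL.
    public static string Issue(string sessionId, DateTime nowUtc)
    {
        // Drop tickets that expired without being redeemed so the store stays small.
        foreach (var pair in Pending)
        {
            Entry dead;
            if (nowUtc > pair.Value.ExpiresUtc) Pending.TryRemove(pair.Key, out dead);
        }

        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        // Hex output is safe to place in a query string without escaping.
        string ticket = BitConverter.ToString(bytes).Replace("-", "");
        Pending[ticket] = new Entry { SessionId = sessionId, ExpiresUtc = nowUtc + Lifetime };
        return ticket;
    }

    // Call from Session_Start; returns false for unknown, reused or expired tickets.
    public static bool TryRedeem(string ticket, DateTime nowUtc, out string sessionId)
    {
        sessionId = null;
        Entry entry;
        // TryRemove is atomic, so only the first request presenting a ticket succeeds.
        if (string.IsNullOrEmpty(ticket) || !Pending.TryRemove(ticket, out entry))
            return false;
        if (nowUtc > entry.ExpiresUtc) return false;
        sessionId = entry.SessionId;
        return true;
    }
}
```

In Session_Start, the session cookie would then be set only when TryRedeem returns true for the value read from the query string.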

License: CC-BY-SA with attribution
Not affiliated with StackOverflow