I have an ecommerce website written in Classic ASP that uses Session to store shopping cart content and other things.
Items are added to the cart in HTTP and when the user checks out they are taken to HTTPS. At this point there is no issue, the HTTPS checkout page gets the Session values correctly.
Problem is that if they click to go back to the shopping cart (HTTP) the Session is lost.
If they then add items to the cart they show correctly in the shopping cart (HTTP).
But when they checkout again (HTTPS) the items that were in the original Session before it disappeared are back.
If they go back to the HTTP shopping cart page the different items are there.
So in summary the first time I transition from HTTP to HTTPS it works fine, but after that it is like there is two independent Sessions.
The domain name is exactly the same for HTTP and HTTPS.
The website is hosted in a shared hosting environment. It is IIS7 on a 64-bit Server.
I have tried integrated and classic managed pipeline mode.
In web.config I have made the setting for same sessions for HTTP and HTTPS, like this:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<location path="Default Web Site">
<system.webServer>
<asp>
<session keepSessionIdSecure="false" />
</asp>
</system.webServer>
Any idea how I can fix this problem?
Update: Looking at the HTTP headers it seems that when it goes to HTTPS that a second ASP Session Cookie is created. Not sure why that clears the first one. When back to HTTP there is only the original cookie but it no longer has any values in the session so presumably the new cookie has been assigned and the previous one is no longer valid.