Rick Strahl's Weblog  

Loosing a Cookie when switching from http:// to https://



I recently changed the code in my online West Wind Web Store to specifically write the one cookie I use in the app to a specific path so that there's no interference with other virtuals also running the store. I thought this was necessary to run successfully with multiple stores.

 

Changing Cookie paths is easy enough and since I use a common cookie class this was easy to do in one place by just making sure that the app writes out the cookie with a common path. By default I write out the Application path with something like this:

 

    public void WriteCookie(string Value, bool NonPersistent)
    {
        HttpCookie Cookie = new HttpCookie(CookieName, Value);

        // Scope the cookie to this application's virtual directory
        Cookie.Path = HttpContext.Current.Request.ApplicationPath + "/";

        // Persistent cookies get an expiration date; otherwise the cookie is a session cookie
        if (!NonPersistent)
            Cookie.Expires = DateTime.Now.AddMonths(CookieTimeoutInMonths);

        HttpContext.Current.Response.Cookies.Add(Cookie);
    }

 

I tested this locally and it worked just dandy, so this seemed like an easy enough fix for multiple store cookie overlap.

 

But surprise, surprise, I didn't test with HTTPS/SSL. The live store switches from http:// to https:// once the order is submitted, and with the application-path-scoped cookie it turns out both IE and FireFox lose the cookie in this transition. If the user was previously logged in to his profile, the profile is lost.

 

Worse, even trying to reconnect the cookie under https seems to fail – it looks like under https cookie paths don't work. Every time I try to reconnect to a new cookie after assigning it, it is lost.

 

The code starts working on the live site as soon as I comment out the Path assignment.

 

    // Cookie.Path = HttpContext.Current.Request.ApplicationPath + "/";

 

Put the above code back in and - boom - it fails to work again.

 

I took a look at the cookie files and the cookies look just fine. The requests go from http:// to https:// without any code manipulating the cookie – the cookie just disappears.

 

    WebStoreUser
    12139eff
    www.west-wind.com/wwstore/
    1024
    4039391232
    30053033
    3782347520
    29759130
    *

 

What's odd is that I can see the cookie file actually change as I go through these requests in the http to https transition. If I run the same exact code without the https transition it works fine. If I remove the path from the cookie, it works fine as well.

 

Weird. 

 

Now, lest you think I track my profile with a cookie – no, the cookie is used only to attach to the profile once. The cookie is a permanent cookie I write out so users can automatically reattach to their profile when they return to the site. After the initial cookie lookup a Session variable tracks the user's customer id that points at the customer record. But of course when the cookie goes, the ASP.NET Session Cookie goes with it so the customer link is lost.

 

I'm not quite sure what the heck is happening because I don't have a tool to examine the secure https content (Fiddler doesn't work with https) to see where the cookie gets dropped.

 

It works now having changed back to the root path, but anybody have any idea why a virtual path would fail in https?

 


The Voices of Reason


 

albert braun
January 11, 2006

# re: Loosing a Cookie when switching from http:// to https://

for what it's worth, a couple thoughts, in case you haven't already tried these:

does explicitly setting the 'Secure' bool to true on the HTTPCookie help anything?

does the name on the cert exactly match the server name in the url?


Rick Strahl
January 11, 2006

# re: Loosing a Cookie when switching from http:// to https://

I can't really set the secure flag on the cookie because when the cookie gets created it usually isn't secure. It needs to be able to switch. The Cert matches the server name exactly, yes.

Mark Berryman
January 30, 2006

# re: Loosing a Cookie when switching from http:// to https://

Any chance the path stored in the cookie differs in case from the secure URL? Cookie paths are case sensitive on the client.

Sam
February 10, 2006

# re: Loosing a Cookie when switching from http:// to https://

I have the same issue and never found a solution.

Rick Strahl's Web Log
October 15, 2006

# Application level Cookie Management for ASP.NET apps - Rick Strahl's Web Log

Cookie handling in applications can be repetitive and if you access and must set your cookies in many places of the application a logic change can quickly break a lot of code. Abstracting cookies into a class that contains all related logic reduces the amount of code and makes things much more maintainable.


Eric Lawrence
November 27, 2006

# re: Loosing a Cookie when switching from http:// to https://

The newly released Fiddler2 (http://www.fiddler2.com) supports HTTPS debugging.

Sunil Warrier
December 12, 2007

# re: Loosing a Cookie when switching from http:// to https://

Hi Rick

We have the same issue, but the difference is it is not happening when it is switching between HTTP and HTTPS but when the user comes from www. and without www. Do you think giving / as the Application Path of the cookie can solve this issue?

HTTP and HTTPS are pointing to the same folder so we have no issues with path.

Many thanks for the suggestion

Kind Regards

Sunil Warrier

Queen Elizabeth
September 16, 2008

# re: Loosing a Cookie when switching from http:// to https://

Sorry to be the English police, but I believe you meant "lose" not "loose"... unless your cookies have been sleeping around...

Mike Hurt
May 18, 2009

# re: Loosing a Cookie when switching from http:// to https://

As this is quite an old post I'm sure you've all found solutions to the cookie issue(s). But just in case...

@Sunil, for cookies to work on both http://my-domain.com and http://www.my-domain.com you need to set the cookie domain to ".mydomain.com" so that it will work cross-domain.

Mike Hurt
May 18, 2009

# re: Loosing a Cookie when switching from http:// to https://

... sorry, hit return too soon...

@Rick, looks like the issue you have/had is due to the nature of cookies themselves... secure cookies are intended only to pass across an HTTPS connection and, sensibly, browsers will enforce this.

Apologies if this comment is waaaay too late :-)
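
The matching rules the comments above touch on (path case sensitivity, host-only versus domain-wide cookies, the Secure flag), as an added example that is not part of the original post or of any comment: a small JavaScript model of how RFC 6265 decides whether a cookie accompanies a request. The cookie's host and path come from the cookie file shown in the post; the request URLs and page names (`order.aspx`, `item.aspx`) are constructed, and nothing on the page establishes which rule, if any, caused the loss described.

```javascript
// Added example: cookie selection per RFC 6265 (sections 5.1.3, 5.1.4, 5.4).
// Simplified: ignores expiry, HttpOnly and IP-address hosts.

// 5.1.4: path-match is a case-sensitive prefix test on "/" boundaries.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// 5.1.3: domain-match is case-insensitive; a host-only cookie (one set
// without a Domain attribute) must match the request host exactly.
function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  const d = cookie.domain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  return !cookie.hostOnly && h.endsWith("." + d);
}

// Returns "sent", or the first rule that keeps the cookie off the request.
function whyNotSent(cookie, requestUrl) {
  const url = new URL(requestUrl);
  if (!domainMatches(url.hostname, cookie)) return "domain mismatch";
  if (!pathMatches(url.pathname, cookie.path)) return "path mismatch";
  if (cookie.secure && url.protocol !== "https:") return "Secure cookie on http";
  return "sent";
}

// Host and path as in the post's cookie file; hostOnly is an assumption
// based on WriteCookie() setting no Domain. Request URLs are constructed.
const storeCookie = { name: "WebStoreUser", domain: "www.west-wind.com",
                      hostOnly: true, path: "/wwstore/", secure: false };
const wide = { ...storeCookie, domain: ".west-wind.com", hostOnly: false };

function demo() {
  return {
    sameCase: whyNotSent(storeCookie, "https://www.west-wind.com/wwstore/order.aspx"),
    otherCase: whyNotSent(storeCookie, "https://www.west-wind.com/WWStore/order.aspx"),
    rootPath: whyNotSent({ ...storeCookie, path: "/" }, "https://www.west-wind.com/WWStore/order.aspx"),
    noWww: whyNotSent(storeCookie, "https://west-wind.com/wwstore/order.aspx"),
    domainWide: whyNotSent(wide, "https://west-wind.com/wwstore/order.aspx"),
    secureOnHttp: whyNotSent({ ...storeCookie, secure: true }, "http://www.west-wind.com/wwstore/item.aspx"),
  };
}

console.log(demo());
```

Comparing the path and host in a stored cookie against the exact URL the browser requests after the redirect is the quickest way to rule these three causes in or out.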

Zahid Khan
March 12, 2010

# re: Loosing a Cookie when switching from http:// to https://

I have cookie issues as well while transitioning between my applications, one sitting on HTTP and the other on HTTPS. These login cookies are created on the HTTP site (which has the login) and are accessible on the HTTPS site. However, during logout from the HTTP site, my logout servlet, which is on the HTTPS site, is not able to remove the login cookies. As a result the user remains logged in!

Incidentally, everything was working fine on my test environment where both applications were under HTTP. Any clues ???

dbl
April 06, 2010

# re: Loosing a Cookie when switching from http:// to https://

Hi,

oh, which Date was this, nevermind ...
The problem is not that browsers make mistakes. The problem is that https and http neither are the same server nor must contain the same domain. Netscape in its earlier versions of Navigator extended this behaviour by deciding between ports!
So it's up to the programmer to tell the new server the correct session id to use a shared session storage.

I will do it by session. If the session has been called and it's the first time the user has made a request, I will forward to either http or https to set the id. Session-surfing in a wanted manner. If it's the first time the user makes a request and gets forwarded, the foreign server and the identical software will know through a GET parameter that it only has to set the id and return to the server, which has to be configured. Otherwise it will end up in an infinite loop.

Problems for now and for all security dependent changes in future gone ...

Nithya Kannan
April 23, 2010

# re: Loosing a Cookie when switching from http:// to https://

Hi,

Were any of you able to find the solution for losing the cookie when switching between http and https?
I have the same problem.
In my application, only the login page has https (SSL). I have my cookie generated during the login process, and when the user logs in, the cookie is not passed when the request changes to http.
Since I do not have SSL enabled in my test region, it did not occur to me until I moved the code to production.
This is how I set the cookie:

    CookieUtils.setCookie(httpServletRequest,httpServletResponse,"SSO",username,-1,"/");

Please share your thoughts.

Tony ZHOU
May 26, 2010

# re: Loosing a Cookie when switching from http:// to https://

I got the same problem and am going to find a solution. I worked on asp.net form authorization.

West Wind  © Rick Strahl, West Wind Technologies, 2005 - 2024