I have a site that has a mix of http and https pages. Under the root of the site, one folder has all the http pages and another has all the https pages. Login is over https and sends the user to the other pages. When a session expires, the forms authentication redirects to the Login page, but the browser uses http and the user gets a 403 error.

Is there any way to override the session timeout to send it to https?

A: 

One way is to configure IIS to redirect http traffic to https:

http://support.microsoft.com/kb/839357

One thing to consider with mixed mode like that:

There is a common attack on SSL pages, which is making an http request (to an https resource) in order to obtain the unencrypted session cookie. This is why you want to configure your session cookie as encrypted-only (it would not be sent over http). I am guessing that your http and https pages share a session, which means you can't set this setting, making your site vulnerable to this attack. But it's good to be aware of this. http://anubhavg.wordpress.com/2008/02/05/how-to-mark-session-cookie-secure/

Another article you may find helpful: http://www.west-wind.com/Weblog/posts/4057.aspx

Sonic Soul
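The two points in the answer, the session cookie lacking the Secure flag and the login redirect resolving to http, can both be checked offline from response headers. The following is an added example, not code from the question or the answer: it parses a constructed `Set-Cookie` header with Python's standard `http.cookies` module and resolves a constructed `Location` header against the page URL. The cookie name `ASP.NET_SessionId`, the host `example.test` and the `/Secure/Login.aspx` path are assumptions chosen to match the scenario described above.

```python
"""Offline audit of the two issues raised in the answer:
(1) is the session cookie marked Secure (and HttpOnly)?
(2) does the forms-authentication login redirect keep the https scheme,
    and does a plain-http request get redirected to https at all?
All headers below are constructed samples; nothing touches the network."""
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def audit_set_cookie(header_value):
    """Return {cookie_name: [problems]} for one Set-Cookie header value.
    An empty problem list means the cookie carries both Secure and HttpOnly."""
    jar = SimpleCookie()
    jar.load(header_value)
    findings = {}
    for name, morsel in jar.items():
        problems = []
        # Morsel flags are True when present in the header, "" otherwise.
        if not morsel["secure"]:
            problems.append("missing Secure: cookie will also be sent over plain http")
        if not morsel["httponly"]:
            problems.append("missing HttpOnly: cookie is readable by page script")
        findings[name] = problems
    return findings


def login_redirect_uses_https(page_url, location_header):
    """Resolve the Location header against the page that issued it and
    report whether the resulting login URL is served over https.
    A relative loginUrl inherits the scheme of the page, which is exactly
    the symptom in the question when the page itself was plain http."""
    target = urljoin(page_url, location_header)
    return urlsplit(target).scheme == "https"


def redirects_http_to_https(request_url, status_code, location_header):
    """True when a plain-http request is answered with a redirect to the
    same host and path over https (what the IIS redirect in the answer does)."""
    if status_code not in REDIRECT_CODES or not location_header:
        return False
    req = urlsplit(request_url)
    tgt = urlsplit(urljoin(request_url, location_header))
    same_host = req.hostname == tgt.hostname
    return tgt.scheme == "https" and same_host and tgt.path == req.path


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    weak = "ASP.NET_SessionId=constructed0123; path=/; HttpOnly"
    fixed = "ASP.NET_SessionId=constructed0123; path=/; Secure; HttpOnly"
    for label, header in (("shared-session cookie", weak), ("secure-only cookie", fixed)):
        print(label, audit_set_cookie(header))

    # Session expired on an http page: relative redirect stays on http -> 403 later.
    page = "http://example.test/Public/Page.aspx"
    relative = "/Secure/Login.aspx?ReturnUrl=%2fPublic%2fPage.aspx"
    absolute = "https://example.test/Secure/Login.aspx?ReturnUrl=%2fPublic%2fPage.aspx"
    print("relative login redirect over https:", login_redirect_uses_https(page, relative))
    print("absolute login redirect over https:", login_redirect_uses_https(page, absolute))

    # Site-wide http -> https redirect, as the IIS KB article configures.
    print("http redirected to https:",
          redirects_http_to_https(page, 301, "https://example.test/Public/Page.aspx"))
```

The first check is the one to run against the login response: if the shared session cookie comes back without `Secure`, the cookie-over-http exposure the answer describes is present regardless of how the redirect is fixed.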