Greetings, everyone:

Firstly, sorry that my Flow description is long winded, but I think it might help with describing the problem.

Background:

Building asp.C# shopping app that is using a hosted payment page to process payments (using posting of data to a hosted payment page). SSL certificate is signed and installed.

Flow:

Prelim) (HTTPS) Users authenticate using asp Login control

1) Users add items to cart.

2) (HTTPS) Users go to checkout page.

3) Users finalize their order, then click pay now after agreeing to T&C.

4) Server gets cart data (from MSSQL2005) and sets a transaction cookie (expiry set to 20 mins).

5) (HTTPS) Server Response.Redirects to an html page (in the same folder as the login protected pages).

6) Html page reads transaction cookie data and generates form fields.

7) (HTTPS) Html page posts data to hosted payment page (php).

8) User enters payment info and clicks pay now.

9) (HTTPS) hosted payment page posts info back to a .aspx page that checks if payment OK.

10a) If payment !OK, redirects to a declined page.

10b) (HTTPS) If payment OK, sets a verification cookie (expiry set to 20 mins). Then redirects to another html page.

11) Html page reads cookie data and generates form fields.

12) (HTTPS) Html page posts data to hosted verification page (php).

13) Verification page verifies (of course) whether the transaction is OK.

14) (HTTPS) Verification page posts data to a .aspx page that checks if verification OK.

15) If verification OK, process orders and do receipt stuff.

Issue:

This control flow was tested on an unsigned dev environment. SSL was being enforced, where needed, with the unsigned SSL certificate, so we'd get prompts that the certificate may be bad, but the control flow worked seamlessly.

However, now that we are live with a signed SSL certificate, going from step 5 to 6 we are encountering a situation where some users (not duplicated every time, but verified that it does occur), when they click pay now and are redirected to the html page, are forced back to the ~/login.aspx page (as if they were logged out).

Things to note:

a) The session did not time out.

b) The browsers have cookies and javascript enabled.

c) I can process the entire flow seamlessly on the same machine with other accounts, and occasionally, the same account.

So, basically, I'm stumped... Is this a viewstate error? A login control bug that won't let me redirect to an html page because it is now using a real SSL? Anyone have any experience with this kind of deal? I'm at a loss for solutions at this point.

Any help would be greatly appreciated. Kind Regards,

jra

A: 
It's just that if you let your authentication cookie out on plain HTTP at any time during the flow, you lose the security. Secure cookies are meant to protect against this, and I'm just wondering if there might be a change in configuration in that area. – Bruno Sep 10 at 14:36

Seems this problem has been resolved. Thanks again for your assistance, Bruno!

MrFurious
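As an added example (not code from the question, the answer, or the site involved), here is a small Python model of the browser's cookie-send rule walked over the step-5 to step-9 hops of the flow above. It shows the two outcomes behind Bruno's comment: a Secure-flagged forms-auth cookie is not attached to a plain-http hop, so the protected html page bounces the user to login.aspx, while a non-Secure cookie keeps the session but travels in the clear. Host names, paths and the flow URLs are assumed placeholders.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit
AUTH_COOKIE = ".ASPXAUTH"          # ASP.NET forms-authentication cookie (default name)
HOST = "shop.example"              # assumed placeholder host, not the original site


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str
    path: str = "/"
    secure: bool = False


def cookie_sent(cookie: Cookie, url: str) -> bool:
    """Browser send rule (RFC 6265 style): a Secure cookie is never attached
    to a plain-http request; host and path must also match."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    dom = cookie.domain.lower()
    if cookie.secure and u.scheme != "https":
        return False
    if host != dom and not host.endswith("." + dom):
        return False
    path = u.path or "/"
    return path == cookie.path or path.startswith(cookie.path.rstrip("/") + "/")


def first_logout_hop(flow, cookies, protected_prefix="/secure/"):
    """First (step, url) where a protected page is requested without the auth
    cookie, i.e. where forms auth bounces to login.aspx; None if none."""
    for step, url in flow:
        sent = {c.name for c in cookies if cookie_sent(c, url)}
        if urlsplit(url).path.startswith(protected_prefix) and AUTH_COOKIE not in sent:
            return step, url
    return None


def leaked_over_http(flow, cookies):
    """Names of cookies that would travel in the clear on any http hop."""
    return sorted({c.name for _, url in flow for c in cookies
                   if urlsplit(url).scheme == "http" and cookie_sent(c, url)})


# Constructed hops for steps 5-9 of the flow; the gateway host is a placeholder.
GOOD_FLOW = [
    ("5: redirect to html page", f"https://{HOST}/secure/pay.html"),
    ("7: post to hosted payment page", "https://payments.example/pay.php"),
    ("9: gateway posts back", f"https://{HOST}/secure/result.aspx"),
]
# Same flow when the step-5 redirect resolves to an absolute http:// URL.
BAD_FLOW = [("5: redirect to html page", f"http://{HOST}/secure/pay.html")] + GOOD_FLOW[1:]
SECURE_AUTH = Cookie(AUTH_COOKIE, HOST, secure=True)   # requireSSL="true"
PLAIN_AUTH = Cookie(AUTH_COOKIE, HOST, secure=False)   # requireSSL="false"
```

Running `first_logout_hop(BAD_FLOW, [SECURE_AUTH])` names step 5 as the hop that logs the user out, while `leaked_over_http(BAD_FLOW, [PLAIN_AUTH])` shows what the non-Secure alternative costs.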