I'm working on a website that uses a non-secured asp.net session cookie. The session is shared between http and https. We want to use different sessions for http and https (because of security reasons).

Is this configurable in ASP.NET? The httpCookies config element in system.web isn't specific enough. I'd rather not programmatically build this.

If it's not possible, what approach should I take?

+1  A: 

I would set up the https files in a folder called "Secure" as a sub-application of the http app in IIS. Right click on My Computer (or Computer in Windows Server 2008) and click on "Manage". Expand Services, then Internet Information Service, then Websites. Then, expand your website and right click on the "Secure" folder that you just created. On the default tab, click Create Application. Anytime that you have a switch to an https page, make sure that you are using "https://www.yourdomain.com/Secure/" on the front of the URL. I would just use a Configuration Setting in web.config to set that URL string as a programmatically accessible value. Then, your https sub-application will set you a new session cookie as it is a separate application.

Jeremy Sullivan
In the current setup of my website this isn't possible; however, this probably is a good approach.
Jaap
I understand. Give me more detail about your application.
Jeremy Sullivan
Complicated, I've consulted with one of my peers. Thanks for the answer
Jaap
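
A configuration sketch of the sub-application approach from the answer above, added here as an example and not taken from either poster. The key `SecureBaseUrl` and the cookie name `SecureSessionId` are assumed names; the distinct `cookieName` and `requireSSL="true"` are additions so that the https application's session cookie is a different cookie from the one the http site uses (ASP.NET issues the session cookie with path `/`) and is never sent over plain http.

```xml
<!-- File 1: web.config of the parent (http) application -->
<configuration>
  <appSettings>
    <!-- Assumed key name; base URL used whenever a link switches to https -->
    <add key="SecureBaseUrl" value="https://www.yourdomain.com/Secure/" />
  </appSettings>
  <system.web>
    <!-- Parent keeps the default session cookie name (ASP.NET_SessionId) -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />
  </system.web>
</configuration>

<!-- File 2: web.config of the "Secure" sub-application -->
<configuration>
  <system.web>
    <!-- Own cookie name (assumed) so the browser holds two separate session cookies -->
    <sessionState mode="InProc" cookieless="UseCookies"
                  cookieName="SecureSessionId" timeout="20" />
    <!-- Mark every cookie this application issues as Secure and HttpOnly -->
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
  </system.web>
</configuration>
```

In the browser's cookie list the two applications should then show two session cookies, with only `SecureSessionId` carrying the Secure flag.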