Forum OpenACS Development: Re: Adding ad_session_id_secure cookie

Posted by Dave Bauer on
I found a problem with this.

Because the system only checks either the ad_session_id or the ad_session_id_secure cookie, depending on whether you enter in HTTP or HTTPS, when you change from HTTP to HTTPS (to log in, for example) the session_id cookie that was set in HTTP will not be read and the session_id will change.

This would be a problem for an ecommerce site where you saved items in your shopping cart in HTTP and then were redirected to HTTPS to check out.

The only solution I can imagine is to send the session_id in the URL when switching from HTTP to HTTPS or back.

Then the security handler would need a way to extract that from the URL.
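An added illustration of the failure described above (example code, not from the post or from OpenACS): a browser that sends a cookie marked Secure only over HTTPS, and a server that reads ad_session_id on HTTP but ad_session_id_secure on HTTPS. The cookie names are the ones in this thread; the classes, the cart and the session ids are constructed for the example.

```python
import secrets


class BrowserCookieJar:
    """Minimal model of a browser: a cookie marked Secure is only sent over https."""

    def __init__(self):
        self.cookies = {}  # name -> (value, secure flag)

    def store(self, set_cookie_headers):
        for name, value, secure in set_cookie_headers:
            self.cookies[name] = (value, secure)

    def cookies_for(self, scheme):
        return {n: v for n, (v, secure) in self.cookies.items()
                if scheme == "https" or not secure}


class Server:
    """Session lookup as the post describes: one cookie per scheme, each checked
    on its own, so a session started over HTTP is invisible over HTTPS."""

    def __init__(self):
        self.sessions = {}  # session_id -> cart contents (constructed)

    def handle(self, scheme, cookies):
        name = "ad_session_id_secure" if scheme == "https" else "ad_session_id"
        session_id = cookies.get(name)
        set_cookie = []
        if session_id not in self.sessions:
            # No usable cookie for this scheme: mint a fresh session.
            session_id = secrets.token_hex(8)
            self.sessions[session_id] = []
            set_cookie.append((name, session_id, scheme == "https"))
        return session_id, set_cookie


def cart_after_checkout_redirect():
    """Add an item over HTTP, then follow the redirect to HTTPS.
    Returns (same session id on both schemes?, cart visible at checkout)."""
    server, jar = Server(), BrowserCookieJar()
    http_sid, headers = server.handle("http", jar.cookies_for("http"))
    jar.store(headers)
    server.sessions[http_sid].append("widget")  # item added in the HTTP cart
    https_sid, headers = server.handle("https", jar.cookies_for("https"))
    jar.store(headers)
    return http_sid == https_sid, server.sessions[https_sid]
```

Running `cart_after_checkout_redirect()` shows the session id changing on the switch and the checkout page seeing an empty cart, which is the shopping-cart scenario in the post.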