Search code examples
asp.netsessioniisasp-classiciis-express

HTTPS to HTTP ASP share cookie and session on IIS Express

How to configure IIS Express like IIS 8.0 for ASP classic.

Yes when you use IIS 8.0 you have an option, "new ID on secure connection" on ASP settings page, set to false, the session is not lost between http and https

But I don't find the same option on IIS Express, and when I redirect https on http, my session is lost.

Is for https to http for encrypt login page

"https://mysite:44300/login.asp" -> "http://mysite:4540/home.asp"

Please help me.

Thanks

Solution

  • Already worked it out in the comments but for completeness

    IIS Express does not have any limits on functionality

    From ScottGu's Blog - Introducing IIS Express
    We have been working on a new flavor of IIS 7.x that is optimized for developer scenarios that we are calling “IIS Express”. We think it combines the ease of use of the ASP.NET Web Server with the full power of IIS. Specifically:

    • It’s lightweight and easy to install (less than 10Mb download and a super quick install)
    • It does not require an administrator account to run/debug applications from Visual Studio
    • It enables a full web-server feature set – including SSL, URL Rewrite, Media Support, and all other IIS 7.x modules
    • It supports and enables the same extensibility model and web.config file settings that IIS 7.x support
    • It can be installed side-by-side with the full IIS web server as well as the ASP.NET Development Server (they do not conflict at all)
    • It works on Windows XP and higher operating systems – giving you a full IIS 7.x developer feature-set on all OS platforms

    Having said that it is a bit trickier to work with because the GUI has very limited functionality. The only option available is to use the powerful Configuration Schema in-built to IIS that is also supported by IIS Express.

    You will need to add the following value to the web.config file in the root of your IIS Web application.

    <system.webServer>
   <asp>
     <session keepSessionIdSecure="false" />
   </asp>
</system.webServer>

    which is the equivalent to the GUI property New ID on Secure Connection.

    Note: This should work but if you have problems getting it to work you may find that adding it to the applicationHost.config works better. See Answer to Classic ASP session weirdness between HTTP and HTTPS