I was told by an MS engineer that every time the browser connects to the server the session variables are sent to the server from the browser (well, actually references to the session variables) and that the way to prevent session hijacking is to force an SSL connection at all times.
So, I am using this code from MS to force SSL connections:
Code:
' MS sample as posted: if the request arrived on the plain-HTTP port,
' rebuild the same host + path as an https:// URL and send the browser there.
' SERVER_PORT is returned as a string, so compare against "80".
If Request.ServerVariables("SERVER_PORT") = "80" Then
    Dim strSecureURL
    strSecureURL = "https://"
    strSecureURL = strSecureURL & Request.ServerVariables("SERVER_NAME")
    strSecureURL = strSecureURL & Request.ServerVariables("URL")
    ' Note: only SERVER_NAME and URL are copied, so any query string on the
    ' original request is not carried over to the HTTPS URL.
    Response.Redirect strSecureURL
End If
'Assumes the following conditions:
'- IIS is running on standard ports:
'- HTTP = Port 80
'- HTTPS = Port 443
'- IIS has a valid SSL certificate installed.
'- The Web site or virtual server that is used does not use HTTP/1.1 host headers for name resolution.
But it seems to me that this might still be insecure since the browser first makes a non-SSL connection to the server before it's redirected to make an SSL connection.
Am I correct?
When do the session variables actually get sent?
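To make the timing concrete, here is an added Python example (not code from the original post, and not Microsoft's sample) that simulates the browser's cookie rules with the standard library's http.cookiejar. The hostname, the ASPSESSIONIDxxxxxxxx cookie name and its value are constructed for the example. It shows that the session cookie, when it was issued without the Secure attribute, is attached to the initial http:// request, which is the very request the port check above only answers with a redirect after it has arrived in clear text; a cookie issued with Secure is withheld on http:// and only travels over https://. Whether the session cookie actually carries Secure depends on the server configuration, which this example does not model.

```python
import email.message
import http.cookiejar
import urllib.request

HOST = "www.example.com"  # constructed hostname (assumption, not from the post)

# Constructed Set-Cookie values in the ASPSESSIONIDxxxxxxxx=... shape that
# classic ASP emits; the name suffix and the value are made up for the example.
SESSION_COOKIE_PLAIN = "ASPSESSIONIDQGQGQGQG=ABCDEFGHIJKLMNOPQRSTUVWX; Path=/"
SESSION_COOKIE_SECURE = SESSION_COOKIE_PLAIN + "; Secure"


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response object: CookieJar only calls
    .info() on it and reads the Set-Cookie headers from the result."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message keeps duplicate headers

    def info(self):
        return self._headers


def browser_after_login(set_cookie_value):
    """Return a cookie jar in the state a browser would be in after
    https://HOST/login.asp answered with the given Set-Cookie header."""
    jar = http.cookiejar.CookieJar()  # default policy: browser-like Netscape rules
    login_request = urllib.request.Request(f"https://{HOST}/login.asp")
    jar.extract_cookies(_SetCookieResponse([set_cookie_value]), login_request)
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the browser would attach to a request for url,
    or None if the jar's rules hold the cookie back (e.g. Secure over http)."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def session_id_sent(set_cookie_value, scheme):
    """True if the session cookie issued at login travels with the next request
    for scheme://HOST/default.asp, i.e. with the request that a server-side
    port check can only answer with a redirect after it has already arrived."""
    jar = browser_after_login(set_cookie_value)
    return cookie_header_for(jar, f"{scheme}://{HOST}/default.asp") is not None


if __name__ == "__main__":
    for label, value in (("no Secure flag", SESSION_COOKIE_PLAIN),
                         ("with Secure flag", SESSION_COOKIE_SECURE)):
        for scheme in ("http", "https"):
            sent = session_id_sent(value, scheme)
            print(f"{label:17s} {scheme}://{HOST}/default.asp -> "
                  f"{'session ID sent' if sent else 'session ID withheld'}")
```

Running it prints four lines; the one to look at is the plain cookie over http://, where the session ID is sent before any server-side code runs. The redirect only stops the page content from being served in clear text, not the session ID that was already on the wire.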