I will be allowing access to the shopping cart area in a normal HTTP area of the site, however when wishing to purchase moving the user to a secure HTTPS address.
The question is what is the best way to switch in and out of the secure area. The cart will be stored in SQL with access rights given by the user id stored in a session variable.
Because the cart relies on the session variable, when the session times out the cart is cleared on the HTTP site. Therefore the way I was going to attempt the move from HTTP to HTTPS could possibly allow the session to time out on the HTTP side, which would then cause major problems.
I am aware of the StateServer state control system but am not completely aware of how this works and whether I can use it in this scenario.
Help would be greatly appreciated as I am nearing deadlines and am stuck.
Thanks in advance
J
The use of SSL has never really been part of the sites that I have attempted; I just haven't had the need to use it. If you have time, a more in-depth explanation of how this would work would be excellent.
SSL requires getting a certificate. There really are two certificates necessary to make it work, one on the client's browser and one on the server. All the major browsers come with client certificates from the major certificate authorities, which you can see by going into IE's Tools > Internet Options dialog. Click on the Content tab. Then click Certificates. Then click on the Intermediate Certificate Authorities.
So if you obtain a certificate issued by one of those certificate authorities on your server, then one can talk to the other using SSL. A typical server certificate issued by one of these authorities costs $400 per year.
On the other hand, if you have only a few known people who will be hitting your web site, such as in a Business to Business (B2B) web site, then you can establish your own certificate authority. After you have your own certificate authority, you can issue your own browser and server certificates. Windows NT/2000/XP Server comes with certificate authority software as a checkbox in the setup. (One warning--sessions must be turned on for the certificate authority web site for this software to work--I spent a long time tracking this down when I had it turned off.)
Anyway, once you have certificates on both the browser and server, then they can talk using SSL. Normal web traffic (http) uses port 80 by default. Normal SSL traffic (https) uses port 443 by default. A web site can be configured to issue pages using both protocols (http and https). If it uses https, then the traffic is encrypted, sent over the wire, then decrypted on the other side. HTTP traffic, by contrast, is not encrypted.
To summarize, if a page is requested with the url [domain.com...] then the traffic is sent to port 80 unencrypted. On the other hand, if a page is requested with the url [domain.com...] then the traffic is sent to port 443 encrypted.
A single web site can spit out pages using both protocols. You specify SSL port info in the IIS manager dialogs. Since both http and https are part of the same web site, both share the same session info. If you want to restrict certain pages to a particular protocol, you can either write code inside the page to reject it if it isn't SSL, or specify in the IIS manager dialogs (in the Directory Security tab) that a page should only be served via SSL.
Because both http and https are part of the same web site, they should share session info. So your cart info will be maintained across the web site.
[edited by: Xoc at 9:17 am (utc) on Aug. 19, 2002]
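The "write code inside the page to reject it if it isn't SSL" option from the reply above, as an added example that is not code from the thread. It is written for ASP.NET in C# because the original poster mentions StateServer, which is an ASP.NET session mode; the class and method names (SslSwitch, RedirectUrlFor, RequireSecure, CheckoutPage) and the "UserId" session key are assumptions of mine, not anything the posters wrote. The redirect keeps host, path and query string and only changes the scheme, so the same session cookie, and therefore the same cart, is presented on the https side.

```csharp
// Added example (not from the thread): force a checkout page onto https while
// the rest of the same IIS web site stays on http. Class/method names are assumed.
using System;
using System.Web;
using System.Web.UI;

public sealed class SslSwitch
{
    // Pure decision function: returns the URL to redirect to, or null when the
    // request is already on the scheme the page requires. Kept free of
    // HttpContext so it can be reasoned about (or unit tested) without IIS.
    public static string RedirectUrlFor(Uri requestUrl, bool isSecure, bool requireSecure)
    {
        if (isSecure == requireSecure)
            return null;

        UriBuilder b = new UriBuilder(requestUrl);
        b.Scheme = requireSecure ? "https" : "http";
        b.Port = -1;   // -1 = default port for the scheme (443 or 80); assumes no custom SSL port in IIS
        return b.Uri.AbsoluteUri;   // host, path and query string are preserved
    }

    // Call at the top of Page_Load on every page that must be served over SSL.
    // Request.IsSecureConnection is true when IIS received the request on its SSL port.
    public static void RequireSecure(HttpContext ctx)
    {
        string target = RedirectUrlFor(ctx.Request.Url, ctx.Request.IsSecureConnection, true);
        if (target == null)
            return;

        // A redirect replays the request as GET, so only redirect GETs; a POSTed
        // order reaching the http side is rejected outright rather than resent.
        if (ctx.Request.HttpMethod != "GET")
        {
            ctx.Response.StatusCode = 403;
            ctx.Response.End();
            return;
        }
        ctx.Response.Redirect(target, true);
    }
}

// Code-behind for the checkout page (Checkout.aspx is assumed to exist).
public class CheckoutPage : Page
{
    private void Page_Load(object sender, EventArgs e)
    {
        SslSwitch.RequireSecure(Context);

        // The http and https sides are one IIS web site, so the ASP.NET session
        // cookie set on the http cart page is sent here too and Session is shared.
        object userId = Session["UserId"];
        if (userId == null)
        {
            // Session timed out (or never existed): the cart is gone, send the
            // user back to the http cart page to start over.
            Response.Redirect("/cart.aspx", true);   // assumed path
            return;
        }
        // ... load the cart rows for userId from SQL and render the order form ...
    }
}
```

Two practical notes. First, sharing one session across http and https works precisely because the session cookie is not marked Secure and so travels over both ports; that also means the session id, and the user id it maps to, is visible to anyone who can read the plaintext http traffic, so the cart's user id should identify the cart but should not by itself authorize payment steps. Second, if the cart is only needed to survive the scheme switch and not a worker-process recycle, the default in-process session is enough; StateServer (`<sessionState mode="StateServer" stateConnectionString="tcpip=127.0.0.1:42424" timeout="20" />` in web.config) keeps the session outside the ASP.NET worker process but does not change the timeout behaviour the original poster is worried about, which is governed by the `timeout` attribute either way.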