I have two ASP.NET applications that are located in two different folders on my server:

/Foo: a standard insecure application
/Secure: a standalone application that requires SSL over IIS

The problem is that by default, the ASP.NET_SessionId cookie is specified on the domain and is shared between the two applications in different directories. I need the session cookie to be different, because I cannot allow a cookie captured on /Foo to access the /Secure application.
Ideally, I would like each application cookie to be limited by the cookie Path property. There seems to be no way to do this in .Net out of the box.
As an added headache, even if I write special code to set the path on the cookie, I'm afraid that some browsers are case sensitive and will not use the same cookie for /Foo and /Foo, which, depending on how links are built, can lead to multiple sessions in one application.
Has anyone encountered and overcome this problem?
Chad Gilbert
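The cookie scoping the question describes, as an added example that is not part of the original post: a sketch of the RFC 6265 path-match rule showing which cookies a browser attaches to requests for each folder, including the case-sensitivity effect. The host `example.test` and the cookie names `FooSession` and `SecureSession` are hypothetical, and the cookie jars are constructed sample data.

```javascript
// RFC 6265 section 5.1.4 path-match. The comparison is case-sensitive.
function pathMatch(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  // A prefix only counts on a "/" boundary, so "/Foo" does not match "/Foobar".
  return cookiePath.endsWith("/") || requestPath.charAt(cookiePath.length) === "/";
}

// Names of the cookies a browser would attach to a request for `url`.
function cookiesSent(jar, url) {
  const u = new URL(url); // URL lowercases the host but preserves path case
  return jar
    .filter(c => pathMatch(u.pathname, c.path))
    .filter(c => !c.secure || u.protocol === "https:") // Secure flag: HTTPS only
    .map(c => c.name);
}

// Constructed jar 1: the default behaviour from the question, one session
// cookie with Path=/ and no Secure flag, shared by both applications.
const defaultJar = [{ name: "ASP.NET_SessionId", path: "/", secure: false }];

// Constructed jar 2: one cookie per application (hypothetical names),
// limited by Path, with the Secure flag on the SSL application's cookie.
const scopedJar = [
  { name: "FooSession", path: "/Foo", secure: false },
  { name: "SecureSession", path: "/Secure", secure: true },
];

function demo() {
  const urls = [
    "http://example.test/Foo/page.aspx",
    "https://example.test/Secure/page.aspx",
    "http://example.test/Secure/page.aspx",  // plain HTTP to the SSL app
    "https://example.test/secure/page.aspx", // same folder, different case
    "http://example.test/Foobar/page.aspx",  // sibling folder sharing a prefix
  ];
  return urls.map(url => ({
    url,
    defaultJar: cookiesSent(defaultJar, url),
    scopedJar: cookiesSent(scopedJar, url),
  }));
}

console.table(demo().map(r => ({
  url: r.url,
  defaultJar: r.defaultJar.join(","),
  scopedJar: r.scopedJar.join(","),
})));
```

With the default jar the same session cookie goes to every URL, including plain-HTTP requests; with the scoped jar the `/secure` request carries no cookie at all, which is the extra-session effect the question worries about.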