I'm trying to setup a site (based on Retail) with a non-secure host name of 
nationalrecoverystore.com and a secure host name of rapidexposure.com. (With
 an application path of recovery).  I can go through the site and place item
s into the basket and go th
e the summary page.  On clicking checkout on the summary page the page tries
 to go to rapidexposure.com/recovery/crdcard.asp (https) as I believe it sho
uld but then it is redirected to the basket. It appears that it has lost the
 auth cookie when moving fr
om non-secure to secure.  Is there a detailed guide/docs for this situation?
 Any help is much appreciated.

Thank you,
--Geri

[ Post a follow-up to this message ]

Your problem is rooted in the browser rules for cookies. A browser will not
send a cookie to a domain other than the one it was created for. In your
example, the cookie belongs to domain nationalrecoverystore.com and you are
expecting it to be transmitted to rapidexposure.com, this violates the
browser rules and the cookie will not be sent. As an alternative, you could
supply the cookie code to the rapidexposure.com domain in the URL redirect
query string, and have the page at rapidexposure.com write out the cookie
from that domain.

Austin Skyles

This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.
© 2002 Microsoft Corporation. All rights reserved.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
Get Secure!  For more info visit http://www.microsoft.com/security.
Please reply to the newsgroups only.  Thanks


--------------------
Thread-Topic: Lost cookie from non-secure to secure host
thread-index: AcRjuUMAiJ/grD4eQ/2LGP4JHlbC1w==
X-WBNR-Posting-Host: 68.118.206.6
From: "examnotes"
<Rapidexposure@discussions.microsoft.com>
Subject: Lost cookie from non-secure to secure host
Date: Tue, 6 Jul 2004 17:28:01 -0700
Lines: 4
Message-ID: <C3B8E874-ED38-43CB-88BC-44A5161B7A05@microsoft.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="Utf-8"
Content-Transfer-Encoding: 7bit
X-Newsreader: Microsoft CDO for Windows 2000
Content-Class: urn:content-classes:message
Importance: normal
Priority: normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Newsgroups: microsoft.public.commerceserver.general
NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 127.0.0.1
Path: cpmsftngxa06.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
Xref: cpmsftngxa06.phx.gbl microsoft.public.commerceserver.general:14199
X-Tomcat-NG: microsoft.public.commerceserver.general

I'm trying to setup a site (based on Retail) with a non-secure host name of
nationalrecoverystore.com and a secure host name of rapidexposure.com.
(With an application path of recovery).  I can go through the site and
place items into the basket and go the the summary page.  On clicking
checkout on the summary page the page tries to go to
rapidexposure.com/recovery/crdcard.asp (https) as I believe it should but
then it is redirected to the basket. It appears that it has lost the auth
cookie when moving from non-secure to secure.  Is there a detailed
guide/docs for this situation? Any help is much appreciated.

Thank you,
--Geri

[ Post a follow-up to this message ]

Thanks, I thought perhaps there was some magic going on under the covers in 
Commerce Server. From your response I have to assume that unless I write spe
cial code to enable the "pass" from one domain to another (via URL) my only 
options are to stay in the
same base domain (ie., nationalrecoverystore.com --> secure.nationalrecovery
store.com) -- is this true?  thanks again for your response.
--Geri


"Austin Skyles [MSFT]" wrote:

> Your problem is rooted in the browser rules for cookies. A browser will no
t
> send a cookie to a domain other than the one it was created for. In your
> example, the cookie belongs to domain nationalrecoverystore.com and you ar
e
> expecting it to be transmitted to rapidexposure.com, this violates the
> browser rules and the cookie will not be sent. As an alternative, you coul
d
> supply the cookie code to the rapidexposure.com domain in the URL redirect
> query string, and have the page at rapidexposure.com write out the cookie
> from that domain.
>
> Austin Skyles
>
> This posting is provided "AS IS" with no warranties, and confers no rights
.
> You assume all risk for your use.
> © 2002 Microsoft Corporation. All rights reserved.
> Use of included script samples are subject to the terms specified at
> http://www.microsoft.com/info/cpyright.htm
> Get Secure!  For more info visit http://www.microsoft.com/security.
> Please reply to the newsgroups only.  Thanks
>
>
> --------------------
> Thread-Topic: Lost cookie from non-secure to secure host
> thread-index: AcRjuUMAiJ/grD4eQ/2LGP4JHlbC1w==
> X-WBNR-Posting-Host: 68.118.206.6
> From: "examnotes"
> <Rapidexposure@discussions.microsoft.com>
> Subject: Lost cookie from non-secure to secure host
> Date: Tue, 6 Jul 2004 17:28:01 -0700
> Lines: 4
> Message-ID: <C3B8E874-ED38-43CB-88BC-44A5161B7A05@microsoft.com>
> MIME-Version: 1.0
> Content-Type: text/plain;
> 	charset="Utf-8"
> Content-Transfer-Encoding: 7bit
> X-Newsreader: Microsoft CDO for Windows 2000
> Content-Class: urn:content-classes:message
> Importance: normal
> Priority: normal
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
> Newsgroups: microsoft.public.commerceserver.general
> NNTP-Posting-Host: TK2MSFTNGXA03.phx.gbl 127.0.0.1
> Path: cpmsftngxa06.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl
> Xref: cpmsftngxa06.phx.gbl microsoft.public.commerceserver.general:14199
> X-Tomcat-NG: microsoft.public.commerceserver.general
>
> I'm trying to setup a site (based on Retail) with a non-secure host name o
f
> nationalrecoverystore.com and a secure host name of rapidexposure.com.
> (With an application path of recovery).  I can go through the site and
> place items into the basket and go the the summary page.  On clicking
> checkout on the summary page the page tries to go to
> rapidexposure.com/recovery/crdcard.asp (https) as I believe it should but
> then it is redirected to the basket. It appears that it has lost the auth
> cookie when moving from non-secure to secure.  Is there a detailed
> guide/docs for this situation? Any help is much appreciated.
>
> Thank you,
> --Geri
>

[ Post a follow-up to this message ]