ASP Session Lost When Redirecting From Http Page To Secure Https Page

Why Are ASP Sessions Lost When Redirecting from HTTP to HTTPS in IIS?

In modern versions of IIS (IIS 10 on Windows Server 2016–2022), classic ASP applications may lose session variables when redirecting from a non-secure http:// page to a secure https:// page. This happens because IIS may generate a new session ID when switching protocols unless the session behaviour is configured correctly.

Cause of the Issue

By default, IIS may assign a new ASP session ID when a secure connection is established. This results in session data being lost during the redirect from HTTP to HTTPS.

How to Fix the Session Loss in IIS

To ensure ASP sessions persist across HTTP → HTTPS redirects, update the session settings in IIS Manager:

  • Open IIS Manager.
  • Select your website from the Connections panel.
  • Double-click the ASP feature in the Features View.
  • Expand Services → Session Properties.
  • Set Session State to True.
  • Set New ID on Secure Connection to False.
  • Click Apply in the Actions panel.

After applying these settings, IIS will maintain the same ASP session ID across both HTTP and HTTPS, preventing session data from being lost during the redirect.

Learn More About Fast2host

Fast2host has been providing reliable UK hosting, domains, cloud servers and business email since 2002. Find out more about who we are:

About Fast2host →
Was this article helpful?

mood_bad Dislike 0
mood Like 0
visibility Views: 7745

Need more information or have a question ?