what might be causing "object reference not set to an instance.." on IIS with https but not while testing with normal http

Question

I've got a bill payment web application that I've got communicating with Authorize.net (AIM) and the application its self uses session variables to gather and store data for submission and then applies those same variables to store data entries in SQL. Initially the application worked fine when I compiled and tested in Visual Studio but when I threw it on the production IIS server (7.0), I get exceptions every time..."Object reference not set to an instance of an object". Now I realize that the error I'm getting on IIS is session variable related but get this..when I don't force https or type it in the address bar, it works just fine. Obviously I'll need SSL processing transactions but forcing https seems to be messing with my session variables. I'm using the URL rewrite function but to force https but I removed it and then manually went to https in the address bar but still the same problem.

Any ideas or way to fix the issue?

Testing both live an on a local IIS (Self-Signed Security Cert) I get the following...

    [NullReferenceException: Object reference not set to an instance of an object.]
   deco.mgobilling.com.controls.Confirmation.Page_Load(Object sender, EventArgs e) +47
   System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +51
   System.Web.UI.Control.OnLoad(EventArgs e) +92
   System.Web.UI.Control.LoadRecursive() +54
   System.Web.UI.Control.LoadRecursive() +145
   System.Web.UI.Control.LoadRecursive() +145
   System.Web.UI.Control.LoadRecursive() +145
   System.Web.UI.Control.LoadRecursive() +145
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +772

The page_load even calls session variables that were assigned on a previous page but seem to be null or lost when the site is under https. This is not the case however when the site is set to the normal http protocol.

Answer 1

IIS > Session State > Cookie Settings > Use URI

The issue is defiantly related to Session variables so I tried using Cookieless session IDs and was able to solve the issue this way. I applied the above setting without changing my Web.Config file but Web.Config settings are an option of course.

More on Session State here... ASP.NET Session State Overview

UPDATE

So after changing my IIS config to use cookieless (URI), i was able to fill out a form and go to another page to confirm what I had filled in. A new problem arose when I came back to the same form and input different data. When I input different data and press submit to confirm my entry, the data is just erased.

Back to the drawing board, I changed the "Cookie Settings" in IIS to "Use Device Profile" and tested again. So far it has work and with different sets of data and on different browsers. Hopefully this will finally take are of the issue.

FINAL UPDATE

Still yet we face the issue. It seems intermittent and happens in one web browser but not the next. After some painstaking troubleshooting, I figure that my sessions are being lost because I am communicating with another website as part of the process. The Sessions are kept between my web forms but as soon as the second web form initiates communication with another website, "plop", their gone. This is a payment process and it communicates with Authorize.Net. This may be a security thing on certain browsers and I can understand. Query Strings aren't an option and I didn't have time to set IIS to save session stated else ware but I've just got a feeling that it has something to do with browser behavior.

My final solution was to use the Control.FindControl method and grab input values from a previous page (or web user control in my case.). When I grab input values and assign them to local variables within the second page, all is well and I can then use those variables to fulfill my Authorize.Net POST, SQL storage, Email and so on.

I hope this can help someone if the future. I spend hours on Google trying to figure this one out.