My site has https sections (ssl), and others are regular http (not using ssl).

Are there any issues going from ssl to non-ssl pages?

Sometimes the user will click on a link, which will be ssl, then click on another link that leaves https for http based urls.

I understand that when on an ssl page, all images also have to be served using https.

What other issues do I have to handle?

I recall that a popup sometimes displays telling the user about a security issue, like some content isn't secure. I am guessing that is when you are under https and the page is loading images that are not under https.

A: 

If you are using sessions on your site you will lose any session information when switching between ssl pages and non-ssl pages.

Miyagi Coder
@miyagi - Not if you decouple the session to a state server/sql server and keep the session id in a common domain cookie.
Joel Etherton
+1  A: 

Mixing is generally a bad idea just because it tends to detract from the user experience and coding around the differences makes the application that much harder to maintain. If you need SSL for even a little of the site, I'd recommend putting it all behind SSL. Some companies use a hybrid for the public "low end" site and SSL for the actual customer experience.

As Miyagi mentioned, session sometimes gets goofy, but it's not impossible if you keep the session stored in an external location. This means all session objects must be serializable, compact, etc., and it also means you'll need to manage the sessionid in a common browser element (cookie is usually the safest).

Joel Etherton
+1  A: 

There is a good article on The Codeproject about this topic. The author encapsulates the switching by code and configuration. Not so long ago I tried to go this way, and stopped. There were some handling problems. But the main reason for stopping was the bad user experience mentioned by Joel before.

Dirk
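
The "some content isn't secure" popup from the question can be checked for before a page ships. The following is an added example, not code from this thread: a scanner that separates subresources an https page would fetch over http (which trigger the warning) from ordinary links that navigate to http pages (which do not). The `scan` helper, the tag list and the `shop.example` markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute whose URL the browser fetches as part of the page.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                     "audio": "src", "video": "src", "source": "src",
                     "embed": "src", "object": "data"}
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload"}  # <link> rels that fetch

class MixedContentScanner(HTMLParser):
    """Finds subresources an HTTPS page would load over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []    # (tag, url): subresources that trigger the warning
        self.http_links = []  # (tag, url): navigation to http://, no warning

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._check(tag, attrs.get("href"), self.http_links)
        elif tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if rels & FETCHING_LINK_RELS:
                self._check(tag, attrs.get("href"), self.insecure)
        elif tag in SUBRESOURCE_ATTRS:
            self._check(tag, attrs.get(SUBRESOURCE_ATTRS[tag]), self.insecure)

    def _check(self, tag, value, bucket):
        if not value:
            return
        # Relative and protocol-relative ("//host/x") URLs inherit the page scheme.
        absolute = urljoin(self.page_url, value.strip())
        if urlparse(absolute).scheme == "http":
            bucket.append((tag, absolute))

def scan(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.insecure, scanner.http_links

# Constructed sample markup for a page served at https://shop.example/checkout
SAMPLE = """<link rel="stylesheet" href="http://shop.example/site.css">
<img src="/img/logo.png"><img src="http://shop.example/img/banner.png">
<script src="//cdn.example/lib.js"></script>
<a href="http://shop.example/catalog">Back to catalog</a>"""
if __name__ == "__main__":
    print(scan("https://shop.example/checkout", SAMPLE))
```

On the sample, the stylesheet and the banner image are reported as insecure subresources, while the catalog link is listed only as navigation.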