tags:

views:

63

answers:

3
Q: 

How to communicate/share a session between pages over HTTP and HTTPS

What is common practice for coding web applications where part of the site has to be secured (e.g. checkout section) and part not necessarily, let's say homepage? As far as I know sharing sessions in between HTTP and HTTPS parts of the site is not easily possible (or is it?). What would be common approach if I wanted to display on HTTP page like homepage, shopping cart data (items) that users ordered on HTTPS pages? How those two parts of the site would communicate if necessary? Also isn't it security flaw in popular shopping carts as it seems that many of these have only checkout pages secured (SSL) and the rest not? I'm using PHP if it makes any difference.

A: 

Its pretty common practice to use cookies to store cart data throughout a site. Security isn't an issue because you only care about your credit card data going over the wire. The list of things I want to buy isn't particularly sensitive.

DancesWithBamboo  2010-05-11 23:38:59
A: 

The simplest answer is to have all links to your "secure" pages link to https://. Obviously this can be somewhat of a nightmare depending on the site.

Another alternative is to set up URL rewrite rules to automatically direct secure pages to https:// if trying to access them via http://

Check out mod_rewrite for Apache if you are not familiar with the concept. Depending on what web server you are using there are other options available to achieve the same functionality, but that should give you an idea of what your options are. I assume since you're using PHP that you're using Apache, but could not be the case?

I would say that is probably the most common approach. If all of the secure pages reside in a given directory, that makes it even easier as you can write rules to say that everything in that directory must be requested via https://, otherwise http:// is suitable.

jaywon  2010-05-11 23:43:12
yes, shared hosting on apache
spirytus  2010-05-11 23:49:12
A: 

I can tell you what I did for an ecommerce site I created from scratch. His whole site is HTTP, which includes checking out with a check (ie they fill in their info, an invoice is generated and a check is snail mailed to the seller). But, the credit card processing is done on Paypal's side, which is HTTPS. But, in order to get the cart data to Paypal I used hidden post elements, and Paypal did the rest.

Not the greatest system, but it works.

Nathan Adams  2010-05-12 14:03:18

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.