[nycphp-talk] Switching Forth and Back Between HTTP and HTTPS
tedd
tedd at sperling.com
Sun Aug 10 19:10:45 EDT 2008
At 2:24 PM -0400 8/10/08, Michael B Allen wrote:
>Can someone share their best practices regarding transitioning between
>HTTP and HTTPS protected resources?
>
>For example, consider a page with several tabs - one of which is
>linked to a shopping cart. The shopping cart should be protected with
>HTTPS whereas the other tabs should not.
>
>It's not hard to make the shopping cart link https:// but once at the
>shopping cart page, all links back to non-SSL protected resources
>would need to be emitted (or rewritten) as full non-HTTPS URLs. And
>that's not really desirable anyway since many browsers can flag such
>pages as non-fully protected.
>
>One relatively simple solution is to maintain a list of protected
>resources and then redirect the client to HTTPS if the target is to be
>protected and the client is not already under HTTPS. If the route does
>not match and the client is under HTTPS then they are redirected back.
>The downside is that the redirection is not terribly efficient.
>
>How do you handle this scenario?
>
>Mike
Mike:
The way I do it, once you go https, you don't go back until the
transaction is approved, denied, or canceled. In fact, when it's
finished all data (i.e., session, post, get, whatever) is expunged
except for the data that's legal to keep (i.e., the order), which is
recorded in the DB. No data leaves.
That's a little hard on a shopping cart when people want to add stuff
to their order, but if that's the case, then cookie their order
before you go to https and reload the cookie when you leave.
Cheers,
tedd
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
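The "list of protected resources plus redirect" approach Mike describes, written out as a small PHP front-controller check. This is an added example, not code from either poster; the paths in PROTECTED_PATHS, the canonical host, and the helper names are assumptions.

```php
<?php
// Added example (not from the original posts). Routes that must be served
// over HTTPS are listed explicitly; everything else is plain HTTP.
// Paths and host are assumed values for this example.
const PROTECTED_PATHS = ['/cart', '/checkout', '/account'];

// Use a configured canonical host, not $_SERVER['HTTP_HOST']: the Host
// header is client-controlled and must not end up in a Location header.
const CANONICAL_HOST = 'www.example.com';

function isProtectedPath(string $path): bool
{
    foreach (PROTECTED_PATHS as $prefix) {
        if ($path === $prefix || strpos($path, $prefix . '/') === 0) {
            return true;
        }
    }
    return false;
}

// Returns the URL to redirect to, or null if the current scheme is correct.
// tedd's variant (never downgrade once in HTTPS) is the same function with
// the second branch removed.
function requiredRedirect(string $path, bool $isHttps): ?string
{
    $protected = isProtectedPath($path);
    if ($protected && !$isHttps) {
        return 'https://' . CANONICAL_HOST . $path;   // upgrade to HTTPS
    }
    if (!$protected && $isHttps) {
        return 'http://' . CANONICAL_HOST . $path;    // back to plain HTTP
    }
    return null;
}

// Front-controller usage: run before any output is sent.
$path    = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$method  = $_SERVER['REQUEST_METHOD'] ?? 'GET';

$target = requiredRedirect($path, $isHttps);
if ($target !== null) {
    if ($method !== 'GET' && $method !== 'HEAD') {
        // A 302 would drop a POSTed cart update; refuse rather than lose it.
        http_response_code(405);
        exit;
    }
    header('Location: ' . $target, true, 302);
    exit;
}
```

Links emitted on either side should stay relative so this check, not the template, decides the scheme; and the session cookie used on the HTTPS pages should carry the Secure flag, since the downgrade branch sends the browser back to HTTP where a non-Secure cookie would be sent in the clear.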