Recently I installed a certificate on the website I’m working on. I’ve made as much of the site as possible work with HTTP, but after you log in, it has to remain in HTTPS to prevent session hi-jacking, doesn’t it?
Unfortunately, this causes some problems with Google Maps; I get warnings in IE saying “this page contains insecure content”. I don’t think we can afford Google Maps Premier right now to get their secure service.
It’s sort of an auction site so it’s fairly important that people don’t get charged for things they didn’t purchase because some hacker got into their account. All payments are done through PayPal though, so I’m not saving any sort of credit card info, but I am keeping personal contact information. Fraudulent charges could be reversed fairly easily if it ever came to that.
What do you guys suggest I do? Should I take the bulk of the site off HTTPS and just secure certain pages like where ever you enter your password, and that’s it? That’s what our competition seems to do.
I would take the bulk of the site off HTTPS with some exceptions of course:
To deal with the session hijacking issue, I would add another layer of authentication where you prompt them for their username and password again at checkout or whenever they try to view/update account information – basicly whenever you make a transition from http to https.