What is common practice for coding web applications where part of the site has to be secured (e.g. checkout section) and part not necessarily, let’s say homepage? As far as I know sharing sessions in between HTTP and HTTPS parts of the site is not easily possible (or is it?). What would be common approach if I wanted to display on HTTP page like homepage, shopping cart data (items) that users ordered on HTTPS pages? How those two parts of the site would communicate if necessary? Also isn’t it security flaw in popular shopping carts as it seems that many of these have only checkout pages secured (SSL) and the rest not?
I’m using PHP if it makes any difference.
What is common practice for coding web applications where part of the site has
Share
The simplest answer is to have all links to your “secure” pages link to https://. Obviously this can be somewhat of a nightmare depending on the site.
Another alternative is to set up URL rewrite rules to automatically direct secure pages to https:// if trying to access them via http://
Check out mod_rewrite for Apache if you are not familiar with the concept. Depending on what web server you are using there are other options available to achieve the same functionality, but that should give you an idea of what your options are. I assume since you’re using PHP that you’re using Apache, but could not be the case?
I would say that is probably the most common approach. If all of the secure pages reside in a given directory, that makes it even easier as you can write rules to say that everything in that directory must be requested via https://, otherwise http:// is suitable.