osCommerce

Help! SSL, osCsid, cookies, sessions, HTTP and HTTPS


birdflybluesky

Posted

I've been checking through these forums for months, but I am still a little confused about which pages on my site need to be sent by SSL. And when.

What got me thinking about this is, I have a 'custom' page that I made that includes application_top.php so that I can have 'login/logout', 'view_cart', and 'check_out' menu items visible on that page. When someone is logged in and navigates to and from this custom page from a regular osCommerce page, all the necessary information is available and the menus do the right thing (data is saved on the server in the session file, accessed through the session ID stored in the osCsid cookie, I think). I am not sure when this 'custom' page needs to be HTTP and when it needs to be HTTPS. There is no sensitive information or cc details on the page itself, it just has some product information.

So when a customer browses my site when NOT logged in, there is no important info passing back and forth, so as far as I understand there is no need to send this 'custom' page by HTTPS.

When the customer creates an account or logs in, then pages with sensitive information such as login, create_account, account_* and checkout_* pages need to be SSL, while product pages and other 'custom' pages that I made can still be served as HTTP, is that right?

I'm not sure if all that is correct so far, but presuming it is, let's run blindly onwards and consider cookies.

Are cookies encoded using SSL?

Even when not logged in, isn't there a session created when someone first accesses the site? Isn't there an osCsid cookie that holds the session key, and that cookie is sent back to my site every time the customer requests another page from the same domain? So even when a customer is not logged in, if the cookie is not encoded using SSL, someone could use that cookie to get the session key and break into the session?

So that would mean that, once a session has started, every page on my site should be sent at all times using SSL.

I am sure that I haven't got it quite right, but I feel I'm almost there. Please, someone who knows more about this than I do and has passed through the clouds of mental anguish and suffering, share your wisdom!

Posted

The code determines what pages need to have SSL enabled. There is no need to be concerned about it. Cookies should not be used. They will cause a loss of customers and offer no advantage over the session IDs.

Jack

Archived

This topic is now archived and is closed to further replies.
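
An added illustration of the question raised in the first post (not part of the thread and not osCommerce code): a browser attaches a cookie to plain-HTTP requests for a matching host and path unless the cookie carries the `Secure` attribute, so a session cookie without it crosses the network unencrypted on every HTTP page. The host `shop.example`, the page names and the session value below are constructed for the example.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Return (name, attrs) from a Set-Cookie value; attribute names lower-cased."""
    pair, *rest = [part.strip() for part in header.split(";")]
    attrs = {}
    for part in rest:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return pair.partition("=")[0].strip(), attrs

def browser_sends(attrs, set_by_host, url):
    """RFC 6265 matching reduced to host, path and the Secure attribute."""
    target = urlsplit(url)
    host = (target.hostname or "").lower()
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain:
        if host != domain and not host.endswith("." + domain):
            return False
    elif host != set_by_host.lower():  # no Domain attribute: host-only cookie
        return False
    cpath = attrs.get("path") or "/"
    rpath = target.path or "/"
    prefix_ok = rpath.startswith(cpath) and (
        rpath == cpath or cpath.endswith("/") or rpath[len(cpath)] == "/")
    if not prefix_ok:
        return False
    # Secure cookies are only attached to requests made over HTTPS.
    return not ("secure" in attrs and target.scheme != "https")

def cleartext_exposures(set_cookie, set_by_host, urls):
    """URLs on which the cookie would cross the network unencrypted."""
    _, attrs = parse_set_cookie(set_cookie)
    return [u for u in urls
            if urlsplit(u).scheme == "http" and browser_sends(attrs, set_by_host, u)]

# Constructed sample data (hypothetical host, page names and session value).
WEAK = "osCsid=constructed0123456789; path=/; domain=shop.example"
HARDENED = WEAK + "; Secure; HttpOnly"
PAGES = [
    "http://shop.example/custom_page.php",   # product-only page served over HTTP
    "https://shop.example/login.php",
    "https://shop.example/checkout_page.php",
]

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, cleartext_exposures(header, "shop.example", PAGES))
```
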
