lifeliberty Posted March 26, 2003

Greetings,

I have OpenSSL set up on my site for the catalog homepage... How do I keep the entire users' sessions secure (i.e., how do I change all the links within the catalog from http to https)?

Many, many thanks in advance!

Ajeh Posted March 27, 2003

Note: if you do this ... the whole catalog will slow down a considerable amount.

Is there a reason you need it all to be SSL?

Change the /includes/configure.php to use your secure site for both settings rather than just one setting.

mattice Posted March 27, 2003

> Note: if you do this ... the whole catalog will slow down a considerable amount.

Not only your catalog, the complete server as it has to number crunch EVERYTHING, images, pages, the lot. That is an 'expensive' process...

So any other service / site running on that server will be significantly slower (assuming you have some traffic going on on the SSL site).

Mattice

"Politics is the art of preventing people from taking part in affairs which properly concern them"

TB Posted March 27, 2003

Is the current method of changing SSL states secure?

When a client logs in, and is then taken from SSL to Non-SSL, are we only in SSL to encrypt the password?

If using the AutoLogin contribution, is this any more or less secure? Does it also send its password through SSL when you return to the site?

What about the osc_id? Once you've logged in, and are transferred back to the Non-SSL site, your osc_id would be getting transmitted unencrypted. Even with the updated CVS and ForceCookies option, this session information would still be getting passed to the server... is this secure considering the efforts made to remove this information from the address box?

Does there need to be an option like:

HTTP - Guests
HTTPS - Secure
HTTPS or HTTP - Logged in Member (Admin option as to which one to use)

Cheers,
Tony

"The price of success is perseverance. The price of failure comes much cheaper."

M@rcel Posted March 27, 2003

> Is the current method of changing SSL states secure?

You can always put the entire store in ssl-mode. Simply set HTTP_SERVER and HTTPS_SERVER both to the ssl-host (in catalog/includes/configure.php).

> If using the AutoLogin contribution, is this any more or less secure? Does it also send its password through SSL when you return to the site?

If ssl is enabled, the autologon contribution will establish an ssl-link for password transfer upon return to the store. Furthermore, the password is md5-encrypted stored on the client and transmitted to the host.

HTH
M@rcel

Greetings from Marcel

TB Posted March 27, 2003

Thanks for the AutoLogin info...

>> Is the current method of changing SSL states secure?
>
> You can always put the entire store in ssl-mode. Simply set HTTP_SERVER and HTTPS_SERVER both to the ssl-host (in catalog/includes/configure.php).

This is what we're trying to avoid though... since it loads up the server and client resources.

I'm just trying to ascertain if the current way of switching between SSL and NON-SSL is secure.

Cheers,
Tony

"The price of success is perseverance. The price of failure comes much cheaper."
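
Added example, not part of the thread and not osCommerce code: a simplified model of the browser's cookie rule, showing which requests in a mixed SSL / non-SSL visit carry the session cookie unencrypted. The hostname, paths and cookie value are constructed; only the cookie's Secure attribute is modelled (domain, path and expiry matching are ignored).

```python
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Return (name, value, secure_flag) from a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = any(p.lower() == "secure" for p in parts[1:])
    return name, value, secure


def cookie_sent(header, url):
    """True if a browser would attach the cookie to a request for url."""
    _, _, secure = parse_set_cookie(header)
    scheme = urlsplit(url).scheme.lower()
    # A Secure cookie is only attached to HTTPS requests; any other cookie
    # is attached regardless of scheme.
    return scheme == "https" or not secure


def cleartext_exposures(header, urls):
    """URLs in a visit where the cookie crosses the network unencrypted."""
    return [u for u in urls
            if urlsplit(u).scheme.lower() == "http" and cookie_sent(header, u)]


# Constructed visit: log in over SSL, browse over plain HTTP, check out over SSL.
VISIT = [
    "https://shop.example/catalog/login",
    "http://shop.example/catalog/index",
    "http://shop.example/catalog/product",
    "https://shop.example/catalog/checkout",
]
PLAIN = "osc_id=abc123; path=/"            # constructed session cookie
SECURE = "osc_id=abc123; path=/; Secure"   # same cookie with Secure set

if __name__ == "__main__":
    for label, header in (("no Secure flag", PLAIN), ("Secure flag", SECURE)):
        exposed = cleartext_exposures(header, VISIT)
        print(f"{label}: session id sent in cleartext on {len(exposed)} request(s)")
        for url in exposed:
            print("   ", url)
```

With the Secure attribute the session id never travels over HTTP, but the HTTP pages then no longer receive the session, so a logged-in session stays private only when those pages are served from the SSL host as well.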