Guest Posted December 23, 2003

I'm not sure where to put this. I searched on quite a few keywords and didn't find anything. And it may be no big deal.

I use MS2 and it works fine. Please note: I do get the lock during checkout. OSC is definitely using SSL. This is not a matter of not getting the browser to show a lock.

But, looking at the cookies, the browser tells me (I use Mozilla and Firebird for browsers so the tools are pretty good) that cookies are not from a secure server. The Mozilla documentation says this is because the cookie itself was not transmitted using SSL even though https is the protocol. My guess is Apache sent the cookie via http. I have no clear idea why this would be.

Now, is it a worry? I don't think so because a man-in-the-middle attack isn't likely. Sure, a man-in-the-middle could intercept the cookie, get the session ID, and use it to decrypt the traffic between customer's browser and the SSL server. Doing this in real time doesn't seem likely. It might be more useful for later on decrypting a recording of a session.

Still, I'd like to know what to do to force the cookie to be sent via https. Any ideas? I'm just starting to research this and I figured folks may know the answer.

Guest Posted December 24, 2003

This function all depends upon how you access your SSL certificate. If you access your certificate through another site other than your own, i.e. your normal http://www.yourdomain.com, and then you access SSL by https://sslserver.com/~yourdomain, then you will indeed need to take steps to secure your cookie data. If, on the other hand, when using SSL you access it via https://www.yourdomain.com, those steps are not necessary.

There are a number of tutorials out there on SSL and what you need to do.

jello1 Posted December 24, 2003

Also make sure in your config file that your https cookie domain points to the correct domain, i.e. https://sslserver.com/~yourdomain or https://www.yourdomain.com

If you can't fix it Perl it!!!...
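
Added example, not written by any poster in this thread: a small check over the Set-Cookie headers a shop returns on its https pages. It reports cookies that lack the Secure attribute (which is what tells a browser to send the cookie over encrypted connections only) and cookies whose Domain does not match the HTTPS host, as in the shared-SSL setup mentioned above. The cookie name `sid`, its value and the sample headers are constructed.

```python
# Added example: audit Set-Cookie headers received over HTTPS.
# Cookie name "sid", its value and all sample headers are constructed data.

def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, attributes dict)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: equal, or host is a subdomain of cookie_domain."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def audit(https_host, set_cookie_headers):
    """Return a list of (cookie name, finding) for cookies set by https_host."""
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if "secure" not in attrs:
            findings.append((name, "no Secure attribute: also sent over plain http"))
        domain = attrs.get("domain")
        if domain and not domain_matches(https_host, domain):
            findings.append((name, "Domain=%s does not match HTTPS host %s"
                             % (domain, https_host)))
    return findings

# Constructed responses: (HTTPS host, Set-Cookie header values).
SAMPLES = [
    ("www.yourdomain.com", ["sid=abc123; path=/; domain=www.yourdomain.com"]),
    ("sslserver.com", ["sid=abc123; path=/~yourdomain/; domain=www.yourdomain.com"]),
    ("www.yourdomain.com", ["sid=abc123; path=/; domain=www.yourdomain.com; secure"]),
]

if __name__ == "__main__":
    for host, headers in SAMPLES:
        for name, finding in audit(host, headers) or [("-", "ok")]:
            print(host, name, finding)
```
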
This topic is now archived and is closed to further replies.