Got The Lock, But Session Not Secure


Guest

I'm not sure where to put this. I searched on quite a few keywords and didn't find anything.

 

And it may be no big deal. I use MS2 and it works fine.

 

Please note: I do get the lock during checkout. OSC is definitely using SSL. This is not a matter of not getting the browser to show a lock.

 

But, looking at the cookies, the browser tells me (I use Mozilla and Firebird for browsers so the tools are pretty good) that cookies are not from a secure server. The Mozilla documentation says this is because the cookie itself was not transmitted using SSL even though https is the protocol. My guess is Apache sent the cookie via http. I have no clear idea why this would be.

 

Now, is it a worry? I don't think so because a man-in-the-middle attack isn't likely. Sure, a man-in-the-middle could intercept the cookie, get the session ID, and use it to decrypt the traffic between customer's browser and the SSL server. Doing this in real time doesn't seem likely. It might be more useful for later on decrypting a recording of a session.

 

Still, I'd like to know what to do to force the cookie to be sent via https.

 

Any ideas? I'm just starting to research this and I figured folks may know the answer.


This function all depends upon how you access your SSL certificate. If you access your certificate through another site other than your own, i.e. your normal http://www.yourdomain.com, and then you access SSL by https://sslserver.com/~yourdomain, then you will indeed need to take steps to secure your cookie data. If, on the other hand, when using an SSL you access it via https://www.yourdomain.com, those steps are not necessary. There are a number of tutorials out there on SSL and what you need to do.

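As an added example that is not part of the original thread: a small Python check that reads the Set-Cookie headers of an HTTPS response and reports cookies lacking the Secure attribute and, for the shared-SSL setup mentioned in the reply, cookies whose path is wider than the store's own path. The header values, the `osCsid` cookie name and the `store_path` parameter are assumptions constructed for illustration.

```python
# Added example (not from the thread): check Set-Cookie headers received
# over HTTPS. Header values and the osCsid cookie name are constructed.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs) with lowercased keys."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(scheme, store_path, header_lines):
    """Return sorted (cookie_name, finding) pairs.

    scheme      -- scheme of the response that carried the headers
    store_path  -- hypothetical parameter: path the shop lives under
                   ("/" on its own domain, "/~yourdomain/" on shared SSL)
    """
    findings = set()
    prefix = store_path.rstrip("/")
    for line in header_lines:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        # Without Secure the browser also attaches the cookie to http:// requests.
        if scheme == "https" and "secure" not in attrs:
            findings.add((name, "missing Secure attribute"))
        # On a shared host a broad Path sends the cookie to other sites' paths.
        path = attrs.get("path")
        if path is not None and not path.startswith(prefix):
            findings.add((name, "path wider than store path"))
    return sorted(findings)


# Constructed response headers for the two setups described in the reply.
OWN_DOMAIN = [
    "Content-Type: text/html",
    "Set-Cookie: osCsid=0123456789abcdef; path=/; domain=www.yourdomain.com",
]
SHARED_SSL = [
    "Set-Cookie: osCsid=0123456789abcdef; path=/",
    "Set-Cookie: osCsid=0123456789abcdef; path=/~yourdomain/; Secure",
]

if __name__ == "__main__":
    print(audit_cookies("https", "/", OWN_DOMAIN))
    print(audit_cookies("https", "/~yourdomain/", SHARED_SSL))
```

The header lines can be copied from the browser's cookie or page-info view, or from any tool that prints response headers, and pasted into the list.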
