
osCommerce


Cookies enabled on a shared SSL server


goring_gap


from http://wiki.oscommerce.com/proposalSecurityAndPrivacy

 

As the cookie is set on the top level domain of the web server, the secured https server must also exist on the same domain.

 

For example, the force cookie usage implementation will work for the following servers:

 

http://www.domain-one.com

https://www.domain-one.com, or https://ssl.domain-one.com

 

but not for the following servers:

 

http://www.domain-one.com

https://ssl.hosting_provider.com/domain-one/

 

The ssl.hosting_provider.com example is using a shared SSL certificate used for secure transactions. This can easily be fixed to work with the force cookie usage implementation by purchasing and installing a dedicated SSL certificate for the domain-one.com domain.

 

It is possible to bypass the cookie check by appending the session ID to the URL when the client moves from HTTP to HTTPS state, or from HTTPS to HTTP state; however, the main goal this implementation is trying to achieve is to not place the session ID on the URL at all, which would occur if the client's browser had cookies disabled.

 

A simple case of this implementation failing where different HTTP and HTTPS domains are used is when the client first visits the online store (cookie is set for HTTP domain) and clicks on the secure Login link (cookie is set for the HTTPS domain).

 

As cookies cannot be read on the same request made when they are set for the first time, the Login page cannot access the HTTPS domain cookie as it has just been set, and it can also not read the HTTP domain cookie as it is another domain.

 

Even if the client's browser has cookies enabled, the cookie cannot be read and the client will be directed to the friendly cookies-must-be-enabled page.

 

I am currently using a shared SSL server, hence my interest in this subject. In particular:

 

Would it be feasible to write two cookies at the same time (when one is updated, also do the other)? One for www.domain-one.com and one for ssl.hosting_provider.com/domain-one/. If so, where should I start?

 

cheers

Simon

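The cookie-scoping behaviour the wiki text and Simon's question turn on can be checked offline with Python's `http.cookiejar`, which applies the same host, domain, path and Secure rules a browser does. The block below is an added example, not code from the forum post, the osCommerce wiki or the osCommerce project. It uses the hostnames from the post, osCommerce's default session cookie name `osCsid`, and made-up session ID values; the `Domain=domain-one.com` attribute in the first scenario is an assumption about how the store's cookie is configured (it is what makes `ssl.domain-one.com` work while `ssl.hosting_provider.com` does not). The second scenario tests the "two cookies at once" idea directly: a response from `www.domain-one.com` cannot set a cookie for `ssl.hosting_provider.com`, because browsers reject a Domain attribute that does not cover the responding host.

```python
"""Simulate browser cookie scoping for the shared-SSL session problem.

Added example (not from the forum post or the osCommerce wiki). Hostnames come
from the post; cookie values are constructed for the demonstration.
"""
import io
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request
from urllib.response import addinfourl

# Hosts named in the post, plus a constructed second tenant on the shared host.
STORE_HTTP = "http://www.domain-one.com/"
OWN_SSL = "https://ssl.domain-one.com/"
SHARED_SSL = "https://ssl.hosting_provider.com/domain-one/"
OTHER_TENANT = "https://ssl.hosting_provider.com/other-shop/"  # constructed


def receive_set_cookie(jar, url, header_value):
    """Feed a constructed Set-Cookie response from `url` into the jar.

    The jar's DefaultCookiePolicy applies browser-style acceptance rules
    (Domain must cover the responding host, etc.). Returns True if stored.
    """
    req = Request(url)
    headers = Message()
    headers["Set-Cookie"] = header_value
    before = len(jar)
    jar.extract_cookies(addinfourl(io.BytesIO(b""), headers, url), req)
    return len(jar) > before


def cookies_sent_to(jar, url):
    """Return {name: value} the jar would attach to a request for `url`,
    i.e. exactly what a server at that URL could read."""
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return {}
    return dict(part.split("=", 1) for part in header.split("; "))


def shared_ssl_scenario():
    """Cookie set by the plain-HTTP store with Domain=domain-one.com
    (assumed configuration): readable on ssl.domain-one.com, never sent to
    the shared SSL host, which is a different domain."""
    jar = CookieJar()
    receive_set_cookie(jar, STORE_HTTP,
                       "osCsid=sess-http-1; Domain=domain-one.com; Path=/; HttpOnly")
    return {
        "store_http": cookies_sent_to(jar, STORE_HTTP),
        "own_ssl": cookies_sent_to(jar, OWN_SSL),
        "shared_ssl": cookies_sent_to(jar, SHARED_SSL),
    }


def cross_domain_set_scenario():
    """The 'write both cookies at once' idea: the HTTP store answers with a
    cookie scoped to the shared SSL host. A browser discards it, so the
    shared host still sees nothing."""
    jar = CookieJar()
    accepted = receive_set_cookie(
        jar, STORE_HTTP,
        "osCsid=sess-http-1; Domain=ssl.hosting_provider.com; Path=/domain-one/")
    return {"accepted": accepted,
            "sent_to_shared_ssl": cookies_sent_to(jar, SHARED_SSL)}


def shared_host_scoping_scenario():
    """A cookie the shared SSL host sets for itself: path-scoped to the
    store's directory and marked Secure so it is never sent over plain HTTP.
    It is also invisible to the HTTP store, hence two independent sessions."""
    jar = CookieJar()
    receive_set_cookie(jar, SHARED_SSL + "login.php",
                       "osCsid=sess-ssl-2; Path=/domain-one/; Secure; HttpOnly")
    return {
        "shared_ssl": cookies_sent_to(jar, SHARED_SSL + "checkout.php"),
        "other_tenant": cookies_sent_to(jar, OTHER_TENANT),
        "shared_host_plain_http": cookies_sent_to(
            jar, "http://ssl.hosting_provider.com/domain-one/"),
        "store_http": cookies_sent_to(jar, STORE_HTTP),
    }


if __name__ == "__main__":
    for fn in (shared_ssl_scenario, cross_domain_set_scenario,
               shared_host_scoping_scenario):
        print(fn.__name__, fn())
```

The third scenario shows what "two cookies" actually buys: each host keeps its own session cookie and neither can read the other's, so the two sessions stay unlinked unless the session ID is carried across the HTTP/HTTPS hop in the URL, which is the behaviour the wiki implementation exists to avoid. The `Path=/domain-one/` attribute keeps the cookie out of requests to other tenants' directories, but the browser's same-origin policy is per host, not per path, so the Secure flag and a dedicated certificate on the store's own domain remain the robust fix the wiki text recommends.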

Archived

This topic is now archived and is closed to further replies.
