On Sun, Apr 10, 2011 at 12:55 PM, Anthony <asale...@tpg.com.au> wrote:

> Thanks David... I have installed SSL cert etc.... most ecommerce systems only
> use SSL for login and checkout... so was looking for a technique to do this...
>
I don't understand the rationale for falling back to non-https mode.  IMO,
it's bad practice and increases risk to the user - see the OWASP Top Ten
2010 <https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project>
risks A3, A6 and A9.

Like David says, the session/basket can be hijacked if someone gets the
cookie - that's all they need after the authentication process has
completed.  If you don't understand how this can happen, you best do some
reading on the stateless nature of the HTTP protocol and how cookies work.

As previously mentioned, you can protect the session cookie by setting the
*secure* attribute; however, this also means they'll lose their basket upon
entering http mode.

Roll on HTTP Strict Transport Security so a site owner/developer can, in
theory and in a user-friendly way, turn on TLS at the server and ensure the
session remains secure (or fails altogether).


-- 
*Richard Carde*
E: rich...@carde.id.au
M: +44 7956 356 226
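The two server-side controls discussed in this reply, a session cookie carrying the *secure* (and HttpOnly) attribute and an HSTS header, as an added example that is not part of the thread or anyone's posted code. It builds both headers with the Python standard library, models the browser rule that makes a Secure cookie (and the basket) vanish on a plain http page, and runs a small audit over constructed sample responses; the cookie name `sid`, the session values and the sample header lists are all made up for the illustration.

```python
# Added example (not from the thread): a TLS-only session cookie plus HSTS,
# and a small audit that flags the weak variant. Sample data is constructed.
from http.cookies import SimpleCookie


def session_cookie_header(session_id, max_age=3600):
    """Build the Set-Cookie value for a session cookie that browsers only
    send over https (Secure) and that page scripts cannot read (HttpOnly)."""
    jar = SimpleCookie()
    jar["sid"] = session_id          # hypothetical cookie name
    morsel = jar["sid"]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"       # SameSite needs Python >= 3.8
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def hsts_header(max_age=31536000, include_subdomains=True):
    """Build the Strict-Transport-Security value: once a browser has seen it
    over https, it rewrites http:// links to https:// for max_age seconds."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    return value


def _split_directives(value):
    """'a=1; b; C=x' -> {'a': '1', 'b': '', 'c': 'x'} (names lower-cased)."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        out[name.strip().lower()] = val.strip()
    return out


def _cookie_attrs(set_cookie_value):
    """Attributes of a Set-Cookie value, ignoring the leading name=value pair."""
    if ";" not in set_cookie_value:
        return {}
    return _split_directives(set_cookie_value.split(";", 1)[1])


def browser_would_send(set_cookie_value, scheme):
    """Model the browser rule behind the 'lost basket': a Secure cookie is
    never attached to a request made over plain http."""
    return not ("secure" in _cookie_attrs(set_cookie_value) and scheme.lower() == "http")


def audit_response_headers(headers):
    """Flag cookies without Secure/HttpOnly and a missing or disabled HSTS
    policy. `headers` is a list of (name, value) tuples."""
    findings = []
    hsts_seen = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip()
            attrs = _cookie_attrs(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cookie_name!r} lacks Secure; it will be sent over plain http")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie_name!r} lacks HttpOnly; readable by page scripts")
        elif lname == "strict-transport-security":
            hsts_seen = True
            directives = _split_directives(value)
            age = directives.get("max-age", "")
            if not age.isdigit() or int(age) == 0:
                findings.append("HSTS max-age missing or zero; policy is not in force")
    if not hsts_seen:
        findings.append("no Strict-Transport-Security header; browsers may fall back to http")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", session_cookie_header("abc123")),
    ("Strict-Transport-Security", hsts_header()),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response_headers(resp) or ["no findings"])
    print("secure cookie sent on http page?", browser_would_send(session_cookie_header("x"), "http"))
```

Running it prints three findings for the weak response and none for the hardened one, and shows that the hardened cookie is not sent on an http request, which is exactly the basket-loss trade-off described above; the HSTS header is what removes that trade-off, since the browser then never makes the http request in the first place.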
