
Switch from SSL to non-SSL

 
Solomon Raz
Greenhorn
Posts: 19
I read the following from the blueprints website about not allowing the user to use non-SSL requests after an SSL request has been processed.

"If you are using sessions, once you switch to SSL you should never accept any further requests for that session that are non-SSL. For example, a shopping site might not use SSL until the checkout page, then it may switch to using SSL in order to accept your card number. After switching to SSL, you should stop listening to non-SSL requests for this session. The reason for this practice is that the session ID itself was non-encrypted on the earlier communications, which is not so bad when you're just doing your shopping, but once the credit card information is stored in the session, you don't want a bad guy trying to fake the purchase transaction against your credit card. This practice could be easily implemented using a filter."

I understand Sun's reasoning to not allow non-SSL after an SSL call is made.
But if I do what is recommended above, the Change Itinerary process, which requires the user to be logged in (using SSL), may not be able to call Prepare Itinerary (which is a non-SSL process until we get to payment).

How are situations like this handled in the real-world?

Solomon
 
Solomon Raz
Greenhorn
Posts: 19
Secondly the requirements state "All user interactions must be secured with SSL". Does it not make sense to make only all confidential transactions secure? I don't think searching for flights needs to be done via a secure channel. I see lots of unnecessary overhead with the encodings/decodings for the possibly huge list of data that may be returned from the server.

Please jive in with your thoughts.

Solomon
 
Colin Fletcher
Ranch Hand
Posts: 200
I do not have the requirements. I am basing my feedback on the above articles. If the requirement is to have all user interactions use SSL, that makes it pretty clear.

I think of my experience with a major airline in Canada. I have my credit card stored on my profile. When I login and establish my session, I believe the credit card information is accessible. I don't think anyone wants their sensitive information exposed.

I would hate to think I would be switched to an 'insecure' session to search for flights.

I view using SSL like an escalator. Once you get on, you are not getting off until the end.
 
Solomon Raz
Greenhorn
Posts: 19
Originally posted by Colin Fletcher:
I do not have the requirements. I am basing my feedback on the above articles. If the requirement is to have all user interactions use SSL, that makes it pretty clear.

I think of my experience with a major airline in Canada. I have my credit card stored on my profile. When I login and establish my session, I believe the credit card information is accessible. I don't think anyone wants their sensitive information exposed.

I would hate to think I would be switched to an 'insecure' session to search for flights.

I view using SSL like an escalator. Once you get on, you are not getting off until the end.


Colin, Thanks for your feedback!
This would mean the main web page would also only be accessible via SSL. As we know, users rarely enter the protocol name in the URL address...which means if they did not enter "https" the browser is gonna assume it's an http which in our case is not allowed. So, in your real-world app how did you route the http requests to https or did the user see an error from the web server stating "This page must be viewed over a secure channel" or something. I'm not sure if the web servers have capabilities to auto route http to https.

Solomon
 
Colin Fletcher
Ranch Hand
Posts: 200
When you deploy a web application (according to the servlet spec) you can force the application to use SSL only. So if you type in the http address, it will forward to the https.

I believe it is user-data-constraint.
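The filter the blueprint text in the first post alludes to, written out as an added example (it is not code from the forum, from Sun's blueprints, or from any container): a javax.servlet filter, with a hypothetical class name and session-attribute name, that marks a session the first time it is used over SSL and afterwards refuses any plain-HTTP request carrying that session, invalidating it and redirecting to the https: equivalent of the requested URL. It assumes the Servlet 2.x javax.servlet API and HTTPS on the default port 443.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (not from the blueprints or this thread): once a session
// has been used over SSL, any later plain-HTTP request carrying that session id
// is refused, the session is invalidated and the client is sent back to https:.
public class SslEscalatorFilter implements Filter {
    // Session attribute recording "this session has already been on SSL" (assumed name).
    static final String SSL_MARKER = "example.sslEscalator.secure";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Look the session up WITHOUT creating one: an anonymous non-SSL
        // request (a flight search, say) must pass through untouched.
        HttpSession session = request.getSession(false);

        if (request.isSecure()) {
            // SSL request: mark the session (if there is one) as escalated.
            if (session != null) session.setAttribute(SSL_MARKER, Boolean.TRUE);
            chain.doFilter(req, res);
            return;
        }
        // Non-SSL request presenting a session that has been on SSL: its id
        // just travelled in the clear, so make that id worthless and send the
        // client back to https instead of serving the page over http.
        if (session != null && session.getAttribute(SSL_MARKER) != null) {
            session.invalidate();
            response.sendRedirect(httpsUrlFor(request));
            return;
        }
        chain.doFilter(req, res);
    }

    // https: equivalent of the requested URL; assumes HTTPS on the default port 443.
    static String httpsUrlFor(HttpServletRequest request) {
        StringBuffer url = new StringBuffer("https://").append(request.getServerName());
        url.append(request.getRequestURI());
        if (request.getQueryString() != null) {
            url.append('?').append(request.getQueryString());
        }
        return url.toString();
    }

    public void destroy() { }
}
```

Mapped to /*, this turns Solomon's worry about a logged-in user reaching a non-SSL page into an https redirect rather than an error page, at the price of a fresh login because the exposed session is dropped. For the blanket "all user interactions over SSL" requirement Colin describes, the declarative <user-data-constraint> with <transport-guarantee>CONFIDENTIAL</transport-guarantee> in web.xml makes the container (Tomcat, for instance) issue that http-to-https redirect itself, with no filter needed.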
 
Solomon Raz
Greenhorn
Posts: 19
Thanks Colin!

Solomon
 