forcing https on some pages only

 
Ranch Hand
Posts: 328
Hi all,

I want to be sure that certain pages are launched using https.
A view cart page for example.
On that page I want to maintain the menu to jump to other pages on the site.
The menu is an include and uses relative URLs.

I tried placing code at the top of those non-secure pages to check the scheme (http OR https) and use a sendRedirect to the http absolute URL, but I get an error that says

"redirect limit exceeded for this page"..

Any ideas??

Ideally I'd like 2 small include JSPs that could ensure either https or http. That way when I write a page I can define its security level.


Note: This is for an image gallery so https is not really suitable for the "normal" pages as it slows down the image loading.
Check out the site to see what I mean:
PrintFlash International Digital Photo Gallery

Thanks in advance for your help.
 
Sheriff
Posts: 13411
Two Things:

1.)
"redirect limit exceeded for this page"..
Usually means you have a recursive redirect going on.
Either page 'A' is redirecting to page 'B' and 'B' back to 'A'
Or
Page 'A' is redirecting to itself.


2.)
If you are relying on the JSPSessionId to manage your cart (or whatever it is you're doing), you probably want to avoid bouncing between secure and insecure modes as you can't carry the session from one to another.
Also, a lot of browsers are set to generate popups letting the user know that they are moving from a secure to an insecure site, and vice versa. This can annoy your end users.
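
An added example, not part of the thread and not written by either poster: the "Page 'A' is redirecting to itself" case from the reply above, next to a guarded check that redirects only when the request's scheme differs from the one the page requires. The class name, host and page paths are constructed; in a JSP the same inputs come from request.getScheme(), request.getServerName(), request.getRequestURI() and request.getQueryString().

```java
import java.net.URI;
import java.util.Set;
import java.util.function.Function;

// Added illustration: class name, paths and host are constructed, not from the thread.
public class SchemeRedirectDemo {
    // Pages that must be served over https (hypothetical names).
    static final Set<String> SECURE_PATHS = Set.of("/viewcart.jsp", "/checkout.jsp");

    // Same host, path and query string, with the scheme swapped.
    static String rebuild(String scheme, URI u) {
        String q = u.getRawQuery();
        return scheme + "://" + u.getAuthority() + u.getRawPath() + (q == null ? "" : "?" + q);
    }

    // Page 'A' redirecting to itself: the redirect is sent even when the
    // request already arrived on the wanted scheme.
    static String unconditional(URI u) {
        return rebuild("http", u);
    }

    // Guarded version: null means "serve the page", which ends the chain.
    static String guarded(URI u) {
        String required = SECURE_PATHS.contains(u.getPath()) ? "https" : "http";
        return required.equals(u.getScheme()) ? null : rebuild(required, u);
    }

    // Follows redirects like a browser; returns hops taken, or -1 at the limit.
    static int follow(String start, Function<URI, String> rule, int limit) {
        String url = start;
        for (int hops = 0; hops <= limit; hops++) {
            String next = rule.apply(URI.create(url));
            if (next == null) return hops;
            url = next;
        }
        return -1;
    }

    public static void main(String[] args) {
        String cart = "http://shop.example/viewcart.jsp?item=7";
        System.out.println(follow(cart, SchemeRedirectDemo::unconditional, 20));
        System.out.println(follow(cart, SchemeRedirectDemo::guarded, 20));
        System.out.println(follow("https://shop.example/gallery.jsp", SchemeRedirectDemo::guarded, 20));
    }
}
```

The unconditional rule never returns null, so the browser gives up at its redirect limit; the guarded rule settles after at most one hop in either direction.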
 
Terence Doyle
Ranch Hand
Posts: 328

Originally posted by Ben Souther:

If you are relying on the JSPSessionId to manage your cart (or whatever it is you're doing), you probably want to avoid bouncing between secure and insecure modes as you can't carry the session from one to another.
Also, a lot of browsers are set to generate popups letting the user know that they are moving from a secure to an insecure site, and vice versa. This can annoy your end users.



Absolutely. I agree. But I can't ask them to input sensitive data on an insecure page, right?

Any suggestions would be welcome.

Thanks,
 
Ben Souther
Sheriff
Posts: 13411

Originally posted by Terence Doyle:


Absolutely. I agree. But I can't ask them to input sensitive data on an insecure page, right?



No, you don't want to do that.
How you handle this depends on what your site is doing.

In my case, almost all the pages in the app have sensitive data, so the only pages that aren't under SSL are the ones that get you to the login. From then on, they are under SSL.

For an ecommerce site, you may want to write the cart to the database when they click on the "Checkout" button and THEN redirect them to the secure checkout section with a querystring variable to identify the cart in the database. Or something like that.

I suppose you could come up with a solution that involves your own cookies.

Again, it depends on the flow of your site.

-Ben
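
An added example, not part of the thread and not Ben's code: one way to build the querystring variable suggested above so that it identifies the saved cart without being guessable, works only once, and expires. The class and method names, the host and the cart contents are constructed, and the in-memory map is an assumption standing in for the database.

```java
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Added illustration: class and method names are hypothetical; the in-memory
// map stands in for the database table mentioned in the post.
public class CartHandoff {
    private record Entry(String cartJson, Instant expires) {}

    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Entry> store = new ConcurrentHashMap<>();

    // Called on the http side when "Checkout" is clicked: save the cart and
    // return a random 128-bit token to place in the redirect URL.
    public String save(String cartJson, long ttlSeconds) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        store.put(token, new Entry(cartJson, Instant.now().plusSeconds(ttlSeconds)));
        return token;
    }

    // Called on the https side: the token is removed on first use and rejected
    // after expiry, which limits reuse of a value copied from a log or history.
    public String redeem(String token) {
        Entry e = (token == null) ? null : store.remove(token);
        return (e == null || Instant.now().isAfter(e.expires())) ? null : e.cartJson();
    }

    public static void main(String[] args) {
        CartHandoff handoff = new CartHandoff();
        // Constructed sample cart.
        String token = handoff.save("{\"items\":[{\"sku\":\"print-10x15\",\"qty\":2}]}", 300);
        System.out.println("https://shop.example/checkout.jsp?cart=" + token);
        System.out.println(handoff.redeem(token)); // first use returns the cart
        System.out.println(handoff.redeem(token)); // second use is rejected
    }
}
```

A sequential database id in the same position would let anyone load another visitor's cart by changing the number, which is why the token is drawn from SecureRandom instead.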
 
Terence Doyle
Ranch Hand
Posts: 328

Originally posted by Ben Souther:

For an ecommerce site, you may want to write the cart to the database when they click on the "Checkout" button and THEN redirect them to the secure checkout section with a querystring variable to identify the cart in the database. Or something like that.



Yes. It's an e-commerce site. I'm not actually writing the cart to DB until they fill in all the data. This then "creates" an order in the DB. As I know cart abandonment is all too frequent, I didn't want to be inserting orders unless I had it confirmed... I'll have to think about that one.

Thanks for the suggestions and the prompt response

Bye
 