
forcing https on some pages only

 
Terence Doyle
Ranch Hand
Posts: 328
Hi all,

I want to be sure that certain pages are launched using https.
A view cart page for example.
On that page I want to maintain the menu to jump to other pages on the site.
The menu is an include and uses relative URLs.

I tried placing code at the top of those non-secure pages to check the scheme (http OR https) and use a sendRedirect to the http absolute URL but I get an error that says

"redirect limit exceeded for this page"..

Any ideas??

Ideally I'd like 2 small include JSPs that could ensure either https or http. That way when I write a page I can define its security level.


Note: This is for an image gallery so https is not really suitable for the "normal" pages as it slows down the image loading.
Check out the site to see what I mean:
PrintFlash International Digital Photo Gallery

Thanks in advance for your help.
 
Ben Souther
Sheriff
Posts: 13411
Two Things:

1.)
"redirect limit exceeded for this page"..
Usually means you have a recursive redirect going on.
Either page 'A' is redirecting to page 'B' and 'B' back to 'A'
Or
Page 'A' is redirecting to itself.


2.)
If you are relying on the JSPSessionId to manage your cart (or whatever it is you're doing), you probably want to avoid bouncing between secure and insecure modes as you can't carry the session from one to another.
Also, a lot of browsers are set to generate popups letting the user know that they are moving from a secure to an insecure site, and vice versa. This can annoy your end users.
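
An added example, not part of the original thread or written by either poster: the scheme check as plain Java, showing the "page redirects to itself" case next to a guarded version that only redirects when the current scheme differs from the required one. The class name, the prefix list and the host `shop.example` are constructed for illustration; in a JSP or filter the scheme would come from `request.getScheme()` and the redirect would go through `response.sendRedirect()`.

```java
import java.net.URI;
import java.util.List;

public class SchemeGuard {
    // Constructed for this example: path prefixes that must be served over https.
    static final List<String> SECURE_PREFIXES = List.of("/cart", "/checkout");

    static String requiredScheme(String path) {
        return SECURE_PREFIXES.stream().anyMatch(path::startsWith) ? "https" : "http";
    }

    // Loop-prone: never looks at the current scheme, so a request that is
    // already correct is redirected to its own URL again and again.
    static String naiveRedirect(String scheme, String host, String path) {
        return requiredScheme(path) + "://" + host + path;
    }

    // Guarded: returns null (serve the page) when the scheme already matches.
    // Ports and query strings are left out to keep the example short.
    static String guardedRedirect(String scheme, String host, String path) {
        String required = requiredScheme(path);
        if (required.equalsIgnoreCase(scheme)) {
            return null;
        }
        return required + "://" + host + path;
    }

    // Follows redirects the way a browser would; -1 means the limit was hit.
    static int hops(boolean guarded, String url) {
        for (int n = 0; n < 20; n++) {
            URI u = URI.create(url);
            String next = guarded
                ? guardedRedirect(u.getScheme(), u.getHost(), u.getPath())
                : naiveRedirect(u.getScheme(), u.getHost(), u.getPath());
            if (next == null) {
                return n;
            }
            url = next;
        }
        return -1;
    }

    public static void main(String[] args) {
        String[] urls = {"http://shop.example/cart/view.jsp",
                         "https://shop.example/gallery/index.jsp"};
        for (String url : urls) {
            System.out.println(url + "  naive hops=" + hops(false, url)
                + "  guarded hops=" + hops(true, url));
        }
    }
}
```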
 
Terence Doyle
Ranch Hand
Posts: 328
If you are relying on the JSPSessionId to manage your cart (or whatever it is you're doing), you probably want to avoid bouncing between secure and insecure modes as you can't carry the session from one to another.
Also, a lot of browsers are set to generate popups letting the user know that they are moving from a secure to an insecure site, and vice versa. This can annoy your end users.


Absolutely. I agree. But I can't ask them to input sensitive data on an insecure page, right?

Any suggestions would be welcome.

Thanks,
 
Ben Souther
Sheriff
Posts: 13411
Originally posted by Terence Doyle:


Absolutely. I agree. But I can't ask them to input sensitive data on an insecure page, right?


No, you don't want to do that.
How you handle this depends on what your site is doing.

In my case, almost all the pages in the app have sensitive data so the only pages that aren't under SSL are the ones that get you to the login. From then on, they are under SSL.

For an ecommerce site, you may want to write the cart to the database when they click on the "Checkout" button and THEN redirect them to the secure checkout section with a querystring variable to identify the cart in the database. Or something like that.

I suppose you could come up with a solution that involves your own cookies.

Again, it depends on the flow of your site.

-Ben
 
Terence Doyle
Ranch Hand
Posts: 328
For an ecommerce site, you may want to write the cart to the database when they click on the "Checkout" button and THEN redirect them to the secure checkout section with a querystring variable to identify the cart in the database. Or something like that.


Yes. It's an e-commerce site. I'm not actually writing the cart to DB until they fill in all the data. This then "creates" an order in the DB. As I know cart abandonment is all too frequent I didn't want to be inserting orders unless I had it confirmed... I'll have to think about that one.

Thanks for the suggestions and the prompt response

Bye