
HTTPS to HTTP - How secure?

Brian Ata
Greenhorn
Posts: 27
Hi Guys,

In my web application, during user login, account pages and checkout pages, I switch to https, but while user
is navigating the online store, catalogs and everything, I again switch back to http to preserve resources.

So far so good, but while switching back to http, naturally my session id becomes visible to maintain the session,
so the application becomes vulnerable to session id hijacking.

When I think about it, my heart tells me that after switching to the https, never switch back to http again. But
as I am checking commercial applications available such as amazon.com , they switch back and forth between
http and https.

So my question is, what is the correct way of doing this?
Should I stay in https or switch back to http when the user is not viewing secure content?

Thank you all for your pointers.
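What the post above describes, the session id travelling in clear text once the site drops back to http, can be reproduced locally. The Go program below is an added example, not code from the poster or from the forum: it runs two httptest servers (a TLS one standing in for login, a plain-http one standing in for the catalog) and a browser-like cookie jar, and the cookie name and value are constructed. It shows that a session cookie issued without the Secure attribute is attached to the plain-http request, while one marked Secure stays on the https side, so the http pages never see the session at all.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
)

// Cookie name is constructed for this example; it mirrors the servlet
// container default but nothing here depends on a real container.
const sessionCookieName = "JSESSIONID"

// newLoginServer returns a TLS test server whose every response issues the
// session cookie. withSecure controls whether the cookie carries the Secure
// attribute, which tells the browser to send it over https only.
func newLoginServer(withSecure bool) *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, &http.Cookie{
			Name:     sessionCookieName,
			Value:    "constructed-session-id-0001", // constructed sample value
			Path:     "/",
			HttpOnly: true,
			Secure:   withSecure,
		})
		fmt.Fprintln(w, "logged in over https")
	}))
}

// newCatalogServer returns a plain-http test server standing in for the
// store pages. It reports in a response header whether the request carried
// the session cookie; a passive observer of the plain-http traffic would
// see exactly the same thing.
func newCatalogServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := r.Cookie(sessionCookieName); err == nil {
			w.Header().Set("X-Session-Cookie-Seen", "yes")
		} else {
			w.Header().Set("X-Session-Cookie-Seen", "no")
		}
		fmt.Fprintln(w, "catalog page over http")
	}))
}

// SessionLeaksOverHTTP logs in over https, then fetches a plain-http catalog
// page with the same cookie jar, the way a browser would when the site
// switches schemes. It returns true if the session id travelled in clear text.
func SessionLeaksOverHTTP(withSecure bool) (bool, error) {
	loginSrv := newLoginServer(withSecure)
	defer loginSrv.Close()
	catalogSrv := newCatalogServer()
	defer catalogSrv.Close()

	jar, err := cookiejar.New(nil)
	if err != nil {
		return false, err
	}
	// loginSrv.Client() trusts the test server's self-signed certificate;
	// giving it a jar makes it behave like a browser that keeps cookies.
	client := loginSrv.Client()
	client.Jar = jar

	resp, err := client.Get(loginSrv.URL + "/login")
	if err != nil {
		return false, err
	}
	resp.Body.Close()

	// Both test servers listen on 127.0.0.1 and cookies ignore the port, so
	// the only thing deciding whether the cookie is attached to the second
	// request is the scheme check that the Secure attribute triggers.
	resp, err = client.Get(catalogSrv.URL + "/catalog")
	if err != nil {
		return false, err
	}
	resp.Body.Close()

	return resp.Header.Get("X-Session-Cookie-Seen") == "yes", nil
}

func main() {
	for _, withSecure := range []bool{false, true} {
		leaked, err := SessionLeaksOverHTTP(withSecure)
		if err != nil {
			panic(err)
		}
		fmt.Printf("Secure attribute set: %-5v  session id sent over http: %v\n", withSecure, leaked)
	}
}
```

Marking the cookie Secure closes the clear-text exposure, but it does not by itself answer the design question: once the cookie is Secure, the http catalog pages cannot carry the logged-in session at all, so the choice is between serving the whole logged-in experience over https or giving the http part its own, non-privileged identifier. Serving everything over https also lets the server send a Strict-Transport-Security header so browsers stop making plain-http requests to the site in the first place.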
Lester Burnham
Rancher
Posts: 1337
You mention that you're switching back to HTTP "to preserve resources" - have you taken measurements to make sure you actually need to do that? Having been in the same situation with a particular web site some time ago, we found that we could switch to all HTTPS, all the time without causing undue strain on the servers. (Granted, it wasn't Amazon :-)

If the site password is protection-worthy, then so is probably all the data that is sent back and forth.
Brian Ata
Greenhorn
Posts: 27
Lester Burnham wrote: You mention that you're switching back to HTTP "to preserve resources" - have you taken measurements to make sure you actually need to do that?


That is a very good point. Actually we did no measurements at all; we are just trying to be as aware as possible of future problems so
we can address them early in this stage of development.

But you are absolutely right, I guess we need to run some stress tests to see what is really happening, but before doing that, I guess we should
consider my question as a design principle question, such as: once one switches to https, should he/she stay on https : - )

Lester Burnham wrote: If the site password is protection-worthy, then so is probably all the data that is sent back and forth.


The site is definitely password-protection worthy, since there exists a user account section of the application where the user stores their
contact information (address, phone) in addition to their preferred payment methods such as Credit Cards, Store Credit Accounts,
and Gift Cards.

Storing Credit Cards alone already forces us to take a PCI-DSS Audit, so the data is worth protecting by law.
But even without the credit card data, as I mentioned we also store users' personal information, and that alone is worth protecting,
I guess.

Thank you for your time and for pointing out that we need to do some stress tests before really answering whether we can preserve a significant amount
of resources when we switch back to http.
