In my web application, during user login, account pages and checkout pages, I switch to https, but while the user
is navigating the online store, catalogs and everything, I again switch back to http to preserve resources.
So far so good, but while switching back to http, naturally my session id becomes visible to maintain the session,
so the application becomes vulnerable to session id hijacking.
When I think about it, my heart tells me that after switching to https, never switch back to http again. But
as I am checking commercial applications available such as amazon.com, they switch back and forth between
http and https.
So my question is, what is the correct way of doing this?
Should I stay in https or switch back to http when the user is not viewing secure content?
Thank you all for your pointers.
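The leak described in this post comes down to which cookies a browser attaches to a plain http request. The following added example (not the poster's code) simulates that with Python's standard cookie jar, using a hypothetical host shop.example and constructed cookie names: an authenticated session cookie marked Secure stays off the http catalog pages, while the same cookie without the flag is sent in the clear.

```python
from http.cookiejar import Cookie, CookieJar
from urllib.request import Request


def make_cookie(name, value, secure):
    # Build a cookie as a browser would store it after a Set-Cookie header
    # from shop.example (hypothetical host); only the Secure flag varies.
    return Cookie(version=0, name=name, value=value, port=None, port_specified=False,
                  domain="shop.example", domain_specified=True, domain_initial_dot=False,
                  path="/", path_specified=True, secure=secure, expires=None, discard=True,
                  comment=None, comment_url=None, rest={})


def build_jar(auth_cookie_secure):
    # Two constructed session cookies: one holds the logged-in state, the other
    # only tracks anonymous browsing (cart, catalog preferences).
    jar = CookieJar()
    jar.set_cookie(make_cookie("AUTHSESSION", "constructed-secret-1", secure=auth_cookie_secure))
    jar.set_cookie(make_cookie("BROWSESESSION", "constructed-public-2", secure=False))
    return jar


def cookies_sent(jar, url):
    # Ask the jar which cookies it would put on a request to this URL and
    # return their names. The default policy only releases Secure cookies
    # when the scheme is https, exactly like a browser.
    req = Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return set()
    return {part.split("=", 1)[0].strip() for part in header.split(";")}


def leaked_over_http(auth_cookie_secure):
    # Names of cookies that travel in clear text on an http catalog page.
    return cookies_sent(build_jar(auth_cookie_secure), "http://shop.example/catalog")


if __name__ == "__main__":
    print("Secure flag set:    ", leaked_over_http(True))   # only BROWSESESSION
    print("Secure flag missing:", leaked_over_http(False))  # AUTHSESSION exposed too
```

With the Secure flag, the http pages still get a working anonymous session while the authenticated session id is never transmitted unencrypted.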
If the site password is protection-worthy, then so is probably all the data that is sent back and forth.
Lester Burnham wrote:You mention that you're switching back to HTTP "to preserve resources" - have you taken measurements to make sure you actually need to do that?
That is a very good point, actually we did no measurements at all, we are just trying to be as aware as possible of future problems so
we can address them early in this stage of development.
But you are absolutely right, I guess we need to run some stress tests to see what is really happening, but before doing that, I guess we should
consider my question as a design principle question such as, once one switches to https, should he/she stay on https :-)
Lester Burnham wrote:if the site password is protection-worthy, then so is probably all the data that is sent back and forth.
The site is definitely password protection worthy since there exists a user account section of the application where the user stores their
contact information (address, phone) in addition to their preferred payment methods such as Credit Cards, Store Credit Accounts,
and Gift Cards.
Storing Credit Cards alone already forces us to take a PCI-DSS Audit, so the data is worth protecting by law.
But even without the credit card data, as I mentioned we also store the user's personal information, and that alone is worth protecting.
Thank you for your time and for pointing out that we need to do some stress tests before really answering whether we can preserve a significant amount
of resources when we switch back to http.