In order that you don't give the user mixed messages, I'd say:
- Logon form should be on HTTPS
- Anything that they enter private data in should be on HTTP before and after entering it
If you have other, public areas, you might want them customised per user, in which case maybe you'll want those served as HTTPS too.
Technically, if you allow them to maintain their session with a non-secure cookie, then their account could be compromised. If you're worried about that, have any authenticated user go through any page which cares via HTTPS.
What we do is insist that all admins' cookies are secure, but not for normal users, on the grounds that if their accounts are compromised, no really private data can be obtained (only history of purchases and their address, NOT cc details etc, which we don't store).
The admins' cookies are secure; therefore they have to be on HTTPS to be authenticated. Our logon pages are secure for all users.
Mark
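
The cookie policy described in this post, sketched as an added example that is not part of the original post or the poster's own code: the logon page sets the `Secure` attribute only on admin session cookies, and a simplified browser model shows which requests then arrive authenticated. The cookie name `session`, the function names and the session ids are assumptions made for illustration.

```python
from http.cookies import SimpleCookie


def session_cookie(session_id, is_admin):
    """Set-Cookie value issued by the HTTPS logon page (cookie name is assumed)."""
    jar = SimpleCookie()
    jar["session"] = session_id
    morsel = jar["session"]
    morsel["path"] = "/"
    morsel["httponly"] = True
    if is_admin:
        # Admin sessions only: the browser must never send this over plain HTTP.
        morsel["secure"] = True
    return morsel.OutputString()


def cookies_sent(set_cookie_values, scheme):
    """Simplified browser model: Secure cookies are withheld unless scheme is https."""
    sent = {}
    for value in set_cookie_values:
        parsed = SimpleCookie()
        parsed.load(value)
        for name, morsel in parsed.items():
            if morsel["secure"] and scheme != "https":
                continue
            sent[name] = morsel.value
    return sent


def is_authenticated(set_cookie_values, scheme, live_sessions):
    """Server-side view: authenticated only if a known session id arrives."""
    return cookies_sent(set_cookie_values, scheme).get("session") in live_sessions


if __name__ == "__main__":
    # Constructed sample session ids, not real values.
    live = {"sid-admin-0001", "sid-user-0001"}
    admin = session_cookie("sid-admin-0001", is_admin=True)
    user = session_cookie("sid-user-0001", is_admin=False)
    for label, cookie in (("admin", admin), ("user", user)):
        for scheme in ("http", "https"):
            print(label, scheme, cookie, is_authenticated([cookie], scheme, live))
```

The admin row comes out unauthenticated on `http`, so an admin page reached over plain HTTP has to redirect to HTTPS before it can recognise the session, while the normal user's cookie is sent on both schemes.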