Handling mixed SSL sites
Posted: Sat Sep 03, 2005 12:09 am
Does anyone have any experience/advice about organizing a mixed-SSL site?
I.e. you have both SSL and "regular" HTTP traffic and want to lessen the percentage of pages that hit SSL. A good portion of the visitors are not "users" and will not be logging in. Everything they view should be fine to keep in the non-SSL section.
Obviously login and account creation need to be handled under the SSL protocol pages. Some of the edit profile page would also need to be protected from line-snooping. However most of the content wouldn't require SSL protection. At the same time it would be nice to be able to configure sessions to use_cookies_only and use_secure_cookies -- however at present some pages use sessions that wouldn't otherwise require SSL.
In the past I've had three SSL options: NEVER, LOGIN, ALWAYS and set up two "baseURLs" to append paths to: $baseURL and $secureURL. Under "NEVER" both are http:// (used in testing environments without SSL). Under "ALWAYS" both are https://. Under "LOGIN" base is http:// and secure is https://
Then I simply build links using the appropriate base and one of the initial includes will redirect if required to change protocols.
It's worked for a few years, but I'd be interested in hearing what other people have done.
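The three-mode scheme described in the post, written out as an added example (this is not the poster's own code). The mode names, the host, and the helper names ($SSL_MODE, $baseURL, $secureURL, url(), secure_url(), require_protocol()) are assumptions chosen for illustration; the redirect and cookie logic use only standard PHP functions.

```php
<?php
// Added example, not the original poster's code. Illustrates the
// NEVER / LOGIN / ALWAYS scheme with two base URLs and a protocol check
// that the first include of every page runs. Host and names are assumed.

define('SSL_NEVER',  'NEVER');   // test boxes without a certificate
define('SSL_LOGIN',  'LOGIN');   // http for public pages, https for login/account
define('SSL_ALWAYS', 'ALWAYS');  // everything over https

$SSL_MODE = getenv('SSL_MODE') ?: SSL_LOGIN;   // assumed: mode comes from the environment
$host     = 'www.example.com';                  // assumed host; normally from site config

// Build the two bases that links are appended to.
switch ($SSL_MODE) {
    case SSL_NEVER:
        $baseURL   = "http://$host";
        $secureURL = "http://$host";
        break;
    case SSL_ALWAYS:
        $baseURL   = "https://$host";
        $secureURL = "https://$host";
        break;
    default: // SSL_LOGIN
        $baseURL   = "http://$host";
        $secureURL = "https://$host";
}

// Link helpers: templates call url() for public pages and secure_url()
// for login, account creation and the sensitive parts of the profile editor.
function url($path)        { global $baseURL;   return $baseURL . '/' . ltrim($path, '/'); }
function secure_url($path) { global $secureURL; return $secureURL . '/' . ltrim($path, '/'); }

function request_is_https() {
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Called from the first include of every page with $needs_ssl = true for the
// pages that must run under SSL. Compares the scheme in use with the scheme
// the configured base implies and redirects when they differ, then starts the
// session with the cookie flags appropriate for that scheme.
function require_protocol($needs_ssl) {
    global $baseURL, $secureURL;
    $want       = $needs_ssl ? $secureURL : $baseURL;
    $want_https = (strpos($want, 'https://') === 0);

    if ($want_https !== request_is_https()) {
        // Only ever redirect to a path on our own host: REQUEST_URI must start
        // with "/", otherwise fall back to the site root.
        $uri = $_SERVER['REQUEST_URI'];
        if ($uri === '' || $uri[0] !== '/') {
            $uri = '/';
        }
        header('Location: ' . $want . $uri, true, 302);
        exit;
    }

    // Cookies only (no session id in the URL), and mark the session cookie
    // "secure" only when it is being issued over SSL.
    ini_set('session.use_only_cookies', '1');
    $p = session_get_cookie_params();
    session_set_cookie_params($p['lifetime'], $p['path'], $p['domain'],
                              request_is_https(), true);
    session_start();
}

// Example page under the LOGIN mode: a public page and the login page.
// require_protocol(false);  // public page: redirects https -> http if needed
// require_protocol(true);   // login page:  redirects http -> https if needed
// echo url('index.php'), "\n", secure_url('login.php'), "\n";
```

One caveat that follows directly from the flags above: a session cookie issued with the secure flag is never sent back over plain http, so a session started on an https page is invisible to the http pages, and a session started on an http page was exposed on the wire before the user reached the https login. If the same session is to carry the logged-in state, regenerate the session id (session_regenerate_id(true)) at login so that a value observed on the unencrypted pages cannot be replayed against the authenticated ones.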