
.NET HTTP / HTTPS and session availability

question regarding .NET capabilities for switching in and out of HTTPS


Signum

4:15 pm on Aug 17, 2002 (gmt 0)

10+ Year Member



I am currently developing an application in .NET and am trying to create the best security schema possible for the purchase part of the ecommerce site in development.

I will be allowing access to the shopping cart area in a normal HTTP area of the site, however when wishing to purchase moving the user to a secure HTTPS address.

The question is what is the best way to switch in and out of the secure area. The cart will be stored in SQL with access rights given by the user id stored in a session variable.

Due to using the session variable when it times out the cart is cleaned in the HTTP site. Therefore the way I was going to attempt the move from HTTP to HTTPS could possibly allow the session to time out on the HTTP side, this would then cause major problems.

I am aware of the StateServer state control system but am not completely aware of how this works and if I can use it in this scenario.

Help would be greatly appreciated as I am nearing deadlines and am stuck.

Thanks in advance

J

Xoc

5:16 pm on Aug 17, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Couldn't you keep both the HTTP and HTTPS parts within the same web site? Enable both ports 80 and 443 for the entire site, but on the HTTPS pages, check to make sure they are coming in on port 443 and using SSL, and redirect if they aren't. That way you'd only have one set of session info.

Signum

7:59 am on Aug 19, 2002 (gmt 0)

10+ Year Member



Thanks for the reply XOC. My problem is at the moment I am used to developing small scale web apps or standard windows vb apps. Therefore the advice given sounds very useful but I am not sure how to even start with what you suggested.

The use of SSL has never really been part of the sites that I have attempted, just haven't had the need to use it. If you have time a more in-depth explanation on how this would work would be excellent.

Xoc

8:34 am on Aug 19, 2002 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Let me start with a tutorial on SSL (Secure Socket Layers):

SSL requires getting a certificate. There really are two certificates necessary to make it work, one on the client's browser and one on the server. All the major browsers come with client certificates from the major certificate authorities, which you can see by going into IE's Tools Internet Options dialog. Click on the Content tab. Then click Certificates. Then click on the Immediate Certificate Authorities.

So if you obtain a certificate issued by one of those certificate authorities on your server, then one can talk to the other using SSL. A typical server certificate issued by one of these authorities costs $400 per year.

On the other hand, if you have only a few known people who will be hitting your web site, such as in a Business to Business (B2B) web site, then you can establish your own certificate authority. After you have your own certificate authority, you can issue your own browser and server certificates. Windows NT/2000/XP Server comes with certificate authority software as a checkbox in the setup. (One warning--sessions must be turned on for the certificate authority web site for this software to work--I spent a long time tracking this down when I had it turned off.)

Anyway, once you have certificates on both the browser and server, then they can talk using SSL. Normal web traffic (http) uses port 80 by default. Normal SSL traffic (https) uses port 443 by default. A web site can be configured to issue pages using both protocols (http and https). If it uses https, then the traffic is encrypted, sent over the wire, then decrypted on the other side. Whereas http traffic is not encrypted.

To summarize, if a page is requested with the url [domain.com...] then the traffic is sent to port 80 unencrypted. On the other hand, if a page is requested with the url [domain.com...] then the traffic is sent to port 443 encrypted.

A single web site can spit out pages using both protocols. You specify SSL port info in the IIS manager dialogs. Since both http and https are part of the same web site, both share the same session info. If you want to restrict certain pages to a particular protocol, you can either write code inside the page to reject it if it isn't SSL, or you can specify in the IIS manager dialogs (in the Directory Security tab) that a page should only be served via SSL.

Because both http and https are part of the same web site, they should share session info. So your cart info will be maintained across the web site.

[edited by: Xoc at 9:17 am (utc) on Aug. 19, 2002]
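The "check the request is on SSL and redirect if it isn't" approach Xoc describes, written out as an ASP.NET HttpModule so one web site (ports 80 and 443, one session) enforces it for a whole checkout area rather than page by page. This is an added example, not code from the thread; the `/checkout/` path and the module name are assumptions.

```csharp
// Added example (not from the thread). Enforces HTTPS for one area of a
// single IIS web site that answers on both port 80 and port 443, so the
// session cookie (and therefore the cart) is the same on both sides.
using System;
using System.Web;

public class RequireSslModule : IHttpModule
{
    // Hypothetical: the purchase pages live under this virtual path.
    private const string SecureArea = "/checkout/";

    public void Init(HttpApplication app)
    {
        // Run on every request, before the page itself executes.
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }

    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        HttpRequest req = ctx.Request;

        // Pages outside the secure area may be served over plain HTTP.
        if (!req.Path.ToLower().StartsWith(SecureArea))
            return;

        // IsSecureConnection is true when IIS received the request on the
        // SSL port (443 here), which is the check Xoc describes.
        if (req.IsSecureConnection)
            return;

        // Same host, path and query string; only the scheme/port change.
        // A redirect drops any POSTed form data, so links into the checkout
        // should already use https and this is only a safety net.
        UriBuilder target = new UriBuilder(req.Url);
        target.Scheme = Uri.UriSchemeHttps;
        target.Port = 443;
        ctx.Response.Redirect(target.Uri.AbsoluteUri, true);
    }
}

// Register the module in web.config (inside <system.web>):
//   <httpModules>
//     <add name="RequireSsl" type="RequireSslModule" />
//   </httpModules>
```

Because the same session cookie is sent over both ports, whatever the cart session unlocks is only as well protected as the plain-HTTP side of the site; the redirect protects the checkout traffic, not the session identifier itself.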

Signum

9:08 am on Aug 19, 2002 (gmt 0)

10+ Year Member



Thanks for that. It now makes sense, and just in time.

Thanks again for your help