Well, it's easier just to use the servlet session tracking - you can ensure the
session carries from your insecure to SSL server by using the same DNS name for
both.
As to using a DB, this is unnecessary if you use the same Tomcat instance(s)
for both - just build the cart as a Java data structure and attach it to the
HttpSession, and retrieve it again when you reconnect to the same session via
the SSL path.
If you do need to pass session IDs and are constructing your own, make sure
they are hard to guess, like the session tracking ID in the appserver.
"Nathan N. Vuong" wrote:
> All,
>
> Would like to get a consensus on what is the best practice to implement the
> Shopping Cart concept. The requirement is to use non-secured (HTTP) for
> shopping, browsing, and adding items. Then use secured (HTTPS/SSL) to
> capture shopper's info and for checking out. For shopping, items can be
> maintained via "session attributes" or DB. However, I'd like some ideas on
> how to retrieve/transfer the shopping items to HTTPS/SSL site at check out
> time. My initial thought is to store the items in a DB while shopping and
> track with a session ID, and pass the same ID as "parameter" over to HTTPS
> site to be used to retrieve the shopping items from the DB. Any feedback is
> greatly appreciated.
>
> With Regards,
> Nathan
> email: [EMAIL PROTECTED]
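The approach described in the reply above, as an added example that is not code from this thread: one servlet class, mapped (hypothetically) to /cart for the plain-HTTP shopping pages and /checkout for the HTTPS side, both in the same Tomcat instance and reached under the same host name so the browser presents the same JSESSIONID cookie on both. The cart is a plain Map kept on the HttpSession; no DB and no ID passed as a parameter. It assumes the javax.servlet API 2.5 or later and Java 8. The names CartServlet, the "cart" attribute and the two paths are my choices. Because the session ID has already travelled over plain HTTP while shopping, the checkout handler also moves the session's attributes to a freshly issued ID before using them; newOpaqueId shows what "hard to guess" means if an ID does have to be minted by hand.

```java
import java.io.IOException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

// Added example (not from the thread). Assumed mappings in web.xml:
//   POST /cart      -> doPost  (plain HTTP, shopping)
//   GET  /checkout  -> doGet   (HTTPS, checkout)
// Same Tomcat instance and same host name for both, so the same session cookie
// arrives on both and the cart object attached to it is found again at checkout.
public class CartServlet extends HttpServlet {
    static final String CART_ATTR = "cart";           // session attribute name (our choice)
    private static final SecureRandom RNG = new SecureRandom();

    /** The cart is a plain Java object: SKU -> quantity, created on first use. */
    @SuppressWarnings("unchecked")
    static Map<String, Integer> cart(HttpSession session) {
        synchronized (session) {                       // two tabs may share one session
            Map<String, Integer> cart = (Map<String, Integer>) session.getAttribute(CART_ATTR);
            if (cart == null) {
                cart = Collections.synchronizedMap(new LinkedHashMap<String, Integer>());
                session.setAttribute(CART_ATTR, cart);
            }
            return cart;
        }
    }

    /** Shopping side (HTTP): add qty of sku to the cart held on the session. */
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String sku = req.getParameter("sku");
        int qty;
        try {
            qty = Integer.parseInt(req.getParameter("qty"));
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad qty");
            return;
        }
        if (sku == null || sku.isEmpty() || qty < 1 || qty > 99) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "bad item");
            return;
        }
        Map<String, Integer> cart = cart(req.getSession(true));
        Integer have = cart.get(sku);
        cart.put(sku, (have == null ? 0 : have) + qty);
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }

    /** Checkout side (HTTPS): refuse plain HTTP, then pick the cart up from the session. */
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!req.isSecure()) {                         // same host, https scheme
            resp.sendRedirect("https://" + req.getServerName() + req.getRequestURI());
            return;
        }
        // The session ID was on the wire in clear while shopping; give the checkout
        // a fresh ID and carry the cart (and any other attributes) across to it.
        HttpSession session = rotate(req);
        Map<String, Integer> cart = cart(session);
        resp.setContentType("text/plain");
        resp.getWriter().println("items to check out: " + cart);
    }

    /** Invalidate the current session and copy its attributes into a new one. */
    static HttpSession rotate(HttpServletRequest req) {
        Map<String, Object> saved = new HashMap<String, Object>();
        HttpSession old = req.getSession(false);
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                saved.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = req.getSession(true);
        for (Map.Entry<String, Object> e : saved.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
        return fresh;
    }

    /** Only if you must mint an ID yourself: 128 random bits, never a counter or a timestamp. */
    static String newOpaqueId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }
}
```

The rotate step is the one piece the reply does not mention: copying the attributes to a new session is the portable way to change the ID on servlet containers older than 3.1 (which added request.changeSessionId()). Whether you rotate or not, the cart survives the HTTP to HTTPS hop only if the cookie is scoped to the same host name on both sides, which is exactly the same-DNS-name point made above.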