On Tue, 2005-10-04 at 18:14 -0400, Dave Newton wrote:
> Tim Coy wrote:
> 
> >Point taken and I hadn't considered that.
> >Most users tend to only login once they intend to make a purchase. Then all
> >transactions are via SSL Including browsing for more items to purchase.
> >
> I haven't found that to be the case; I nearly always see just the 
> "important data" forms being protected via SSL, which is what I would 
> expect.
> 
> In any case, sslext lets you set a "secure" property for each action; if 
> the user arrives at that page w/ a non-matching method (http/https) 
> it'll flop you into the right one.

The ideal mode of operation for SSLEXT is that the user does not get
flopped, but rather gets linked or form-submitted to the correct scheme
(http/https) in the first place.

For instance, if you use the SSLEXT link tag, the current page was
accessed via HTTP, and the link is to a page that should be secure, the
SSLEXT link tag will render an absolute URL starting with https://. No
flop (via redirect) is required. The SSLEXT form tag works similarly.


Flopping can be bad in certain cases:
1. private data sent over HTTP
2. file uploads fail on flops, IIRC


If you do decide to rely on flopping (so you don't have to use the
SSLEXT taglib), be sure to also mark as secure any page that links to a
page you want to be secure. For example:

(example with both /showLogin.do and /doLogin.do marked secure)
HTTP GET /showLogin.do
(FLOP! redirect)
HTTPS GET /showLogin.do
HTTPS POST /doLogin.do

is much better than:

(example with only /doLogin.do marked secure)
HTTP GET /showLogin.do
HTTP POST /doLogin.do
(FLOP! redirect, note that all redirects are GETs)
HTTPS GET /doLogin.do?username=bob&password=everyoneknowsmypassword

(I think SSLEXT might store the POSTed params in the session to avoid
putting them in the redirect URL, but I can't remember.)

-Max

> 
> Dave


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
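The two login sequences Max describes, as an added example that is not SSLEXT's own code: a small model of a Struts-style action table with a per-action "secure" flag, a link renderer that emits an absolute URL in the right scheme (what the SSLEXT link and form tags do, so no flop is needed), and a redirect "flop" that re-issues a wrong-scheme request as a GET on the right scheme. The host name, default ports, the extra `/browse.do` action and the rule that unmapped actions default to http are assumptions for the example. The flop deliberately carries the POSTed parameters in the redirect query string, i.e. the worst case from the message (the message itself notes that SSLEXT may keep them in the session instead).

```python
"""Model of the "both actions secure" vs "only the POST target secure" flows.

Added example, not code from SSLEXT or Struts.  Assumed: one host on the
default ports, and a made-up /browse.do action that is never secure.
"""
from dataclasses import dataclass, field
from urllib.parse import urlencode, urlsplit, parse_qs

HOST = "shop.example.com"              # assumed host
PORTS = {"http": 80, "https": 443}     # assumed default ports

# Per-action "secure" flag, like the sslext property.  The two configurations
# compared in the message: both login actions secure, or only the POST target.
BOTH_SECURE = {"/showLogin.do": True, "/doLogin.do": True, "/browse.do": False}
ONLY_POST_SECURE = {"/showLogin.do": False, "/doLogin.do": True, "/browse.do": False}

# Constructed credentials, taken from the message's example URL.
CREDS = {"username": "bob", "password": "everyoneknowsmypassword"}


@dataclass
class Request:
    scheme: str                     # "http" or "https"
    method: str                     # "GET" or "POST"
    path: str                       # action path, e.g. "/doLogin.do"
    params: dict = field(default_factory=dict)


def required_scheme(path, config):
    """Scheme an action must be reached on; unmapped actions default to http (assumption)."""
    return "https" if config.get(path, False) else "http"


def absolute_url(scheme, path, params=None):
    port = PORTS[scheme]
    netloc = HOST if port in (80, 443) else f"{HOST}:{port}"
    query = "?" + urlencode(params) if params else ""
    return f"{scheme}://{netloc}{path}{query}"


def render_link(page_scheme, path, config):
    """What the SSLEXT link tag does: if the target action needs a different
    scheme than the page it sits on, emit an absolute URL in that scheme so
    the browser goes there directly.  Same scheme: a plain relative path."""
    target = required_scheme(path, config)
    return path if target == page_scheme else absolute_url(target, path)


def redirect_location(req, config):
    """The flop: a request that arrived on the wrong scheme gets a 302 to the
    same action on the right one.  Browsers follow a 302 with a GET, so the
    only place the original parameters can travel is the query string."""
    target = required_scheme(req.path, config)
    if target == req.scheme:
        return None
    return absolute_url(target, req.path, req.params)


def trace(req, config, max_hops=5):
    """Run one browser request through the flop logic, following redirects.
    Returns (hops, leaked): the requests actually made, and the parameter
    names that travelled in plaintext (http) or in a URL query string
    (where access logs, proxies and browser history record them)."""
    hops, leaked = [], set()
    for _ in range(max_hops):
        hops.append((req.scheme, req.method, req.path, dict(req.params)))
        if req.scheme == "http":
            leaked |= set(req.params)
        if req.method == "GET":
            leaked |= set(req.params)
        loc = redirect_location(req, config)
        if loc is None:
            return hops, leaked
        parts = urlsplit(loc)
        req = Request(parts.scheme, "GET", parts.path,
                      {k: v[0] for k, v in parse_qs(parts.query).items()})
    raise RuntimeError("redirect loop")


def login_flow(config):
    """Browser on an http page requests the login page, then submits the form
    from whatever scheme that page ended up on (a relative form action)."""
    hops, leaked = trace(Request("http", "GET", "/showLogin.do"), config)
    form_scheme = hops[-1][0]
    more, more_leaked = trace(Request(form_scheme, "POST", "/doLogin.do", CREDS), config)
    return hops + more, leaked | more_leaked


if __name__ == "__main__":
    print("link from http page:", render_link("http", "/showLogin.do", BOTH_SECURE))
    for name, config in (("both secure", BOTH_SECURE), ("only POST secure", ONLY_POST_SECURE)):
        hops, leaked = login_flow(config)
        print(f"--- {name}")
        for scheme, method, path, params in hops:
            print(f"{scheme.upper():5} {method:4} {path} {params or ''}")
        print("leaked:", sorted(leaked) or "nothing")
```

Running it prints the two traces from the message: with both actions secure the only flop happens on a parameter-less GET and the credentials are posted over https; with only `/doLogin.do` secure the credentials cross the wire in plaintext and then reappear in the redirect URL, which is why the link tag's absolute-URL rendering is the preferred mode.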