[nycphp-talk] Switching Forth and Back Between HTTP and HTTPS
Michael B Allen
ioplex at gmail.com
Sun Aug 10 19:52:17 EDT 2008
On Sun, Aug 10, 2008 at 2:41 PM, John Campbell <jcampbell1 at gmail.com> wrote:
>> How do you handle this scenario?
>
> I looked at what amazon.com does and assumed they have it right. The
> only process that is https is the checkout process. Once you enter
> the checkout process, there are essentially zero links on the https
> pages.
>
> I feel that once someone clicks "checkout", there should be zero
> distractions. Amazon does a really good job with this; most of the
> airlines have checkout processes that include unnecessary stuff like
> site navigation.
>
> This doesn't really answer your question, but if the checkout process
> is really simple, the problem of http/https switching tends to go
> away.
The "no distractions" method is pretty much what my current site does.
But now I'm developing a generic framework and my new site will have
other pages aside from the cart that need to be protected. So I'm
trying to normalize things a little. I'd rather not use an application
specific solution.
I'm starting to think that the redirect technique is the way to go
since it can be cleanly implemented (see pseudo code below) in the
bootstrap orthogonally to everything else and can give total
separation regarding host, cookies sessions and so on if security is
critical.
$https_routes = array(
'cart' => true,
'account/logon' => true,
'contacts' => true,
);
$scheme = false;
if (does_request_target_match_route($https_routes)) {
if (!is_https()) {
$scheme = 'https://';
}
} else {
if (is_https()) {
$scheme = 'http://';
}
}
if ($scheme) {
header('Location: ' . rebuild_url_with_new_scheme($scheme));
exit();
}
Mike
--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
More information about the talk
mailing list