Web Hosting Talk : Web Hosting Main Forums : Hosting Security and Technology : SSL and Sessions

[jon31]

Hey folks,

I'm creating a custom shopping cart, and it's a 3 step (3 page) process. When you go to step 1, the previous page's information is stored in a session. If these forms are being filled out on a SSL page, are the sessions secure, or are they not effected by the certificate?

Please advise.

Jon

[InstaCarma_carmen]

Hi Jon,

Sessions will not be affected by the ssl certificates if you pass them from normal (http) links to secure ssl links (https). But try to browse the pages via https to ensure that all the data is encrypted before processing.

Sincerely,
Carmen [carmen@instacarma.com]

[jon31]

The sessions are only being set and read between https pages, but does that mean that I need to kill the sessions as soon as the order is complete, so that if they do browse to a non-secure page, their session data would be exposed?

[garaget]

Quote:

Originally Posted by jon31

The sessions are only being set and read between https pages, but does that mean that I need to kill the sessions as soon as the order is complete, so that if they do browse to a non-secure page, their session data would be exposed?

From my understanding you should only worry about killing the session variables only if that info is valuable enough to keep off their screen other wise the sessions should time out anyway. I always clear my cart items after checkout so they don't add the same items again but your user info shouldn't really matter so they can keep shopping right?

[jon31]

Well I'm sending Credit Card information from one page (Step 2), to another page (Step 3), via a session. Could that be intercepted? Since sessions are just cookies stored on the server, they'd have to hack the server to get the sessions, right?