How to use https for login and http for other pages

I am getting my website ready to accept credit cards. I have the static IP and SSL purchased and installed. What is the best way to go about having my login.php page use https but all of the other pages use http? I’ve been told that having all my pages use https will slow things down, so I only want the login.php page to use it.

Thank you!!

Surely you want all the pages that someone visits to be served as https as well since they too have to pass information back and forth in order to track that the person is logged in.

All you need to do to switch between them is to use the full address with the http or https on the front.

Correct me if I’m wrong, but I should only use https for pages that require sensitive information, like a username, password, credit card, etc. Most sites I go to use https for logging in, and then http for the rest of the webpages that do not pass private information.

Once a person logs in, I don’t store their credit card in the session either, just basic name and email address.

If the password is sensitive information then the session id is also sensitive information since it provides most of the same access to the site. If someone steals the session id while someone is logged in then they can steal that person’s session and effectively be logged into their account without needing to know their password. You are then reliant on any additional security in web pages asking for the password to be re-entered even though they are already logged in to prevent the hijacker from being able to change the password and/or email address. If there is a credit card associated with the account then there would also be nothing to prevent the hijacker from making purchases using the account if the logged in pages provide that option.

Sounds like those sites you visit are nowhere near as secure as they ought to be. The only difference making the login page https and leaving the rest as http makes is that the person using the man-in-the-middle attack to break in has to steal the current login by stealing the session id rather than stealing the password and logging in later - it then depends on what security is built into the individual pages as to what they can do with the hijacked session.
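
An added example, not part of any post in this thread: one way to keep the session id off plain http in PHP is an include at the top of every page that forces https and marks the session cookie Secure. The file name, function names and `CANONICAL_HOST` value are assumptions for illustration, and the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// secure_session.php: hypothetical include for the top of every page,
// login.php included. Added illustration, not code from the thread.

const CANONICAL_HOST = 'www.example.com'; // placeholder: the site's own host name

function request_is_https(array $server): bool
{
    // PHP sets HTTPS to a non-empty value other than "off" on TLS requests.
    // Assumption: TLS ends at this server, not at a proxy in front of it.
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

function start_secure_session(): void
{
    if (!request_is_https($_SERVER)) {
        // Redirect to a fixed host instead of echoing the Host header back.
        $path = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }

    // Ask browsers to use https for later visits as well.
    header('Strict-Transport-Security: max-age=31536000');

    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // browser never sends it over plain http
        'httponly' => true,   // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

function mark_logged_in(int $userId): void
{
    // Issue a fresh id at login so an id seen before authentication
    // does not carry over into the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_secure_session();
```

The Secure flag is what matters if a visitor follows an old http link: the browser makes that request without the session cookie, and the redirect then moves them to https.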