1

I am here as a developer of a website. My website has different modules, one of whose functions is to process credit cards. In order to process credit cards I need to implement an SSL layer and process the pages. For the rest of the modules SSL is optional.

Now my points are:

1.) Is the location of the files for HTTP and HTTPS the same?

2.) Can the session of HTTP and HTTPS be shared? This is required as I need user login information and cart item information.

1 Answer

4

Preface: For most small-time Web site developers, you should not be writing modules to handle credit card data, unless you are prepared to spend a fortune (of both time and money) on implementing PCI standards, audits, regulatory compliance, etc. You've been warned!

Now on to your questions:

  1. Assuming you're using Apache, the HTTP and HTTPS versions of your site are declared in VirtualHost directives in your httpd.conf. (RHEL puts the SSL configuration in conf.d directory.) Now, each virtual host can have its DocumentRoot configured individually. So you can choose whether you want them to be the same or not.

  2. Sharing session data between HTTP and HTTPS requires careful attention. In particular, you can't use the same session ID on both HTTP and HTTPS versions of your site--because as soon as the session ID is transmitted over unencrypted HTTP, all session security is essentially lost.
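One way to apply the point in item 2, as an added example that is not part of the original answer: the ordinary session ID cookie travels over both HTTP and HTTPS and only identifies the cart, while a second token, set in a `Secure` cookie at login over HTTPS, is required for checkout. The cookie names `SID` and `SECURE_SID`, the function names and the in-memory store are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

# In-memory session store (assumption; a real site would use its framework's store).
SESSIONS = {}  # sid -> {"cart": [...], "user": ..., "secure_token": ...}

def new_session():
    """Create the session shared by the HTTP and HTTPS sides (cart data only)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"cart": [], "user": None, "secure_token": None}
    return sid

def cookie_header(name, value, secure):
    """Build a Set-Cookie value; the Secure flag keeps a cookie off plain HTTP."""
    c = SimpleCookie()
    c[name] = value
    c[name]["path"] = "/"
    c[name]["httponly"] = True
    c[name]["samesite"] = "Lax"
    if secure:
        c[name]["secure"] = True
    return c[name].OutputString()

def login(sid, user, is_https):
    """Bind a second, HTTPS-only token to the existing session at login."""
    if not is_https:
        raise PermissionError("login must happen over HTTPS")
    token = secrets.token_urlsafe(32)
    SESSIONS[sid].update(user=user, secure_token=token)
    return cookie_header("SECURE_SID", token, secure=True)

def authorize_checkout(cookies, is_https):
    """Return the user only for an HTTPS request carrying both matching cookies."""
    sess = SESSIONS.get(cookies.get("SID", ""))
    token = cookies.get("SECURE_SID", "")
    if not (is_https and sess and sess["secure_token"]):
        return None
    if not secrets.compare_digest(sess["secure_token"], token):
        return None
    return sess["user"]
```

A request that presents only `SID`, which is all that is ever sent over unencrypted HTTP, still maps to the cart but is refused at checkout.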


1 Comment

Are there some good articles on making secure and reliable session sharing between HTTP and HTTPS?
