I use SSL for my login and shopping cart pages. Should I use SSL for other pages too?

SSL is essential when sensitive data is sent over the Internet, like login details and credit card info. It’s actually most secure to use SSL on all pages, but that can slow your site down considerably. If you can’t use SSL on every page, here’s an important precaution to take.

Remember, apart from the password and credit card details, there’s another piece of data that should be sent only over an encrypted connection: the token that an authenticated user receives. For the length of a session, that token is as powerful as the password and grants users access to the shopping cart. This token might come in different forms: it’s the "AuthCookie" in .NET, and it’s often the JSESSIONID cookie in JSP applications when the session token is also the authentication token. Whichever form it may take, that token should be sent only over SSL.

How do you ensure that? If that token is sent as a cookie (and it most likely is), then set the secure attribute for the cookie. The secure attribute tells the browser to send the cookie only over an SSL connection. There is no easy way to do it if the token’s sent as a query string variable, or hidden variable. [That’s another reason why authentication tokens should be implemented as cookies.]

Since the token will now be sent only on SSL connections, you can’t use the token for your non-SSL pages. So if you need to validate the user or session even from non-SSL pages, you will need an additional (non-secure) token that tracks the user’s session.

To summarize,
- Use different tokens for granting access to non-SSL pages vs SSL pages
- Send the higher privilege token only over SSL connections
- Use the "secure" attribute of the cookie to ensure the token is sent only on SSL links
- To access non-SSL pages, use the regular token
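
The two-token scheme summarized above, as an added example that is not part of the original article. The cookie names `auth_token` and `session_track`, the in-memory session stores and the function names are assumptions made for illustration.

```python
import secrets
from http.cookies import SimpleCookie

AUTH_COOKIE = "auth_token"      # hypothetical name: higher-privilege token
TRACK_COOKIE = "session_track"  # hypothetical name: regular (non-secure) token

AUTH_SESSIONS = {}   # auth token -> user (in-memory store for this example)
TRACK_SESSIONS = {}  # tracking token -> user


def issue_login_cookies(user):
    """Build both cookies for a user who has just logged in over SSL."""
    auth, track = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    AUTH_SESSIONS[auth] = user
    TRACK_SESSIONS[track] = user
    jar = SimpleCookie()
    jar[AUTH_COOKIE] = auth
    jar[AUTH_COOKIE]["secure"] = True  # browser sends it only over SSL
    jar[TRACK_COOKIE] = track          # no secure attribute: sent on every page
    return jar                         # jar.output() gives the Set-Cookie lines


def browser_cookie_header(jar, scheme):
    """Model the browser rule: cookies marked secure are withheld on http."""
    return "; ".join(
        f"{m.key}={m.value}" for m in jar.values()
        if scheme == "https" or not m["secure"]
    )


def authorize(cookie_header, is_ssl, needs_privilege):
    """Return the user this request may act as, or None."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if needs_privilege:
        # Cart and checkout pages: SSL and the higher-privilege token only.
        # The regular token is never accepted here, even over SSL.
        if not is_ssl or AUTH_COOKIE not in jar:
            return None
        return AUTH_SESSIONS.get(jar[AUTH_COOKIE].value)
    # Non-SSL pages: the regular token identifies the session.
    if TRACK_COOKIE in jar:
        return TRACK_SESSIONS.get(jar[TRACK_COOKIE].value)
    return None
```

Anyone who captures the regular token from a non-SSL page can be recognized on non-SSL pages only; the cart still requires the token that never left an SSL connection.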

We discussed protection for session tokens in this Palisade quiz.

