paulusNewbius Posted October 23, 2008

Hi All,

I could do with some advice on designing a simple e-commerce site!

I want a secure area (https) to contain my login scripts and customer account pages. I have been told the best practice for this is to purchase a new domain, e.g. secure.domain.com, and to buy a valid SSL certificate.

I have files, such as images and JavaScript files, that I want to share between the secure and unsecure pages. On my server, these two sites will need two separate directories. E.g.

    /var/www/
        unsecured-site/
            images/
            jsscripts/
            index.php
            ...
        secured-site/
            index.php
            ...

I heard that if I symlink the image directory (and JavaScript directory, etc.) from the non-secured site to the secured site, then users would not get any warnings about mixed security contents. Is this true?

Are my overall thoughts above about how to design this website valid? Anything to add?

alexweber15 Posted October 23, 2008

I'm sure someone with more https experience can confirm mine or give you a more accurate answer, but as far as I know:

1) Switching back and forth between http and https WILL generate browser warnings.

2) I personally think it compromises the site's security overall (if you transmit any kind of sensitive info over http) - but I have no concrete source to back me on this one.

3) The domain doesn't really matter, it's the hosting that does. If you really want to make it as secure as possible, DON'T get shared hosting. And if you must, get all the extra bells and whistles you can as far as SSL, unique IP, etc. But really, getting a dedicated server is the correct thing to do.

There might be a loophole you can explore using iframes and ajax to load the js, css and images from a non-https location (again, no info to back this up, sorry), but either way, if you're gonna use ajax in the first place you should really go 100% SSL.

So just merge that directory structure and you're good to go!
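
On the mixed-content question in this thread, an added example that is not part of the original posts: browsers warn based on the scheme of the URL a subresource is fetched over, not on where the file sits on disk, so a symlinked images/ directory causes no warning when the secure page references it by relative or https URL. The sketch below flags http:// subresources in a page served over HTTPS; www.domain.com, the file names and the sample markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute whose URL the browser fetches as a subresource.
SUBRESOURCE_ATTRS = {"img": "src", "script": "src", "iframe": "src", "link": "href"}


class MixedContentFinder(HTMLParser):
    """Collects subresources that an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr = SUBRESOURCE_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href>: navigation, not a subresource
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        ref = attrs.get(attr)
        if not ref:
            return
        # Relative and protocol-relative URLs inherit the page's scheme.
        resolved = urljoin(self.page_url, ref)
        if urlparse(resolved).scheme == "http":
            self.insecure.append((tag, resolved))


def find_mixed_content(page_url, html):
    """Return (tag, url) pairs that would trigger a mixed-content warning."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only applies to pages served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure


# Constructed sample of a secured-site page.
SAMPLE = """
<link rel="stylesheet" href="http://www.domain.com/css/site.css">
<img src="/images/logo.png">
<script src="//www.domain.com/jsscripts/menu.js"></script>
<script src="http://www.domain.com/jsscripts/cart.js"></script>
<a href="http://www.domain.com/">Back to shop</a>
"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://secure.domain.com/index.php", SAMPLE):
        print(f"insecure <{tag}>: {url}")
```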