I am looking for the best-practice solution regarding how to secure a "shopping-cart" part of an otherwise (relatively) insecure website.
The existing setup in the site uses an insecure cookie, and only secures (via SSL) the transaction of credentials. The rest of the site is accessed via HTTP and thus, data is transmitted insecurely. This is not a problem for us, though.
However, now we are adding a "shopping-cart-esque" element to the site, and we wish to secure the checkout process. My idea so far was:
Notes and thoughts:
Is this considered a good solution? Is there a better practice that can be applied in this case? Is there anything that can be done to increase security even further without "over-doing" it?
Thanks in advance! Tom
I would recommend implementing J2EE security. You should have no problem using Struts.
Because you are using Cookies you force the client to have Cookies enabled on his/her browser.
You can rather force the user to log in using (J2EE security) when they want to use a basket and then only store the JSESSION (Container default) id on the client browser (the user doesn't need to be authenticated in order to create a session).
If you provide a session timeout of 30 min and keep all the client info in the session, it is kept at the server and disposed of if the client disappears.
One is able to have Cookies disabled on the browser and still have the server recognize the client. See the J2EE Spec.
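As an added example (not from the original answer or the asker's site), here is a Servlet 3.0 `web.xml` fragment applying the container-managed security the answer describes: the basket and checkout paths require a logged-in user and are forced onto HTTPS, the session expires after the 30 minutes mentioned, and JSESSIONID is issued only as a `Secure`, `HttpOnly` cookie. The path names `/basket/*` and `/checkout/*`, the role `customer` and the login page names are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: Servlet 3.0 deployment descriptor, not from the original answer.
     Paths, role name and login pages are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Only the basket and checkout are protected; the rest of the site stays on plain HTTP. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>basket-and-checkout</web-resource-name>
      <url-pattern>/basket/*</url-pattern>
      <url-pattern>/checkout/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- CONFIDENTIAL makes the container redirect plain-HTTP requests here to HTTPS. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <security-role>
    <role-name>customer</role-name>
  </security-role>

  <!-- Form login; the login pages sit under /checkout/ so they are served over HTTPS too. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/checkout/login.jsp</form-login-page>
      <form-error-page>/checkout/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <session-config>
    <!-- 30-minute timeout as in the answer; basket contents live in the server-side session. -->
    <session-timeout>30</session-timeout>
    <cookie-config>
      <http-only>true</http-only>
      <!-- Secure keeps JSESSIONID off the plain-HTTP pages of the site. -->
      <secure>true</secure>
    </cookie-config>
    <!-- COOKIE only: the session id is never rewritten into URLs. -->
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
```

Because the cookie is `Secure` and tracking is cookie-only, every page that reads or writes the basket must sit under the HTTPS-constrained paths, and the session id never falls back to URL rewriting, which would place it in links, browser history and server logs.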