#1
What pages need to be secure?
I have a secure site and need some guidance about what pages need to be secure and what don't.
The username (if logged in) is shown on every page. So does every page need to be secure if the user is logged on - or is it just pages with forms on them? If it is just the form pages, should I be worried about session hijacking (so the hacker can get the username)? Passwords etc. are not session variables - only the username and id. Thanks
#2
RE: What pages need to be secure?
Generally, I only use secure pages where sensitive information like monetary transactions take place, such as a shopping cart checkout. Up until the time of the checkout, I won't secure it, and have never had "session hijacking" to be a major problem.
#3
RE: What pages need to be secure?
Does anyone else have any input on this?
#4
RE: What pages need to be secure?
I think you only need some pages to be secure. For example the page that contains the login form doesn't need to be secure, but the page that does the actual login does. Generally, I would make the pages that handle forms secure, perhaps some others too if there really is need to do it.
#5
RE: What pages need to be secure?
Why doesn't the login form need to be secure? Won't the password be sent unencrypted then? So I shouldn't worry about a hacker getting the username and userid and should just make the sensitive info secure?
Thanks
#6
RE: What pages need to be secure?
When the user comes to the form, there is no sensitive data moving. But when the form is sent, the username and password are sensitive. That's why there should be action="https://blablabla/bla.php" in the form tag, but the form itself doesn't need to be on a secured page.
Another thing is how you use sessions. Should you store the username and password, or make it more secure and save only a randomly generated ID that makes the system recognize the user and computer? What I mean is that you save a session id to the database's users table, and check that from the session variable. I think it might be more secure that way (not completely sure though).
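The random-session-ID idea from post #6, as an added example that is not code from any poster in this thread. It is written in Python with an in-memory SQLite table standing in for the site's users table; the function names, column names and the 30-minute lifetime are assumptions, and storing only a hash of the token plus an expiry time goes beyond what the post describes.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

SESSION_TTL = 1800  # seconds; assumed lifetime, not from the thread


def open_db():
    # In-memory stand-in for the site's users table (constructed sample data).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,"
               " session_hash TEXT, session_expires REAL)")
    db.execute("INSERT INTO users (id, username) VALUES (1, 'alice')")
    return db


def _digest(token):
    # Only a hash is stored, so a leaked table does not expose live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def start_session(db, user_id, now=None):
    """Call after the password check succeeds; returns the token for the cookie."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute("UPDATE users SET session_hash = ?, session_expires = ? WHERE id = ?",
               (_digest(token), now + SESSION_TTL, user_id))
    return token


def current_user(db, user_id, token, now=None):
    """Return the username if the presented token matches, else None."""
    now = time.time() if now is None else now
    row = db.execute("SELECT username, session_hash, session_expires"
                     " FROM users WHERE id = ?", (user_id,)).fetchone()
    if row is None or row[1] is None or now >= row[2]:
        return None
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(row[1], _digest(token)):
        return None
    return row[0]


def end_session(db, user_id):
    # Logout invalidates the token server-side, not just in the browser.
    db.execute("UPDATE users SET session_hash = NULL, session_expires = NULL"
               " WHERE id = ?", (user_id,))
```

The token is only as safe as the channel it travels over: if the cookie carrying it is also sent on plain-http pages, it can be read in transit, which is the session-hijacking concern raised in the first post.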
#7
RE: What pages need to be secure?
Okay. I've got that. Thanks.
I'll move the login and register form off the secure area. And just have the processing and other relevant pages on secure pages. Thanks for your input
#8
RE: What pages need to be secure?
One little thing to add to this...
Sending _anything_ over https creates a heavy strain on the processor of the server - html is small but images can be big.
A solution sometimes used is to have the actual pages you want secure on https and stuff like images on http.
There is a small problem with this though (I'm sure you've seen it a few times).
If the browser detects mixed https and http, it warns the user that certain parts of this page are insecure.
The way around this is to use frames so, for example, only your forms and any images there are https while the rest of the site is normal http.
Bit more complex to set up but not hugely so, and where you need to update two or more frames at the same time a little bit of very simple JavaScript works perfectly.
#9
RE: What pages need to be secure?
That's exactly why I asked the question in the first place. When the user is logged in the site slows to a crawl. It's just too slow. Thanks for the input
#10
RE: What pages need to be secure?
Well, now you both know why it happens and the solutions.
Hope it helped
#11
RE: RE: What pages need to be secure?
Quote:
I wouldn't say HEAVY... a slightly elevated processor load perhaps, but not heavy. Any secure tunnel service will increase your overhead a little because of extra packet headers it has to process. All sites that I have seen who use secure pages do just fine.
Quote:
Modern-day browsers will ask before they display non-secure items. It isn't as much of a problem as it used to be. Frames are a little bit of an outdated solution to this problem... I look at a page with frames and I think gaudy. Web designers will take curb appeal over server load any day. Although I do not like to argue this point, because I don't wholeheartedly agree, some people will argue that JavaScript is turned off in some browsers and your site will not work if it is dependent on it.