Thread: SSL and non-SSL on a high traffic website

  1. #1
    Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,827

    Default SSL and non-SSL on a high traffic website

    I have an Alpha app that already has 15 instances of Alpha WAS to support its heavy traffic. I need to use SSL for the payment pages because it includes credit card information. So my site needs to be part non-SSL, and part SSL. There are simple instructions on how to do this, where you define one or more Alpha WAS instances with the SSL option. But I already have to have 15 instances to support my traffic, and a load balancer to balance the load over those 15 instances. I can't 'cheat' and have 7 non-SSL and 8 SSL because I won't know where the users are concentrated - on the payment pages or elsewhere. I have to assume full traffic on both SSL and non-SSL.

    So, assuming I need all of those instances to support traffic, it seems I also need the same number of instances to support the SSL traffic. So 15 non-SSL and 15 SSL or 30 instances. Does anyone know the answer to any of the questions below:

    • Will all of the session variables be carried over from the non-SSL instance to the SSL instance?
    • Will the load balancer even allow this to happen?
    • What else isn't going to make me happy?
    Steve Wood
    Join the ALPHA DEVELOPERS NETWORK
    There is no Cloud. It's just someone else's computer.
    Web - Mobile - Hosting - Products - Frameworks - Developer Resources
    AlphaToGo | IADN (100% Alpha Anywhere Websites)

  2. #2
    "Certified" Alphaholic chadbrown's Avatar
    Real Name
    Chad Brown
    Join Date
    Aug 2007
    Location
    Aurora, Ontario, Canada
    Posts
    1,408

    Default Re: SSL and non-SSL on a high traffic website

    Steve, is there any reason not to make it all SSL?
    Chad Brown

  3. #3
    Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,827

    Default Re: SSL and non-SSL on a high traffic website

    Yes, all SSL is an option. I guess my answer is because I don't want to just because I have high volume. Amazon is all non-SSL until you get to the checkout page.
    Steve Wood

  4. #4
    VAR Pat Bremkamp's Avatar
    Real Name
    Pat Bremkamp
    Join Date
    Apr 2000
    Location
    Oregon, USA
    Posts
    2,594

    Default Re: SSL and non-SSL on a high traffic website

    Steve,

    In my experience, the SSL is actually a different domain, so none of the session variables will carry over. You'll need to send a token in the URL or use an HTTP POST to indicate which order to process, then use that to go to the tables to get the order info.

    However, the load question is more what activity each person will have. The non-SSL side will have the casual lookers, the robots, the browsers and the ordering users going through a number of pages or lookups, while the payments page could be as little as a single grid. As you know, it's not the number of connections, but how busy the connections are.

    So, I think you'll find the SSL needs less than the non-SSL needs. No idea what the ratio would be, but a guess would be about 1 SSL for every 4 or 5 non-SSL.

    Pat
    Pat Bremkamp
    MindKicks Consulting

  5. #5
    Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,827

    Default Re: SSL and non-SSL on a high traffic website

    I will have to see what other websites do when they shift from HTTP to HTTPS for checkout. I can ensure everything required by the checkout process is stored to the database and then pass the CartID to the checkout page. I happen to have a more than normal number of session vars that need to be available on that checkout page, so I need to figure out what to do with those, again probably ensuring the values are in the database and can be recreated using the CartID.
    Steve Wood

  6. #6
    "Certified" Alphaholic
    Real Name
    Scott
    Join Date
    Mar 2010
    Location
    Toronto,ON
    Posts
    1,030

    Default Re: SSL and non-SSL on a high traffic website

    Why not make a table and store all the variables you need?
    Then write a post to another page with the table's primary key id.

    Use the other page (on a separate domain) to connect to database1 and load the details from that table.

    As far as I'm concerned - most part-SSL sites are 2 separate domains. And basically you'd set your non-SSL up in one farm and your SSL site up in another farm. You could load balance them separately and they would be completely independent of each other.

    Theoretically that should work - although I've never worked with farms or part-SSL sites, but I usually notice the URL is a subdomain

    e.g. mysite.com checkout.mysite.com

    Also - you could store something like this (I added this because you said you had an unusual amount of variables, so usually you use an EAV structure (entity-attribute-value))

    CartVariables
    cartid (foreign key to cart, cascade delete, cascade update)
    varname
    varvalue
    protected (tinyint(1))

    cartid  varname  varvalue           protected
    1       ulink    01d0ad0210kd201dk  1
    1       myvar    var1value          1
    1       myvar2   var2value          0


    Then you'd be able to load your cart variables from your new domain and set them to local variables for processing.

    The protected flag is just there in case for some reason you need to repopulate the session in the checkout page (so you'd probably want to know what is protected or not - but session variables should always be protected IMO), but for the most part you could use local variables. You may want to set the cart id, ulink and something else in session.

    Page 1 (checkout)
    -Load from cart using cartid
    -Load cart variables and assign to local scope variables (either to a property array or use some dynamic variable creation)
    -Show a confirmation
    -Redirect to checkout processor using the cartid in session

    Processor (page 2)
    -Load the cart again
    -Process payment etc etc

    Receipt (page 3)
    -Load the cart again
    -Show a summary of items in a printable receipt
    Last edited by aburningflame; 12-02-2010 at 07:22 AM.
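
The handoff Pat and Scott describe above (send an order identifier to the SSL checkout host, then reload the cart from the database), as an added example that is not code from any poster or from Alpha Software. Instead of a bare primary key, the URL carries a short-lived HMAC-signed token so the checkout side can reject altered or stale cart ids; the shared key, the function names and the in-memory rows standing in for the CartVariables table are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional

# Assumption: both farms read the same secret from server-side configuration.
HANDOFF_KEY = b"constructed-demo-key-replace-me"
MAX_AGE_SECONDS = 300  # the token only has to survive the redirect

# Constructed sample rows standing in for the CartVariables table in the post:
# (cartid, varname, varvalue, protected)
CART_VARIABLES = [
    (1, "ulink", "01d0ad0210kd201dk", 1),
    (1, "myvar", "var1value", 1),
    (1, "myvar2", "var2value", 0),
]

def _sign(payload: bytes) -> str:
    mac = hmac.new(HANDOFF_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")

def make_handoff_token(cart_id: int, now: Optional[float] = None) -> str:
    """Non-SSL side: build the value placed in the redirect or POST."""
    issued = int(time.time() if now is None else now)
    payload = f"{cart_id}.{issued}"
    return f"{payload}.{_sign(payload.encode())}"

def verify_handoff_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """SSL side: return the cart id, or None if the token is rejected."""
    try:
        cart_id, issued, sig = token.split(".")
        cart_id_int, issued_int = int(cart_id), int(issued)
    except ValueError:
        return None  # wrong number of fields or non-numeric values
    expected = _sign(f"{cart_id}.{issued}".encode())
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None  # cart id or timestamp was altered
    current = time.time() if now is None else now
    if not 0 <= current - issued_int <= MAX_AGE_SECONDS:
        return None  # stale or future-dated token
    return cart_id_int

def load_cart_variables(cart_id: int) -> Dict[str, str]:
    """Rebuild the checkout page's variables from the shared table."""
    return {name: value for cid, name, value, _ in CART_VARIABLES if cid == cart_id}
```

The signature gives integrity and freshness only: a token issued over plain HTTP can still be observed in transit, so the checkout side should treat it as a cart lookup key rather than as proof of who the visitor is.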

  7. #7
    Member
    Real Name
    Gregory Baird
    Join Date
    Oct 2007
    Location
    Northern California
    Posts
    74

    Default Re: SSL and non-SSL on a high traffic website

    Steve

    The problem is that Alpha server can only answer to one port. I have brought this to Richard's attention. All other web servers are capable of dual answering; that is how they do it. The only way to do this in Alpha that I have figured out is to have two Alpha servers running, one on port 443 and the other on port 80, and pointing to the same webroot folder; just haven't figured out how to SHARE the cookie / session. Not sure if a page redirect would carry the session id with it.

    Greg
    Last edited by glbaird; 12-02-2010 at 12:57 PM.

  8. #8
    Member
    Real Name
    Rod McLeish
    Join Date
    May 2010
    Posts
    43

    Default Re: SSL and non-SSL on a high traffic website

    Steve,

    Would you mind sharing how many hits you are getting at this site or how many users it is serving concurrently? I have just finished my first large application with Alpha Five and am thinking about a SaaS application with Alpha Five. My biggest fear is the server itself and how many instances would be required if the concept took off. While Alpha helps us from a developer perspective, the pages developed using grids are fairly "heavy" in terms of page size and thus limit server throughput.

    Thanks,

    Rod

  9. #9
    Member
    Real Name
    Rod McLeish
    Join Date
    May 2010
    Posts
    43

    Default Re: SSL and non-SSL on a high traffic website

    Steve,

    From a session perspective, I am not sure how the server treats sessions from an SSL vs non-SSL perspective but if the sessions were stored as cookies then this should not be an issue.

    Rod

  10. #10
    Moderator Steve Wood's Avatar
    Real Name
    Steve Wood
    Join Date
    Nov 2003
    Location
    Bay Area, California
    Posts
    8,827

    Default Re: SSL and non-SSL on a high traffic website

    "how many instances would be required if the concept took off"
    Rod, I'm not going to discuss that on the forum, but please call or email me if you want to know the result of my testing in this area.
    Steve Wood

  11. #11
    Alpha Software Employee Lenny Forziati's Avatar
    Real Name
    Lenny Forziati
    Join Date
    Nov 2001
    Location
    Alpha Software
    Posts
    4,680

    Default Re: SSL and non-SSL on a high traffic website

    Quote: Originally posted by RodMc
    Steve,

    From a session perspective, I am not sure how the server treats sessions from an SSL vs non-SSL perspective but if the sessions were stored as cookies then this should not be an issue.

    Rod

    The sessions will NOT be shared between non-SSL and SSL.

    Lenny Forziati
    Vice President, Internet Products and Technical Services
    Alpha Software Corporation

  12. #12
    "Certified" Alphaholic
    Real Name
    eric
    Join Date
    Mar 2009
    Location
    Amsterdam
    Posts
    1,284

    Default Re: SSL and non-SSL on a high traffic website

    Quote: Originally posted by Lenny Forziati
    The sessions will NOT be shared between non-SSL and SSL.

    I think these subjects should be easier to do.
    Define AFAS as a [session] broker manager capable of running several instances without concern of SSL yes or no.
    That results in a new kernel for AFAS but an opening to other great opportunities.

    my2p

  13. #13
    Member
    Real Name
    Doug Page
    Join Date
    Jan 2002
    Location
    Vancouver, BC Canada
    Posts
    963

    Default Re: SSL and non-SSL on a high traffic website

    Steve,

    I know you mentioned Amazon going back and forth, but many sites are now heading to full security all the time. Look at the announcement from Hotmail, who now enable you to use HTTPS throughout the site.

    3 weeks ago a little Firefox extension was released called Firesheep.

    http://codebutler.com/

    This thing has upset the apple cart as far as security on many sites is concerned. It is now very easy to hijack wireless connections and take control of the website they are on, e.g. Facebook, Twitter, etc.

    A quick google on Firesheep should keep you reading for quite a while and perhaps change your mind about not just leaving a site secure.
