[Zope] Sharing session information between domains

Dylan Reinhardt zope@dylanreinhardt.com
24 Jun 2003 13:28:26 -0700


I set up something like this that consisted of a two-way secure
conversation.  If we label the public server X and the secure server Y:

1. X prepares Y for client, shares some kind of token and/or cart id.
2. Client visits Y using specially constructed URL, token, etc.
3. Y retrieves cart securely from X each time data is needed.
4. Billing data entered into Y stays on Y.
5. Y SSL-posts to X which items to mark as purchased.

There are probably other ways to do this, but the above can be
implemented pretty easily with external methods and a crypto library.

HTH,

Dylan



On Tue, 2003-06-24 at 11:28, Alec Munro wrote:
> Hi all,
> 
> I have what I'm sure is the common predicament of having an SSL site 
> with a different domain than the non-SSL site. In fact, I have several 
> domains utilizing the same domain for SSL transactions. I need to figure 
> out a way of sharing session information between two domains, such that 
> the user can move relatively freely between the domains without losing 
> any information.
> Just for an example of how this needs to work:
> 
> user comes to site (session created, insecure)
> user adds product to shopping cart (insecure)
> user checks out (goes to secure site)
> user inputs payment info (secure)
> user remembers he forgot something, goes back to catalogue (insecure)
> user adds another product to cart (insecure)
> user checks out, payment information already input (secure)
> user submits order (secure)
> 
> The important part is that the user's personal information is never 
> transmitted insecurely, while the amount of information that is 
> transmitted securely is kept to a minimum.
> This seems like a relatively common problem, so I would appreciate any help.
> 
> Thanks for your time,
> 
> Alec Munro
> EOA Scientific Systems
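
Added example, not part of the original thread and not Dylan's implementation: a sketch of steps 1 and 2 of the reply, in which X issues an HMAC-signed, expiring, single-use token carrying the cart id and Y verifies it before trusting the URL. The function names, the shared key, the TTL and the token layout are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed demo key (assumption): X and Y would share a random secret out of band.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_TTL = 300  # seconds a handoff URL stays valid (assumed value)

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(cart_id, now=None, key=SHARED_KEY):
    """Server X, step 1: bind cart id, expiry and a nonce under an HMAC."""
    now = time.time() if now is None else now
    claims = {"cart": cart_id, "exp": int(now) + TOKEN_TTL,
              "nonce": secrets.token_hex(8)}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def verify_token(token, seen_nonces, now=None, key=SHARED_KEY):
    """Server Y, step 2: return the cart id, or None if the token is rejected."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        payload, given = b64d(body), b64d(tag)
    except ValueError:  # wrong shape or bad base64
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):
        return None  # forged or altered in the URL
    claims = json.loads(payload)  # parsed only after the MAC checks out
    if claims["exp"] < now:
        return None  # stale link
    if claims["nonce"] in seen_nonces:
        return None  # replayed link
    seen_nonces.add(claims["nonce"])
    return claims["cart"]

if __name__ == "__main__":
    seen = set()
    url_token = issue_token("cart-42")
    print("first visit :", verify_token(url_token, seen))
    print("replayed    :", verify_token(url_token, seen))
```

The token carries only the cart id, so billing data never leaves Y; Y still fetches cart contents from X over SSL as in step 3.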