I think I've now been able to setup a secure shopping site and I'm posting the experience here.
It's been a frustrating experience and I hope others can use this information while I'm open to any critique, especially if anybody can point out security deficiencies.
The shopping site should allow both http and https connections. I want visitors to default to http while any cart or checkout pages are to be served using https.
I've run into the situation where an anonymous user adds an item to their cart and the cart shows up empty. My anonymous user has uid == 0 (although the role id == 2 for anonymous).
I've been able to get the anonymous user to add items to their cart when accessing the site using https, however the cart shows up empty whenever the user accesses the site afterwards using http.
I've used the "Secure Pages" module, the "Ubercart SSL-module" and the "Secure Pages Hijack Prevention" module with varying levels of success.
First of all, if an anonymous user adds an item to their cart while using http and the cart shows up empty (in https), then it's possible that session.secure_cookie is on. This also occurs if anonymous adds an item to their cart using https and then switches back to http. The cart is emptied as soon as anonymous hits the site using http coming from https.
Explicitly disabling this in the (apache) site's configuration:
php_flag session.cookie_secure off
I have "Secure Pages" enabled but I'm not exactly sure if it's working. The fields for a secure and non-secure URL seem to be somewhat misleading. IIRC, http://fqdn is not a URL while http://fqdn/ is a (valid) url. "Secure Pages" seems to want a(n invalid) URL (without the trailing slash). Even if I enter http://fqdn and https://fqdn for non-secure and secure base URL (respectively), the module doesn't seem to do its job. I have enabled "Make secure only the listed pages." and the listed pages are:
node/add* node/*/edit admin* cart* user*
Still, the ubercart (cart & checkout) pages show up using http. It doesn't matter if I use '*cart*', '*cart/*' or even '*cart* *cart/* cart cart*', the ubercart cart & checkout pages are served using http.
I've used the ubercart ssl module but that lead to inconsistencies and the cart would frequently show up using http instead of the expected https.
With '$base_url' set to 'https://fqdn', I've setup apache to perform the following redirect:
<VirtualHost x.x.x.x:80>
ServerName http://fqdn
Redirect /cart https://fqdn/cart
...
</VirtualHost>
Now 1. anonymous users don't get an empty cart when adding an item to their cart, 2. anonymous users maintain their cart when they perform an http->https or https-> http switch and 3. all access to the cart (and checkout) is served using https.
I'm still a bit concerned about potential cookie-hijacking when alternating between http and https although the SP Hijacking Prevention module is enabled.
I'm sorry if I can't point out which module (setting) or apache directive causes this to break or what the exact behaviour is when one deviates from this setup, but at least this setup seems to do the job.
