Do you force your web pages to use SSL? Many times people just enable SSL only on login pages. But if we do that, how are we going to protect the session key (sent with cookie) while accessing non-SSL pages? So, my question is:
Is it wise to force SSL on all the pages of your app or just the sign in page?
Vasan Subramanian
Previous generation techie
My suggestion is to enable SSL for all pages. Reasons:
Pros:
Cons:
But, IMO, the performance impact is going to be very minimal. On the server side, if you have a load balancer (e.g., AWS ELB) it will deal with your encryption/decryption so your own server needs to do nothing extra.
On the browser side too, but for very old browsers / old mobile phones, it is unlikely a user will notice the difference.
So, unless your tests conclusively prove that non-SSL pages load significantly faster, and you don't mind sacrificing SEO or extra hassles for that speed, you should not be considering a mixed website.
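An added example, not part of the answer above or of any project's code: a WSGI middleware that forces HTTPS on every page when TLS is terminated at a load balancer, which addresses the question's concern about the session cookie travelling over non-SSL pages. The host `app.example`, the cookie `sid=abc123`, `sample_app` and `demo` are constructed for illustration; it assumes the balancer sets `X-Forwarded-Proto` and is the only route to the server.

```python
from wsgiref.util import request_uri, setup_testing_defaults

HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")

def harden_cookie(value):
    """Append Secure and HttpOnly to a Set-Cookie value when missing."""
    attrs = {p.strip().split("=")[0].lower() for p in value.split(";")[1:]}
    for flag in ("Secure", "HttpOnly"):
        if flag.lower() not in attrs:
            value += "; " + flag
    return value

def force_https(app, trust_proxy=True):
    """Wrap a WSGI app: redirect plain HTTP, add HSTS, mark cookies Secure."""
    def middleware(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        # Behind a TLS-terminating balancer the app sees HTTP; the client's
        # scheme is in X-Forwarded-Proto (assumed trustworthy, see lead-in).
        if trust_proxy and "HTTP_X_FORWARDED_PROTO" in environ:
            scheme = environ["HTTP_X_FORWARDED_PROTO"].split(",")[0].strip()
        if scheme != "https":
            target = "https://" + request_uri(environ).split("://", 1)[1]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]
        def secure_start(status, headers, exc_info=None):
            headers = [(k, harden_cookie(v) if k.lower() == "set-cookie" else v)
                       for k, v in headers]
            return start_response(status, headers + [HSTS], exc_info)
        return app(environ, secure_start)
    return middleware

def sample_app(environ, start_response):
    """Constructed app that issues a session cookie without any flags."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "sid=abc123; Path=/")])
    return [b"hello"]

def demo(**overrides):
    """Send one constructed request through the middleware; return (status, headers)."""
    environ = {"HTTP_HOST": "app.example", "PATH_INFO": "/account",
               "QUERY_STRING": "tab=1", **overrides}
    setup_testing_defaults(environ)
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    list(force_https(sample_app)(environ, start_response))
    return seen["status"], seen["headers"]
```

`demo()` shows the plain-HTTP request being redirected before the application runs, so no cookie is issued on that response; `demo(HTTP_X_FORWARDED_PROTO="https")` shows the cookie leaving with `Secure` and `HttpOnly` plus the HSTS header.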