
Using SSL domain for login to webapp on non-ssl domain

I'm building this webapp where users can build their own online presentation using HTML and JavaScript (these uploads will be on AWS S3, not on the server itself). They hook up their domain name to the application. I have the following setup but would like to know if this is the safest setup in terms of security and/or what the risks are. Thank you for helping out!

Global setup

  1. When a user logs in to the admin from a non-SSL domain ( http://userdomain.com ), the login form posts the credentials directly to the SSL login domain ( https://logindomain.com )

  2. On logindomain.com the verification happens and, when successful, a new PHP session is started. The session is only valid for userdomain.com. The session_id is also saved in the database for this user account.

  3. Then this session_id is sent to userdomain.com over $_GET (2-way encrypted)

  4. At userdomain.com the sent session_id is verified against the user account in the database and, if OK, a new session is started based on this session_id. When the new session is done, the session_id is regenerated and updated in the database. This session is valid for a limited time (in terms of session timeout but also in the database)

  5. The user is then forwarded to the application (non-SSL) because he is logged in

  6. On each page the user's session is verified against the database based on session_id and valid time window.

The server is not a shared hosting setup, so there are no other virtual hosts that share session data.

Is this login setup safe or how can it be made more secure?

Thanks! Cheers

gr. Dennis

> When a user logs in to the admin from a non-SSL domain ( http://userdomain.com ), the login form posts the credentials directly to the SSL login domain ( https://logindomain.com )

This suggests that the form is served over HTTP. It can therefore be intercepted and edited so that the credentials are captured by the attacker. This is not secure.

> The user is then forwarded to the application (non-SSL) because he is logged in

Any page that contains (or will contain) data that needs to be secure should be sent over SSL. You should not leave SSL once the user is logged in; doing so exposes you to Firesheep-style attacks.
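
Added example (not part of the original answer): a small Python check for the two points above, that an HTTPS form action does not help when the page carrying the form is itself served over HTTP, and that a session cookie without the Secure attribute travels over plain HTTP. The paths /admin and /login, the sample markup, and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the question's setup, an HTTP page posting to the HTTPS login domain.
SAMPLE_PAGE_URL = "http://userdomain.com/admin"
SAMPLE_HTML = ('<form method="post" action="https://logindomain.com/login">'
               '<input name="user"><input type="password" name="pass"></form>')


class _FormScanner(HTMLParser):
    """Collects the action of every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self._action = None  # action of the form currently open, None outside a form
        self.password_form_actions = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._action = attrs.get("action") or ""
        elif (tag == "input" and self._action is not None
              and (attrs.get("type") or "").lower() == "password"):
            self.password_form_actions.append(self._action)

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def audit_login_page(page_url, html):
    """Return findings for password forms on a page fetched from page_url."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    for action in scanner.password_form_actions:
        target = urljoin(page_url, action)
        if urlsplit(page_url).scheme != "https":
            findings.append("form page served over HTTP: markup can be rewritten in transit")
        if urlsplit(target).scheme != "https":
            findings.append("credentials posted over HTTP to " + target)
    return findings


def cookie_is_secure(set_cookie_header):
    """True if a Set-Cookie header value carries the Secure attribute."""
    attrs = [part.strip().lower() for part in set_cookie_header.split(";")[1:]]
    return "secure" in attrs
```

Running `audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML)` flags the question's setup even though the form's action is HTTPS; the same markup served from an HTTPS page produces no findings.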

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. For any questions, please contact: yoyou2525@163.com.

 