stackoom
  简体   繁体   中英

secure redirect from https to http

 原文  2013-11-04 18:04:53       security/ http/ https/ verification

Question

I have a site which after the initial login pages (in https) should redirect to a http site.
I have noticed the session cookie is not carried over between the https and http requests.
What would be a secure way to do this?
Right now as an interim solution I generate a one time unique key to use the first time I move from https to http. This, after verified, re-creates the user session.

1 answers

solution1
 1 ACCPTED  2013-11-04 21:52:00

What would be a secure way to do this?

There isn't one. At best you end up sending session tokens in the clear and are open to session hijacking. At worst, you expose the user to a MitM attack (even on the pages that both you and the user think are secure, as long as they got there from a http only page).

Serve the entire site over HTTPS. The overhead isn't that high and it removes so many potential security pitfalls.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Is a POST from HTTP to HTTPS secure? Is it secure to submit from a HTTP form to HTTPS? Secure HTTPS transactions from HTTP client Do browsers follow 301 redirects from HTTP to HTTPS, on a secure site? security of http to https redirect How can I make my jsp webapp swtich from secure (HTTPS) to non-secure (HTTP) protocol? Redirect rule for only home page from http to https which web path is secure https to http or the opposite? Https (secure) lightbox login on a http page How to redirect HTTP requests to HTTPS
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM