
Is it possible to secure a jQuery UI dialog with HTTPS when the rest of the page is in HTTP?

The case: a jQuery UI dialog should contain the customer's credit data, while the rest of the page is a product catalog served over HTTP.

Question: Is it possible to secure the jQuery UI dialog with HTTPS when the rest of the page is in HTTP? Or does the whole page have to be HTTPS, and not only the dialog?

(What I know is that the dialog is part of the page, so it can't be secured on its own, but my boss says I'm wrong.)

Thanks

The answer is without a doubt NO. If you don't protect the entire session with HTTPS then an attacker will obtain the session id and use that instead of the username/password.

What you are describing is a clear violation of the OWASP Top 10: Broken Authentication and Session Management.

The "page" doesn't need to be HTTPS. Only the connection that is grabbing the info does (as long as that data doesn't persist from the non-secure page to another non-secure page).

Security like this works on a transaction basis.

Once you load your page non-securely (HTTP), you can load up the secure content as long as your AJAX is hitting a secure URL (HTTPS).

Beyond that there are definitely other security concerns when dealing with secure user data, but as long as the call that is grabbing that data is done over an HTTPS connection, then you are good.

Another example of this is if you made a form taking users' information. The page containing the form doesn't need to be delivered via HTTPS; you only need HTTPS when the user is submitting that data to your app for processing. Don't think of the "page" as being secured by HTTPS, just the "transaction".

EDIT:

Rereading your question, I think I may have made an assumption. IF you are grabbing this secure data after your page loads, and you do so using AJAX over an HTTPS connection, you are good.

But in your question you don't mention using AJAX. If you are grabbing all the data and sending it to the user all at once, and then just hiding/displaying it on the page, then YES, that page needs to be HTTPS. You are still transferring secure data over a non-secure connection even if the end page is 'hiding' it.
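The two answers disagree on what "protecting the transaction" buys you. The example below is an added illustration, not code from either answer or from the question: it models the browser's cookie-scoping rules (RFC 6265, simplified to host, path and Secure matching) and runs the question's scenario through them, an HTTP catalog page plus a dialog that fetches credit data over HTTPS. The host name `shop.example`, the cookie name `sid` and the request URLs are made up for the example. It shows that if the session cookie is not marked `Secure`, the session id is sent on every plain-HTTP catalog request and so is exposed exactly as the first answer says, even though the credit data itself only travels over HTTPS.

```javascript
// Added example (not from the original post): which requests from an HTTP
// catalog page carry the session cookie, under a simplified model of the
// browser's cookie rules. Host, cookie name and URLs are made up.

// Parse a Set-Cookie header value into a stored cookie. `settingHost` is the
// host that sent the header; a cookie without a Domain attribute is host-only.
function parseSetCookie(header, settingHost) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    domain: null,
    path: '/',
    settingHost: settingHost.toLowerCase(),
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'domain') cookie.domain = v.toLowerCase();
    else if (key === 'path') cookie.path = v;
  }
  return cookie;
}

// Decide whether a stored cookie is attached to a request for `url`:
// host match (exact for host-only cookies, suffix match for Domain cookies),
// path match (RFC 6265 section 5.1.4), and Secure only over https.
function cookieIsSent(cookie, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const hostMatches = cookie.domain
    ? host === cookie.domain || host.endsWith('.' + cookie.domain)
    : host === cookie.settingHost;
  const prefix = cookie.path.endsWith('/') ? cookie.path : cookie.path + '/';
  const pathMatches = u.pathname === cookie.path || u.pathname.startsWith(prefix);
  if (!hostMatches || !pathMatches) return false;
  if (cookie.secure && u.protocol !== 'https:') return false;
  return true;
}

// The question's scenario: the catalog page and its script come over HTTP,
// the dialog's AJAX call for the credit data goes over HTTPS.
const SCENARIO_REQUESTS = [
  'http://shop.example/catalog',        // product catalog page (HTTP)
  'http://shop.example/static/app.js',  // the page's own script (HTTP)
  'https://shop.example/api/credit',    // dialog's AJAX call (HTTPS)
];

// Return the plain-HTTP URLs on which the session cookie would be sent,
// i.e. the requests that expose the session id to anyone on the path.
function requestsLeakingSession(setCookieHeader) {
  const cookie = parseSetCookie(setCookieHeader, 'shop.example');
  return SCENARIO_REQUESTS.filter(
    (url) => url.startsWith('http:') && cookieIsSent(cookie, url)
  );
}

// Build a session cookie header that is never sent in clear text.
function hardenedSessionCookie(sid) {
  return `sid=${sid}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Stand-alone demonstration.
console.log('leaks without Secure:', requestsLeakingSession('sid=abc123; Path=/; HttpOnly'));
console.log('leaks with Secure:   ', requestsLeakingSession(hardenedSessionCookie('abc123')));
```

Run with `node`. With the `Secure` attribute missing, the session id travels on both HTTP requests; with it set, no plain-HTTP request carries it, and only the HTTPS credit call does. Note the remaining gap the model makes visible: `http://shop.example/static/app.js` is still fetched in clear text, so an active attacker on the path can alter the script that opens the dialog and makes the HTTPS call, which is why protecting only the "transaction" is weaker than protecting the whole page.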
