
Set a cookie coming from https on http site

We are trying to create an AJAX sign-in control on our page. The thing is that we want it to be secure, so when you are on our homepage, e.g. http://page.com, and you want to log in, the AJAX request (using jQuery) with your login and password goes to the https://page.com/sign-in/ action.

The thing is that normally we cannot send a request like this, because of cross-domain security. On our sign-in action we put the header Access-Control-Allow-Origin, whose value points to our http site URL, so it can make a login request.

This works fine, except one really important issue:

The https site returns a signed-in user panel that we replace the login form with. It also returns a cookie (a typical .NET authentication cookie). The cookie does not want to settle on our page - I guess that somehow our http page does not want to accept a cookie from the https action...

When we are on some other https site and try to log in, it works fine and the cookie is set.

How can we avoid this? How can we allow the https action to set a cookie on the http site?

This is still the same domain name, just a different protocol..

As some users said, it turned out to be an insecure solution. Quentin pointed out that this is vulnerable to a man-in-the-middle attack, so the solution is to put the whole page on the https domain and not differentiate the protocol by the type of content.
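
The all-HTTPS approach the question settles on, written as an added JavaScript example (not code from the original post): plain-HTTP requests are redirected or refused, HTTPS responses carry HSTS, and the authentication cookie is marked Secure and HttpOnly. The host page.com comes from the question; the cookie name `auth`, the function names, the request shape and the HSTS max-age are assumptions.

```javascript
// Assumed values: page.com is the host from the question; the cookie name
// and max-age are illustrative.
const CANONICAL_HOST = 'page.com';
const HSTS = 'max-age=31536000; includeSubDomains';

// Set-Cookie value for the authentication ticket. Secure keeps the cookie off
// http:// requests, HttpOnly keeps page script from reading it.
function authCookie(name, ticket) {
  return `${name}=${encodeURIComponent(ticket)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Decide status and headers for one request.
// req: { encrypted: boolean, method: string, url: string } (constructed shape)
// ticket: value issued by a successful sign-in, or null.
function planResponse(req, ticket = null) {
  if (!req.encrypted) {
    // Redirect to the configured host, never to the client-supplied Host header.
    if (req.method === 'GET' || req.method === 'HEAD') {
      return { status: 301, headers: { Location: `https://${CANONICAL_HOST}${req.url}` } };
    }
    // A form or AJAX POST over http has already exposed its body; refuse it
    // so the mistake is visible instead of being silently redirected.
    return { status: 400, headers: {} };
  }
  const headers = { 'Strict-Transport-Security': HSTS };
  if (ticket !== null) headers['Set-Cookie'] = authCookie('auth', ticket);
  return { status: 200, headers };
}

// Audit helper: which protective attributes a Set-Cookie value is missing.
function missingCookieAttributes(setCookie) {
  const attrs = setCookie.split(';').slice(1)
    .map(a => a.trim().split('=')[0].toLowerCase());
  return ['secure', 'httponly'].filter(a => !attrs.includes(a));
}
```

`missingCookieAttributes` can be run over the Set-Cookie headers captured from a sign-in response to confirm the authentication cookie is never issued without `Secure`.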
