I'm fully aware that the recommended practice is to just force SSL on the entire site. However, there are certainly unique cases where being able to pick and choose between HTTP and HTTPS could come in handy.

However, I've rarely seen this implemented. Why don't sites use this kind of set-up and have secure cookies? Is there a better way to achieve the same thing?

I think the main reason for lack of adoption is risk management:

- Stealing session tokens via eavesdropping is much harder than e.g. cross-site scripting (assuming there is a vulnerability). Thus, according to risk-based prioritization, developers should tackle XSS issues first because it provides a much bigger attack surface (the probability of an attack is much higher). The same is true for CSRF and UI redressing (aka click-jacking).
- If the business impact of sessions being hacked is high (e.g. storing credit cards for later use in a web shop), you might be better off restricting your whole site to HTTPS.

Another reason can be usability concerns: with your proposed scheme you're effectively managing two concurrent sessions for a single user. This is easy enough as long as the logged-in flag is the only state stored in the insecure session. If you can also change settings like language and country from within both sessions it can get messy (to implement or use).

From The Web Application Hacker's Handbook:

> If feasible, HTTPS should be used for every page of the application, including static content such as help pages, images, and so on. If HTTP cookies are being used to transmit tokens, these should be flagged as secure to prevent the user's browser from ever transmitting them over HTTP.

Seriously, make the whole site use HTTPS. A few years back this might not have been feasible mainly because of CDNs not providing HTTPS support. However, today it's mainly a question of balancing development and operational costs.
The solution you propose seems like it would work, as long as you don't mind non-authorized people being able to view the non-secure (http) part of the site 'as if they are logged in', i.e. as long as the http part of the site does not contain any sensitive information, and the only difference between logged-in and not-logged-in users is something harmless in the header.

The reason it is not used very often may be one of:

- This scenario may just not be very common. Usually if you care enough to make part of your site secure, you'd restrict the login session just to that secure part, or you'd make the entire site always use HTTPS (like Paypal).
- Pre-existing solutions exist which are secure and which are capable of more than this, for example logging in someone at an HTTPS login form and maintaining that session while transferring them back to HTTP. Also think flickr or gmail: their sign-in page is always HTTPS, but once the session's started you migrate back to HTTP while maintaining the session securely.

Since I wrote this back in 2009, the practice of having a secure connection for the login screen but dropping back to HTTP once logged in has all but disappeared. The overhead of using HTTPS site-wide is not seen as much of a big deal anymore. The new SPDY protocol pioneered by Google (now evolved into HTTP/2) is supported cross-browser and by major web servers and improves HTTPS speed. Google has even said recently that sites which are HTTPS-only will start to benefit in search engine rankings. And lastly, privacy is seen as more important than ever, even for actions that aren't critical to the authentication, such as writing comments, uploading photos, and more.

Transferring session cookies over HTTP has been bothering me for a while. I think the technique you described is the only sane way to secure cookies while making it possible for logged-in users to browse HTTP pages as if being logged in.
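The two-cookie arrangement the answers above discuss (a Secure, HttpOnly session token plus a harmless, non-Secure "logged-in" flag that HTTP pages may read) can be sketched as follows. This is an added example, not code from any of the posts; the cookie names `sid` and `flag`, the in-memory `SESSIONS` store and the `evaluate_request` helper are assumptions made for illustration.

```python
from http.cookies import SimpleCookie

# Constructed in-memory session store (assumption): secure session id -> user record.
SESSIONS = {"s3cr3t-session-id": {"user": "alice"}}


def login_cookies(session_id: str, display_name: str) -> list:
    """Set-Cookie header values issued after a successful HTTPS login.

    The real session token ('sid', an assumed name) is Secure + HttpOnly, so
    the browser never sends it over plain HTTP and page scripts cannot read it.
    The logged-in flag ('flag') carries only a harmless display name and is
    deliberately not Secure, so HTTP pages can render the logged-in look.
    """
    c = SimpleCookie()
    c["sid"] = session_id
    c["sid"]["secure"] = True
    c["sid"]["httponly"] = True
    c["sid"]["samesite"] = "Lax"
    c["sid"]["path"] = "/"
    c["flag"] = display_name
    c["flag"]["path"] = "/"
    return [morsel.OutputString() for morsel in c.values()]


def evaluate_request(scheme: str, cookie_header: str, sensitive: bool) -> dict:
    """Apply the two-session rule to one request.

    scheme is 'http' or 'https', cookie_header is the raw Cookie header value,
    sensitive says whether the action needs a real authenticated session.
    Returns 'status' (allow/deny/reject), 'reason' and, if the secure session
    was accepted, 'user'.
    """
    c = SimpleCookie()
    c.load(cookie_header)
    sid = c["sid"].value if "sid" in c else None
    flag = c["flag"].value if "flag" in c else None

    # A session token arriving on plaintext means the Secure flag was not
    # honoured or the token leaked: refuse it and mark it for revocation
    # rather than quietly treating the user as logged in.
    if scheme != "https" and sid is not None:
        return {"status": "reject", "reason": "session token on plaintext channel", "revoke": sid}
    if sensitive:
        if scheme != "https" or sid not in SESSIONS:
            return {"status": "deny", "reason": "sensitive action needs the secure session"}
        return {"status": "allow", "reason": "secure session", "user": SESSIONS[sid]["user"]}
    # Non-sensitive page: the flag only personalises the page and proves nothing,
    # so it never yields a 'user' and never unlocks data.
    return {"status": "allow", "reason": "public page", "greeting": flag}
```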
The groups marked with are run by the Session team and are also present as suggestions in the app itself. The rest of the groups are run by various community members.

If you want to add your open groups here, announce the group link in the Session General Chat; any moderator will add it to this list.

Note: Share your open group with the community if you want people to join. You can host more than one Open group (room) on a VPS.

Contact :