weixin_33724570 2016-01-15 13:26 Acceptance rate: 0%
Views: 64

Logging in from HTTP to HTTPS

My website is, by default, on HTTP. I do have a certificate that enables HTTPS, but only certain areas on it force a secure connection.

The login is processed via Ajax, and I want to start using SSL on that, even if the request is coming from HTTP.

I tried forcing the address for the request to have HTTPS, and it replies perfectly. However, on the ajax callback, it seems like the session was never set, despite the reply being ok.

If the request comes from HTTPS, everything goes smoothly.

Why does this happen?

I can understand why an HTTPS to HTTP request is denied by the browser, but the reverse situation (HTTP to HTTPS) has a peculiar result, to say the least, since the browser doesn't throw any kind of error. The session simply doesn't seem to have ever been started after the Ajax request is done, despite all the data coming from the reply telling me it was.


1 answer

  • weixin_33693070 2016-01-15 13:33

    Your login system is likely to be based on session information and/or a cookie.

    A cookie set via HTTPS and flagged as secure (see section 4.2.2 Set-Cookie Syntax) cannot be read on HTTP, for security reasons.

    Therefore, what's likely happening in your system is that your users are authenticated via HTTPS and they will be logged in as long as they keep using HTTPS. On HTTP, the session will not exist.

    You should either not flag that specific cookie as secure or switch your entire site to HTTPS (recommended option). As of 2016, it doesn't really make any sense to have only certain pages of a website under HTTPS if you already have your site listening to HTTPS.

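The behaviour the answer describes can be reproduced with Python's standard `http.cookiejar`, which applies the same rule a browser does: a cookie carrying the `Secure` attribute is stored after an HTTPS login but withheld from any later plain-HTTP request. This is an added example, not code from the question or the answer; the host `www.example.com`, the cookie name `sid`, and the `/login` and `/dashboard` paths are constructed for the demonstration.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class FakeResponse:
    """Minimal stand-in for the urllib response object that
    CookieJar.extract_cookies() reads Set-Cookie headers from."""

    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for header in set_cookie_headers:
            self._msg["Set-Cookie"] = header

    def info(self):
        return self._msg


def login_and_probe(set_cookie_header, login_url, followup_url):
    """Store the cookie issued by the (simulated) login response, then
    build the follow-up request and return the Cookie header the jar
    attaches to it, or None if the jar withheld the cookie."""
    jar = CookieJar()  # default policy: Secure cookies only over https/wss

    # 1. The Ajax login call: the server answers with a Set-Cookie header.
    login_request = Request(login_url)
    jar.extract_cookies(FakeResponse([set_cookie_header]), login_request)

    # 2. The next request from the site (e.g. the page after login).
    followup = Request(followup_url)
    jar.add_cookie_header(followup)
    return followup.get_header("Cookie")


if __name__ == "__main__":
    SECURE = "sid=abc123; Path=/; Secure; HttpOnly"  # constructed sample
    LOGIN = "https://www.example.com/login"
    # Same site over HTTPS: the session cookie travels with the request.
    print(login_and_probe(SECURE, LOGIN, "https://www.example.com/dashboard"))
    # Same site over HTTP: the jar sends nothing, so the server sees no session.
    print(login_and_probe(SECURE, LOGIN, "http://www.example.com/dashboard"))
```

Dropping the `Secure` attribute (the answer's first option) makes the cookie appear on the HTTP request as well, at the cost of exposing the session identifier on the wire; moving the whole site to HTTPS (the answer's recommended option) keeps the flag and removes the mixed-scheme problem.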
