Security of HTTP based authentication

Leo Lapworth leo at
Wed Jan 12 07:41:39 GMT 2011

On 12 January 2011 07:26, Zbigniew Lukasiak <zzbbyy at> wrote:

> From :
> "a large number of websites, although using encrypted HTTPS
> communication for user authentication (i.e. the login page),
> subsequently send session cookies and other data over ordinary,
> unencrypted HTTP connections for performance reasons. Attackers can
> therefore easily intercept the cookies of other users and impersonate
> them on the relevant websites"
> So what is the current 'state of art' solution - all application data
> through HTTPS and only images via HTTP?

We set 2 cookies, https (session only) and http (x days)

- allows viewing of sensitive information
- updating of any account information
- must login each session
- ALL page content is https (e.g. images/js/css as well), we do not mix with

/account/ and actually the rest of /
- User object available on every page... but restricted...
- Only has basic viewing of non-sensitive information
- Can actually update some VERY mundane information - saved items (we do not
have a shopping basket so this couldn't pollute an order)
- Lets users get on with 80% of stuff without having to login each time
(works for our specific scenario).

Hope that helps
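The two-cookie scheme described in the reply above, as an added example in Python (not code from the original post or from any project on this list): the cookie names, the 30-day lifetime standing in for "x days", the path and the in-memory session store are all assumptions.

```python
from http.cookies import SimpleCookie

SECURE_COOKIE = "sess_https"    # assumed name: session-only, sent by the browser only over TLS
PLAIN_COOKIE = "sess_http"      # assumed name: long-lived, sent over plain http as well
PLAIN_MAX_AGE = 30 * 24 * 3600  # "x days": 30 is a placeholder value


def login_cookies(https_token: str, http_token: str) -> list:
    """Return the two Set-Cookie header values issued at (https) login."""
    c = SimpleCookie()
    c[SECURE_COOKIE] = https_token
    c[SECURE_COOKIE]["secure"] = True     # never sent on http://, so not exposed to a sniffer
    c[SECURE_COOKIE]["httponly"] = True
    c[SECURE_COOKIE]["path"] = "/"        # no Max-Age/Expires: dies with the browser session
    c[PLAIN_COOKIE] = http_token
    c[PLAIN_COOKIE]["httponly"] = True
    c[PLAIN_COOKIE]["path"] = "/"
    c[PLAIN_COOKIE]["max-age"] = PLAIN_MAX_AGE
    return [m.OutputString() for m in c.values()]


def privilege(scheme: str, cookie_header: str, sessions: dict) -> str:
    """Decide what a request may do from its URL scheme and Cookie header.

    sessions maps token -> user id (constructed stand-in for a session store).
    The https token is only honoured on a TLS connection: if it ever shows up
    on http:// it has already leaked or been replayed, so it buys nothing there.
    """
    c = SimpleCookie()
    c.load(cookie_header)
    https_tok = c[SECURE_COOKIE].value if SECURE_COOKIE in c else None
    http_tok = c[PLAIN_COOKIE].value if PLAIN_COOKIE in c else None
    if scheme == "https" and https_tok in sessions:
        return "full"        # sensitive viewing, account updates (/account/)
    if http_tok in sessions:
        return "restricted"  # mundane updates only, e.g. saved items
    return "anonymous"
```

A plain-http token captured on the wire therefore only ever grants the "restricted" level, which is the point of keeping the two cookies separate.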

