Security of HTTP based authentication

Zbigniew Lukasiak zzbbyy at gmail.com
Thu Jan 13 13:28:04 GMT 2011


On Wed, Jan 12, 2011 at 8:41 AM, Leo Lapworth <leo at cuckoo.org> wrote:
> On 12 January 2011 07:26, Zbigniew Lukasiak <zzbbyy at gmail.com> wrote:
>
>> From http://en.wikipedia.org/wiki/HTTP_cookie#Cookie_hijacking :
>>
>> "a large number of websites, although using encrypted HTTPS
>> communication for user authentication (i.e. the login page),
>> subsequently send session cookies and other data over ordinary,
>> unencrypted HTTP connections for performance reasons. Attackers can
>> therefore easily intercept the cookies of other users and impersonate
>> them on the relevant websites"
>>
>> So what is the current 'state of art' solution - all application data
>> through HTTPS and only images via HTTP?
>>
>
> We set 2 cookies, https (session only) and http (x days)
>
> /account/secure/...
> - HTTPS
> - allows viewing of sensitive information
> - updating of any account information
> - must login each session
> - ALL page content is https (e.g. images/js/css as well), we do not mix with
> HTTP
>
> /account/ and actually the rest of /
> - HTTP
> - User object available on every page... but restricted...
> - Only has basic viewing of non-sensitive information
> - Can actually update some VERY mundane information - saved items (we do not
> have a shopping basket so this couldn't pollute an order)
> - Lets users get on with 80% of stuff without having to login each time
> (works for our specific scenario).
>
> Hope that helps

Thanks!

To add some more context to my question - I am now analyzing what kind
of authentication models I should support - that is write some
exploratory code to check that they are more or less easily realizable
- in WebNano.  So what I am looking for are the more universal ways.
But I am also thinking about what I should use in Nblog - to make it a
finished product.

After your reply and some more research I think I'll settle with the 3
levels model:

1. HTTP without auth
2. HTTP with auth
3. HTTPS with auth

At level 2 someone could also implement additional checks - like
including from time to time an empty image via HTTPS to auth the
unencrypted session with the secure cookie, tie the session to IP,
etc. - but for now I just want to get the overall model right.

You wrote that you don't send images via HTTP on a HTTPS page - what
are the reasons for that?

Cheers,
Zbigniew
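The two-cookie split Leo describes and the three-level model in the reply, as an added example that is not part of the thread (it is neither WebNano nor Nblog code): a Python model of what the HTTPS login page sets, what a browser will send back over each scheme, and the authorization decision for each level. The token format, the `/account/secure` prefix, the cookie names and the secret are assumptions made for the example.

```python
"""Model of the two-cookie scheme: a Secure, session-only cookie scoped to
/account/secure, and a long-lived non-Secure cookie for everything else.
Constructed for illustration; not the code of any project in the thread."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Hypothetical server-side key, constructed for this example only.
SECRET = b"example-key-not-for-production"


def sign(body: str) -> str:
    return hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()


def make_token(user: str) -> str:
    """Assumed token layout: user:nonce:hmac. The nonce makes every login distinct."""
    body = f"{user}:{secrets.token_hex(8)}"
    return f"{body}:{sign(body)}"


def verify_token(token: str):
    """Return the user name if the MAC checks out, else None."""
    try:
        user, nonce, mac = token.split(":")
    except ValueError:
        return None
    return user if hmac.compare_digest(sign(f"{user}:{nonce}"), mac) else None


def login_headers(user: str, remember_days: int = 30):
    """Set-Cookie values the HTTPS login page issues: one Secure session cookie
    for /account/secure, one plain cookie (x days) for the rest of the site."""
    secure = SimpleCookie()
    secure["ssess"] = make_token(user)
    secure["ssess"]["secure"] = True
    secure["ssess"]["httponly"] = True
    secure["ssess"]["path"] = "/account/secure"
    weak = SimpleCookie()
    weak["sess"] = make_token(user)
    weak["sess"]["httponly"] = True
    weak["sess"]["path"] = "/"
    weak["sess"]["max-age"] = remember_days * 86400
    return [secure["ssess"].OutputString(), weak["sess"].OutputString()]


class BrowserJar:
    """Only the browser rules that matter here: a Secure cookie is never sent
    over plain http, and a cookie is only sent to paths under its Path."""

    def __init__(self):
        self.morsels = {}

    def store(self, set_cookie: str):
        c = SimpleCookie()
        c.load(set_cookie)
        for name, m in c.items():
            self.morsels[name] = m

    def cookie_header(self, scheme: str, path: str) -> str:
        sent = []
        for name, m in self.morsels.items():
            if m["secure"] and scheme != "https":
                continue  # the Secure cookie is never exposed on the wire in clear
            if not path.startswith(m["path"] or "/"):
                continue
            sent.append(f"{name}={m.value}")
        return "; ".join(sent)


def authorize(path: str, scheme: str, cookie_header: str):
    """Return (level, user): 1 = HTTP without auth, 2 = HTTP with auth,
    3 = HTTPS with auth. Level 3 is only granted by the Secure cookie, so a
    cookie captured from an HTTP request can never unlock /account/secure."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if path.startswith("/account/secure"):
        if scheme != "https":
            return ("redirect-to-https", None)
        user = verify_token(jar["ssess"].value) if "ssess" in jar else None
        return (3, user) if user else ("login-required", None)
    user = verify_token(jar["sess"].value) if "sess" in jar else None
    return (2, user) if user else (1, None)


if __name__ == "__main__":
    jar = BrowserJar()
    for h in login_headers("alice"):
        jar.store(h)
    for scheme, path in [("http", "/"), ("https", "/account/secure/x"),
                         ("http", "/account/secure/x")]:
        sent = jar.cookie_header(scheme, path)
        print(scheme, path, "->", sent, authorize(path, scheme, sent))
```

Running the block shows that a plain-HTTP request to `/` carries only `sess`, which buys level 2 and nothing more; the same cookie replayed to `/account/secure` over HTTPS still gets a login prompt, which is the whole point of keeping the second cookie Secure and session-only.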

