Security of HTTP based authentication
Leo Lapworth
leo at cuckoo.org
Thu Jan 13 13:32:28 GMT 2011
On 13 January 2011 13:28, Zbigniew Lukasiak <zzbbyy at gmail.com> wrote:
> On Wed, Jan 12, 2011 at 8:41 AM, Leo Lapworth <leo at cuckoo.org> wrote:
>
> > We set 2 cookies, https (session only) and http (x days)
> >
> > /account/secure/...
> > - HTTPS
> > - allows viewing of sensitive information
> > - updating of any account information
> > - must login each session
> > - ALL page content is https (e.g. images/js/css as well), we do not mix
> with
> > HTTP
> >
> > /account/ and actually the rest of /
> > - HTTP
> > - User object available on every page... but restricted...
> > - Only has basic viewing of non-sensitive information
> > - Can actually update some VERY mundane information - saved items (we do
> not
> > have a shopping basket so this couldn't pollute an order)
> > - Lets users get on with 80% of stuff without having to login each time
> > (works for our specific senario).
> >
> > Hope that helps
>
> You wrote that you don't send images via HTTP on a HTTPS page - what
> are the reasons for that?
>
Some browsers pop-up alerts if you have mixed HTTP/HTTPS on a page
Leo
More information about the london.pm
mailing list