Security of HTTP based authentication
Ash Berlin
ash_cpan at firemirror.com
Fri Jan 14 13:13:28 GMT 2011
On 14 Jan 2011, at 13:04, David Precious wrote:
> On Thu, 2011-01-13 at 14:09 +0000, Andrew Black wrote:
>> I have often wondered about that - what is the risk in mixing HTTP
>> images and HTTPS text?
>
> One reason could be that if the web app didn't include 'secure' in the
> Set-Cookie header, the session cookie could be sent in the clear for the
> image requests too, assuming they're requested from the same domain as
> the rest of the page.
>
> Of course, marking the cookie as secure (to be sent only over HTTPS
> requests) would take care of that, as would requesting images from a
> different domain as often seen (ebaystatic.com etc).
The other reason for using another domain (or multiple domains) for serving static content is that browsers will only open a fixed (4? 6?) number of concurrent connections to a single domain - by putting static content on another domain you get higher parallelism.
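An added illustration of David's point, not code from this thread or from any of the posters: a small model of the browser's cookie-sending rules (RFC 6265 domain, path and Secure matching; Expires, Max-Age and SameSite are deliberately left out) run against constructed Set-Cookie headers for a fictional host `shop.example` and a fictional static host `static-example.net`. It shows a session cookie set without `Secure` riding along on a plain-HTTP image request to the same host, the same cookie staying home once `Secure` is set, and no cookies at all going to a separate static domain.

```python
"""
Added example (not from the london.pm thread): a model of how a browser decides
which cookies to attach to a request.  It demonstrates why a session cookie set
without 'Secure' leaks onto http:// image requests to the same host, and why
'Secure' (or a separate static host) prevents that.  All header values and host
names below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # lower-case, without a leading dot
    path: str
    secure: bool
    http_only: bool
    host_only: bool   # True when no Domain attribute was given (exact-host cookie)


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse one Set-Cookie header value roughly as a browser does.

    Only Domain, Path, Secure and HttpOnly are interpreted; other attributes
    are ignored in this model.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    domain, path, secure, http_only, host_only = request_host.lower(), "/", False, False, True
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "domain" and val:
            domain, host_only = val.lower().lstrip("."), False
        elif key == "path" and val.startswith("/"):
            path = val
        elif key == "secure":
            secure = True
        elif key == "httponly":
            http_only = True
    return Cookie(name.strip(), value.strip(), domain, path, secure, http_only, host_only)


def domain_matches(request_host: str, cookie: Cookie) -> bool:
    """Host-only cookies need an exact host; Domain cookies also cover subdomains."""
    request_host = request_host.lower()
    if cookie.host_only:
        return request_host == cookie.domain
    return request_host == cookie.domain or request_host.endswith("." + cookie.domain)


def cookies_sent(jar: List[Cookie], url: str) -> List[str]:
    """Names of the cookies a browser would attach to a request for `url`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    is_https = parts.scheme == "https"
    sent = []
    for c in jar:
        if not domain_matches(host, c):
            continue
        if not path.startswith(c.path):
            continue
        if c.secure and not is_https:
            continue      # the Secure attribute is what keeps the cookie off plain HTTP
        sent.append(c.name)
    return sent


def cookies_missing_secure(set_cookie_headers: List[str], request_host: str) -> List[str]:
    """Audit helper: names of cookies that were set without the Secure attribute."""
    jar = (parse_set_cookie(h, request_host) for h in set_cookie_headers)
    return [c.name for c in jar if not c.secure]


# Constructed response headers, as received after an HTTPS login to shop.example.
SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",              # the weak setting: no Secure
    "session_ok=def456; Path=/; Secure; HttpOnly",   # the corrected setting
    "prefs=dark; Domain=.shop.example; Path=/",
]
JAR = [parse_set_cookie(h, "shop.example") for h in SET_COOKIE_HEADERS]


if __name__ == "__main__":
    print("set without Secure:", cookies_missing_secure(SET_COOKIE_HEADERS, "shop.example"))
    # Plain-HTTP image on the same host: the non-Secure session cookie goes with it.
    print("http image, same host:  ", cookies_sent(JAR, "http://shop.example/img/logo.png"))
    # Same image over HTTPS: every matching cookie is sent.
    print("https image, same host: ", cookies_sent(JAR, "https://shop.example/img/logo.png"))
    # Image on a separate static host: no cookies at all, whatever the scheme.
    print("http image, static host:", cookies_sent(JAR, "http://static-example.net/img/logo.png"))
```

Run it and compare the first two lines: `session` appears in the plain-HTTP request, `session_ok` only in the HTTPS one, and the static-host request carries nothing, which is the effect of the three mitigations David lists.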