Security of HTTP based authentication

Dave Hodgkinson davehodg at gmail.com
Fri Jan 14 13:53:35 GMT 2011


On 14 Jan 2011, at 13:13, Ash Berlin wrote:

> On 14 Jan 2011, at 13:04, David Precious wrote:
>> On Thu, 2011-01-13 at 14:09 +0000, Andrew Black wrote:
>>> I have often wondered about that - what is the risk in mixing HTTP
>>> images and HTTPS text? 
>> 
>> One reason could be that if the web app didn't include 'secure' in the
>> Set-Cookie header, the session cookie could be sent in the clear for the
>> image requests too, assuming they're requested from the same domain as
>> the rest of the page.
>> 
>> Of course, marking the cookie as secure (to be sent only over HTTPS
>> requests) would take care of that, as would requesting images from a
>> different domain as often seen (ebaystatic.com etc).
> 
> 
> The other reason for using another domain (or multiple domains) for serving static content is that browsers will only open a fixed (4? 6?) number of concurrent connections to a single domain - by putting static content on another domain you get higher parallelism.

Looking at Firebug suggests 2 connections in Firefox.
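A worked illustration of the cookie leak David describes above (an added example, not code from anyone in this thread): a small cookie jar that applies the host, path and Secure rules a browser uses when deciding which cookies to attach to a request, run over a constructed HTTPS page that embeds images over plain HTTP. The host names `shop.example` and `static.example`, the cookie values and the helper names (`CookieJar`, `cookies_leaked_over_http`, `audit_set_cookie_headers`) are all made up for the demonstration.

```python
"""Model which cookies a browser attaches to mixed-content subresource requests.

Constructed example: a page served over HTTPS sets two cookies, one with the
Secure attribute and one without, then embeds images over plain HTTP. The jar
below follows the host/path/Secure rules a browser applies per request.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse a Set-Cookie header value into a dict of name, value and attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(),
              "path": "/", "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key in ("secure", "httponly"):
            cookie[key] = True          # flag attributes carry no value
        elif key == "path":
            cookie["path"] = val.strip() or "/"
        elif key == "domain":
            cookie["domain"] = val.strip().lower().lstrip(".")
    return cookie


class CookieJar:
    """Minimal jar: stores cookies per host and decides what to send per URL."""

    def __init__(self):
        self.cookies = []

    def store(self, response_url, set_cookie_header):
        cookie = parse_set_cookie(set_cookie_header)
        # Host-only cookie unless an explicit Domain= attribute was given.
        cookie.setdefault("domain", urlsplit(response_url).hostname)
        self.cookies.append(cookie)

    def cookies_for(self, url):
        """Names of the cookies a browser would attach to a request for url."""
        parts = urlsplit(url)
        sent = []
        for c in self.cookies:
            host_ok = (parts.hostname == c["domain"]
                       or parts.hostname.endswith("." + c["domain"]))
            path_ok = (parts.path or "/").startswith(c["path"])
            # A Secure cookie is only ever sent over https; others go anywhere.
            scheme_ok = parts.scheme == "https" or not c["secure"]
            if host_ok and path_ok and scheme_ok:
                sent.append(c["name"])
        return sent


def cookies_leaked_over_http(jar, subresource_urls):
    """Map each http:// subresource to the cookie names it would carry in the clear."""
    leaks = {}
    for url in subresource_urls:
        if urlsplit(url).scheme == "http":
            names = jar.cookies_for(url)
            if names:
                leaks[url] = names
    return leaks


def audit_set_cookie_headers(headers):
    """Names of cookies set without the Secure attribute (the ones worth fixing)."""
    return [parse_set_cookie(h)["name"] for h in headers
            if not parse_set_cookie(h)["secure"]]


# Constructed sample: an HTTPS page and the Set-Cookie headers it returned.
PAGE_URL = "https://shop.example/account"
SET_COOKIE_HEADERS = [
    "session=7f3a9c; Path=/; HttpOnly",          # no Secure attribute
    "prefs=dark; Path=/; Secure",
]
MIXED_CONTENT = [
    "http://shop.example/images/logo.png",       # same host, plain HTTP
    "http://static.example/images/banner.png",   # separate static host
    "https://shop.example/images/cart.png",      # not mixed content
]


def demo():
    jar = CookieJar()
    for header in SET_COOKIE_HEADERS:
        jar.store(PAGE_URL, header)
    return cookies_leaked_over_http(jar, MIXED_CONTENT)


if __name__ == "__main__":
    for url, names in demo().items():
        print(f"{url} would carry cookies in the clear: {', '.join(names)}")
    print("Set-Cookie headers without Secure:", audit_set_cookie_headers(SET_COOKIE_HEADERS))
```

Running it shows only the same-host HTTP image carrying the `session` cookie: the Secure-flagged `prefs` cookie stays home, and the image on the separate static host gets nothing at all, which is the two mitigations the thread names.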

