Switching Between Http and Https Pages with Secure Session-Cookie

  • Home
  • Languages
  • PHP
  • Switching Between Http and Https Pages with Secure Session-Cookie

Secure cookies and mixed https/http site usage

The solution you propose seems like it would work, as long as you don't mind non-authorized people being able to view the non-secure (http) part of the site 'as if they are logged in' - ie as long as the http part of the site does not contain any sensitive information, and the only difference between logged in and not-logged-in users is something harmless in the header.

The reason it is not used very often may be one of:

  • This scenario may just not be very common. Usually if you care enough to make part of your site secure, you'd restrict the login session just to that secure part, or you'd make the entire site always use HTTPS (like Paypal).
  • Pre-existing solutions exist which are secure and which are capable of more than this, for example logging in someone at an HTTPS login form and maintaining that session while transferring them back to HTTP. OpenID's an example. Also think flickr or gmail: their sign in page is always HTTPS, but once the session's started you migrate back to HTTP while maintaining the session securely.

Update (Aug 2014)

Since I wrote this back in 2009, the practice of having a secure connection for the login screen but dropping back to HTTP once logged in has all but disappeared.

The overhead of using HTTPS side-wide is not seen as much of a big deal anymore. The new SPDY protocol pioneered by Google (now evolved into HTTP/2) is supported cross-browser and by major web servers and improves HTTPS speed.

And lastly, privacy is seen as more important than ever, even for actions that aren't critical to the authentication, such as writing comments, uploading photos, and more.

Google has even said recently that sites which are HTTPS-only will start to benefit in search engine rankings.

Loosing cookie when swich from http to https

No, there isn't. The cookies are local to the domain, and the http and https pages are considered to be in different domains.

The https pages are encrypted, so sending the same cookies for a http request would leak that information, and compromise the encryption.


Related Topics

How to Change PHP's Eregi to Preg_Match

Strip Tags and Everything in Between

Case Insensitive Xpath Searching in PHP

Hide Variable Product Dropdown That Has a Unique Variation Selected by Default in Woocommerce

How to Regex-Replace Multiple <Br /> Tags with One <Br /> Tag

PHP Split Array into Smaller Even Arrays

How to Populate Dependable Drop-Down Using Ajax and PHP

Decode a Quoted Printable Message in PHP

Mysqli Binding Params Using Call_User_Func_Array

PHP - Plus Sign with Get Query

Routing Controllers in Subfolders Using Codeigniter

How to Get Primary Key of Table

Updating from MySQL to MySQLi

Laravel Tokenmismatchexception in Ajax Request

PHP See Only 20 Uploading Files at a Time

Get Text from <Option> Tag Using PHP

Can PHP's Glob() Be Made to Find Files in a Case Insensitive Manner

Get MySQL Query Results as Their Native Data Type


Leave a reply



Submit