I have a site which, after the initial login pages (in https), should redirect to an http site.
I have noticed the session cookie is not carried over between the https and http requests.
What would be a secure way to do this?
Right now, as an interim solution, I generate a one-time unique key to use the first time I move from https to http. This, after being verified, re-creates the user session.
Viewed 280 times
0

Itay Moav -Malimovka
- Mostly right the way you do it. http://stackoverflow.com/a/7244166/156775 – Nishant Nov 04 '13 at 18:08
- The cookie will be carried over if the secure flag is not set: https://www.owasp.org/index.php/SecureFlag . However, this is a step in the wrong direction, see @Aurand's answer (+1'd). – SilverlightFox Nov 05 '13 at 16:12
1 Answer
1
> What would be a secure way to do this?

There isn't one. At best you end up sending session tokens in the clear and are open to session hijacking. At worst, you expose the user to a MitM attack (even on the pages that both you and the user think are secure, as long as they got there from an http-only page).
Serve the entire site over HTTPS. The overhead isn't that high and it removes so many potential security pitfalls.

Aurand
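The two points raised above (the Secure flag is what keeps the cookie from being sent over http, per SilverlightFox's comment, and the answer's advice to serve everything over HTTPS) as an added, standard-library-only Python example. It is not code from the question or the answer: the WSGI app, the hostname `example.test`, the cookie name `sid`, and the HSTS value are all constructed for illustration.

```python
"""Added example (not from the original question or answer): a minimal WSGI app
that (1) marks the session cookie Secure/HttpOnly so a browser never attaches it
to a plain http request, and (2) answers every http request with a redirect to
https plus an HSTS header, i.e. "serve the entire site over HTTPS".
Hostname, cookie name and HSTS value are constructed sample values."""
from http import cookies
import secrets
from urllib.parse import urlunsplit

SESSION_COOKIE = "sid"                                # constructed cookie name
HSTS = "max-age=31536000; includeSubDomains"          # constructed HSTS policy


def session_cookie_header(session_id: str) -> str:
    """Build a Set-Cookie value with the attributes a session cookie should carry:
    Secure (https only), HttpOnly (no script access), SameSite, Path."""
    c = cookies.SimpleCookie()
    c[SESSION_COOKIE] = session_id
    c[SESSION_COOKIE]["secure"] = True
    c[SESSION_COOKIE]["httponly"] = True
    c[SESSION_COOKIE]["samesite"] = "Lax"
    c[SESSION_COOKIE]["path"] = "/"
    return c[SESSION_COOKIE].OutputString()


def browser_sends_cookie(set_cookie: str, scheme: str) -> bool:
    """Model the browser rule behind the question: a cookie carrying the Secure
    attribute is attached to https requests only; without it, it is sent on both."""
    c = cookies.SimpleCookie()
    c.load(set_cookie)
    morsel = next(iter(c.values()))
    return scheme == "https" or not morsel["secure"]


def request_scheme(environ) -> str:
    """Scheme the client used. X-Forwarded-Proto is honoured here on the
    assumption that a trusted TLS-terminating proxy sits in front of the app."""
    raw = environ.get("HTTP_X_FORWARDED_PROTO", environ.get("wsgi.url_scheme", "http"))
    return raw.split(",")[0].strip().lower()


def app(environ, start_response):
    """WSGI entry point: http -> 301 to the https URL; https -> issue the
    Secure session cookie and an HSTS header."""
    host = environ.get("HTTP_HOST", "example.test")   # constructed default host
    path = environ.get("PATH_INFO", "/")
    if request_scheme(environ) != "https":
        location = urlunsplit(("https", host, path, environ.get("QUERY_STRING", ""), ""))
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]
    sid = secrets.token_urlsafe(32)                    # fresh, unguessable session id
    headers = [("Content-Type", "text/plain"),
               ("Set-Cookie", session_cookie_header(sid)),
               ("Strict-Transport-Security", HSTS)]
    start_response("200 OK", headers)
    return [b"logged in over https\n"]


def call(environ):
    """Invoke the app without a server; returns (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    http_req = {"wsgi.url_scheme": "http", "HTTP_HOST": "example.test", "PATH_INFO": "/account"}
    https_req = {"wsgi.url_scheme": "https", "HTTP_HOST": "example.test", "PATH_INFO": "/account"}
    print(call(http_req))
    print(call(https_req))
    hdr = session_cookie_header("demo")
    print("sent over http:", browser_sends_cookie(hdr, "http"),
          "| sent over https:", browser_sends_cookie(hdr, "https"))
```

Dropping the Secure attribute would make the cookie "carry over" to the http pages, which is exactly the session-in-the-clear problem the answer describes; keeping it and redirecting http to https removes the mixed-scheme hop instead.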