4

I have read on some blog (sorry for not mentioning the reference but I can't find it anymore) that you will lose all your work on securing your site if you redirect a user from an https page to an http page.

So, could someone please explain to me if I am right or wrong here in the following scenario:

  • Is it right practice to use https on the login page and then redirect the user to the Admin Page over http, or will this create a security issue like Session Fixation hijacking, stealing the session, etc.?

  • Or must I keep the Admin Page also in https?

Another side of the question is: will https allow caching of static files?

I have read other articles here but I am still confused as some say 'yes' and some say 'no'; also some say it depends on browser.

Jonathan Leffler
DevMania

2 Answers

5

In your instance (in only securing the login page with HTTPS) while login details will be protected (e.g. username/password), your users will be susceptible to Session Hijacking.

Whether you use a mixture of HTTP/HTTPS or full HTTPS depends on your situation. Amazon, for instance, will use HTTPS for the login, but you'll browse the site with HTTP; as soon as you go to a sensitive area (Order details screen, change account/password details etc.) it switches to HTTPS and asks you to re-authenticate. Re-authenticating the user after switching from HTTP to HTTPS is the key to stop Session Hijacking because you're effectively issuing a new Session token. So if a user steals the session token, they still don't have your username/password and can't access your account section.

If the admin area is particularly sensitive then just HTTPS the whole thing. Google found the overhead from using full HTTPS was between 1-5% on the CPU, hardly anything basically.

As for caching static files on HTTPS I'm not sure, but this SO post suggests it'll cache as normal: "Will web browsers cache content over https".

Sunday Ironfoot
  • Man, really great answer and hint of an example like Amazon. Could you tell me how I can repatriate users when they go back to the HTTPS area like Amazon? – DevMania Aug 31 '11 at 01:02
1

Everything must be used with https. If you switch over to http, everybody can see the content being sent, which means those security issues you mentioned will emerge.

The reason is that you have to identify your client in order to assign access rights in your admin site. One possibility to do so, is sending back a token (some hash or whatever). Depending on the token you know if it's an authenticated client or not. But everybody else does see this token => security issue.

Of course you could use the previous https session to exchange a private key, and use it to encrypt your http stuff somehow. But this is a bad idea, since https does this much more conveniently.

duedl0r
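A small model of the two-tier session pattern the first answer describes (browse token over HTTP, fresh token only after re-authentication over HTTPS), replaying the token-exposure point the second answer makes. This is an added example, not code from either answerer; the host shop.example, the user names and the password_ok stand-in for real credential checking are constructed.

```python
import secrets
from urllib.parse import urlsplit

class SessionStore:
    """Two-tier sessions (the Amazon pattern from the first answer): a 'browse'
    token that travels over plain HTTP, and a separate 'secure' token minted
    only after re-authentication and carried in a Secure cookie."""
    def __init__(self):
        self.browse = {}  # browse token -> username
        self.secure = {}  # secure token -> username

    def login(self, user):
        """HTTPS login page: credentials stay private; a browse token is issued."""
        tok = secrets.token_urlsafe(32)
        self.browse[tok] = user
        return tok

    def elevate(self, browse_token, password_ok):
        """HTTPS re-auth when entering the sensitive area: issue a brand-new token, so a
        browse token sniffed over HTTP is useless here (password_ok is a stand-in)."""
        user = self.browse.get(browse_token)
        if user is None or not password_ok:
            return None
        tok = secrets.token_urlsafe(32)
        self.secure[tok] = user
        return tok

    def account_page(self, cookies):
        """Order/account screens accept only a secure-tier token."""
        user = self.secure.get(cookies.get("sid_secure"))
        return f"account of {user}" if user else "401 re-authenticate"

def cookies_sent(jar, url):
    """Browser rule: Secure cookies go only on https://; jar: name -> (value, secure)."""
    https = urlsplit(url).scheme == "https"
    return {n: v for n, (v, sec) in jar.items() if https or not sec}

def walkthrough():
    """Replays the question's scenario (constructed host and user): what an
    eavesdropper on the HTTP admin redirect sees, and what it buys them."""
    store = SessionStore()
    jar = {"sid": (store.login("alice"), False)}  # no Secure flag: travels over HTTP
    leaked = cookies_sent(jar, "http://shop.example/admin")  # sent in the clear
    jar["sid_secure"] = (store.elevate(leaked["sid"], True), True)  # Secure cookie
    return {
        "leaked": sorted(leaked),
        "attacker_view": store.account_page({"sid_secure": leaked["sid"]}),
        "secure_over_http": "sid_secure" in cookies_sent(jar, "http://shop.example/"),
        "https_view": store.account_page(cookies_sent(jar, "https://shop.example/account")),
    }
```

The walkthrough shows the browse cookie being the only thing exposed on the HTTP leg, and that presenting it to the account section yields a re-authentication demand rather than access.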