Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Secure cookies and mixed https/http site usage

Tags:

security

https

cookies

session

Lots of sites appear to support https but don't use secure cookies. I want to make my site use secure cookies but to allow for some content to be accessed using http instead.

A sensible way to do this appears to be to have a secure cookie for the real session, and a non-secure cookie which is just a flag to say if the user is logged in or not (to display different things in the header, like a logout link instead of a login link). This cookie wouldn't contain any "real" session information and is just so that the site can show pages slightly differently for logged-in users compared to logged-out ones on http portions of the site.

Having the whole site as https is another option but this appears to be quite a bit slower than plain http and so is not really ideal.

Why don't sites use this kind of set-up and have secure cookies? The possibility of cookie theft seems to make secure cookies a necessity nowadays. Is there a better way to achieve the same thing?

like image 820
David Gardner Avatar asked Apr 02 '09 09:04

David Gardner

People also ask

What is an HTTP cookie used for?

Typically, an HTTP cookie is used to tell if two requests come from the same browser—keeping a user logged in, for example. It remembers stateful information for the stateless HTTP protocol.

Can you mix http and https?

This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS.

What is the advantage of a secure cookie?

Since it is only used in storing information and used for hypertext transfer protocol requests and data over the internet, exploits and hacks made through scripting are unable to access them. So a secure cookie's main benefit is that it can stop theft through cross-site scripting (XSS).

Can cookies be shared between http and https?

Cookies can't be shared between domains so the http and https pages would need to be on thesame domain as a minimum (which would mean having your own dedicated IP address and security certificate for your domain.

1 Answers

The solution you propose seems like it would work, as long as you don't mind non-authorized people being able to view the non-secure (http) part of the site 'as if they are logged in' - ie as long as the http part of the site does not contain any sensitive information, and the only difference between logged in and not-logged-in users is something harmless in the header.

The reason it is not used very often may be one of:

  • This scenario may just not be very common. Usually if you care enough to make part of your site secure, you'd restrict the login session just to that secure part, or you'd make the entire site always use HTTPS (like Paypal).
  • Pre-existing solutions exist which are secure and which are capable of more than this, for example logging in someone at an HTTPS login form and maintaining that session while transferring them back to HTTP. OpenID's an example. Also think flickr or gmail: their sign in page is always HTTPS, but once the session's started you migrate back to HTTP while maintaining the session securely.

Update (Aug 2014)

Since I wrote this back in 2009, the practice of having a secure connection for the login screen but dropping back to HTTP once logged in has all but disappeared.

The overhead of using HTTPS side-wide is not seen as much of a big deal anymore. The new SPDY protocol pioneered by Google (now evolved into HTTP/2) is supported cross-browser and by major web servers and improves HTTPS speed.

And lastly, privacy is seen as more important than ever, even for actions that aren't critical to the authentication, such as writing comments, uploading photos, and more.

Google has even said recently that sites which are HTTPS-only will start to benefit in search engine rankings.

like image 176
thomasrutter Avatar answered Oct 11 '22 13:10

thomasrutter
Sign in to Comment

Related questions

Firebase 3.x - Token / Session Expiration
Using sessions & session variables in a PHP Login Script
How do check if a PHP session is empty?
PHP Session timeout
Why is PHP session_destroy() not working?
How to set session timeout dynamically in Java web applications?
Why is "Expires" 1981?
How long will my session last?
What is the difference between 'session' and 'cookieSession' middleware in Connect/Express?
Looping Through All a Server's Sessions in PHP
Passport login and persisting session
How to use session in JSP pages to get information?
ASP.NET: How to access Session from handler? [duplicate]
Detect if PHP session exists
How do I save value in my own session variable in Magento?
PHP Sessions with disabled cookies, does it work?
List all active ASP.NET Sessions
Any way to share session state between different applications in tomcat?
PHP sessions in a load balancing cluster - how?
C# Clear Session

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!