How to redirect from HTTPS to HTTP without annoying error messages

Question

I want to redirect users, after HTTPS login, to the HTTP pages on the site. Using HTTPS for the whole site is not going to happen.

What I have so far is the followi

Answer 1

I am considering black-listing IE6 so that only it gets the slow meta refresh and everyone else gets the fast 302.

I would do something like that. Also include a plain HTML link in the body for accessibility.

Note that some other browsers do give a similar warning about leaving an HTTPS site, but in their case it is accompanied by a (generally pre-ticked) “don't ask me again” button. So by the time they get to your site they will almost certainly have told that warning to disappear. This doesn't make the warning less pointless, but at least it alleviates the problem.

3. The secure server sends a 302 redirect to the client

You shouldn't 302 in response to POST. A theoretical browser that took the HTTP RFC seriously might respond to that by re-POSTing the form to the new URL. (Which, ironically, would make IE6's warning about information “being retransmitted to a nonsecure site” less misleading.) Instead use “303 See other”.