Secure popup login possible?

一生所求 2020-12-19 14:10

I have a login form that is hidden on every page and shows itself onClick when needed instead of setting off a new page request.

It has been brought to my attention

3 answers
  •  南笙 (original poster)
    2020-12-19 14:40

    If the initial request is being served by HTTP and you are using the same channel to provide "HTTPS" links/forms etc., an attacker will simply change that HTTPS to HTTP.

    This has been demonstrated by Firesheep.

    What you can do is serve the HTTPS form over HTTP but enable HTTP Strict Transport Security.

    Of course, I am assuming you are going to have a link like https://login.site.com which will be served by http://www.site.com ... this way you have to create an SSL certificate only for the sub-site / one virtual host.
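
An added example, not part of 南笙's answer: a small JavaScript model of how a browser applies HTTP Strict Transport Security (RFC 6797) to the www.site.com / login.site.com layout described above. The header values are constructed and policy expiry is not modelled.

```javascript
// Added example (not from the thread); header values are constructed, expiry is not modelled.

// Parse a Strict-Transport-Security value; returns null when max-age is missing or malformed.
function parseHsts(value) {
  const policy = { maxAge: null, includeSubDomains: false };
  for (const raw of String(value).split(';')) {
    const [name, arg = ''] = raw.split('=').map((s) => s.trim());
    const key = name.toLowerCase();
    if (key === 'max-age') {
      const digits = arg.replace(/^"(.*)"$/, '$1');
      if (policy.maxAge !== null || !/^\d+$/.test(digits)) return null;
      policy.maxAge = Number(digits);
    } else if (key === 'includesubdomains') {
      policy.includeSubDomains = true;
    }
  }
  return policy.maxAge === null ? null : policy;
}

// Update the browser's HSTS store: headers over plain HTTP are ignored, max-age=0 deletes.
function noteResponse(store, url, headerValue) {
  const { protocol, hostname } = new URL(url);
  const policy = protocol === 'https:' ? parseHsts(headerValue) : null;
  if (!policy) return store;
  if (policy.maxAge === 0) store.delete(hostname);
  else store.set(hostname, policy);
  return store;
}

// Would a plain-HTTP request for `host` be rewritten to HTTPS before leaving the browser?
function upgraded(store, host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length; i++) {
    const policy = store.get(labels.slice(i).join('.'));
    if (policy && (i === 0 || policy.includeSubDomains)) return true;
  }
  return false;
}

function demo() {
  const store = new Map();
  noteResponse(store, 'http://www.site.com/', 'max-age=31536000'); // ignored
  const afterHttp = upgraded(store, 'www.site.com');
  noteResponse(store, 'https://www.site.com/', 'max-age=31536000; includeSubDomains');
  const afterWww = upgraded(store, 'login.site.com'); // login is not under www
  noteResponse(store, 'https://login.site.com/', 'max-age=31536000');
  return { afterHttp, afterWww, afterLogin: upgraded(store, 'login.site.com') };
}
console.log(demo());
```

In this model the header only takes effect once a response has arrived over HTTPS, and a policy set on www.site.com does not extend to login.site.com; the login host has to send its own header, or the parent site.com has to send one with includeSubDomains.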
