When a page delivers secure and non-secure items over https, are the secure items compromised?

Question

I\'m not 100% sure that I\'m using the correct terminology or if I\'m leaving out information that is required to answer. So please be patient with me.

My client wan

Answer 1

If you identify your user based on a cookie, e.g. using a standard SessionId, then you are vulnerable, even if only referencing static images.

By default, the user's browser will resend the session cookie for each request to the same host, irrelevant of protocol. I.e. you securely authenticated your user using HTTPS on your login form, and ensure to continue using HTTPS for all sensitive pages...
However, you also include "non-sensitive" images over HTTP... the user's browser will happily send the sensitive session cookie over non-encrypted, non-secure, plain-text HTTP, when requesting those images.
Then it's just a matter of grabbing that cookie from HTTP, and impersonating your users back on the secure part of the site.

Note, this is by default. You CAN change this behavior, by adding the secure; attribute to your cookies. Depending on your framework, you can configure it to happen automatically. Again, this is not the default, you have to explicitly change it.
And while you're at it, add the httpOnly; attribute too.