After login, should all pages be https?

Backend | Unresolved | 4 | 1375
醉梦人生 2021-02-02 16:44

This will be a bit difficult to explain but I will try my best.

There is a website that has the login form on every page with username/password fields. These pages a

4 answers
  • 2021-02-02 16:50

    According to the OWASP Top 10, at no point can an authenticated session ID be used over HTTP. So if you create a session over HTTP and that session then becomes authenticated, you have violated the OWASP Top 10 and you are allowing your users to be susceptible to attack.

    I recommend setting the Secure flag on your cookie. This is a terrible name for this feature, but it forces cookies to be HTTPS-only. This shouldn't be confused with "HttpOnly cookies", which is a different flag that is helpful at mitigating the impact of XSS.

    To make sure your users are safe, I would force the use of HTTPS all of the time. SSL is a very lightweight protocol; if you run into resource problems, then consider chaining your HTTPS policies.

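A worked illustration of the two cookie flags and the always-HTTPS policy this answer recommends, added here as an editor's example (it is not code from the answer or from any project); the cookie name, value and URLs are constructed samples, and the redirect handler is a minimal model of what a real server would do:

```python
"""Session-cookie hardening and HTTP-to-HTTPS redirect, illustrating the answer above."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a Set-Cookie header as a server might emit it without hardening.
WEAK_HEADER = "SESSIONID=abc123; Path=/"


def build_session_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Return a Set-Cookie header value carrying the Secure and HttpOnly flags.

    Secure: the browser sends the cookie only over HTTPS (the badly named flag
    from the answer), so a session created or authenticated over TLS never leaks
    onto plain HTTP. HttpOnly: page scripts cannot read it, which limits what an
    XSS bug can steal. SameSite=Lax additionally blocks most cross-site sends.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    cookie[name]["path"] = "/"
    cookie[name]["max-age"] = max_age
    cookie[name]["secure"] = True
    cookie[name]["httponly"] = True
    cookie[name]["samesite"] = "Lax"
    return cookie[name].OutputString()


def audit_set_cookie(header: str) -> list:
    """Return the hardening attributes missing from a Set-Cookie header value.

    Useful as a check over a server's actual responses: an empty list means the
    session cookie cannot be sent over HTTP or read by script.
    """
    attrs = {part.strip().split("=")[0].lower() for part in header.split(";")[1:]}
    return [flag for flag in ("secure", "httponly", "samesite") if flag not in attrs]


def https_redirect(url: str) -> tuple:
    """Model of 'force HTTPS all of the time' for one request URL.

    A request that arrived over plain HTTP gets a 301 to its HTTPS twin; a
    request that is already HTTPS is served, with an HSTS header telling the
    browser to stay on HTTPS for future visits. Returns (status, headers).
    """
    parts = urlsplit(url)
    if parts.scheme == "https":
        return 200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    secure = urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
    return 301, {"Location": secure}
```

`audit_set_cookie` is deliberately strict: a cookie that merely lacks `SameSite` is reported too, since the answer's point is that the session token must never travel in a context you did not intend.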
  • 2021-02-02 16:51
    1. Yes. If the action URL is https, the form data is encrypted.
    2. Because of #1 you don't have to make the page https, but you may get mixed content warnings. And of course, a man-in-the-middle attacker could manipulate the login page to point to a different action URL.
    3. This is a decision for you to make. Clearly, any data transmitted over HTTP, whether cookies (including session cookies) or user data, can be intercepted and manipulated.
    4. Again, this is a trade-off based on performance and security.
  • 2021-02-02 17:01

    In addition to what The Rook says, submitting a form from http to https is a risk for a couple of reasons:

    1. There is no "lock" icon on the page where people type in their username and password, so they have no way of knowing that their details are encrypted (except by "trusting you").
    2. If someone hijacked your page, your users would have no way to know that they're about to type in their username and password and be redirected to a malicious page (this is somewhat of a corollary to #1).

    This is a much simpler attack than http cookie interception, so it's actually an even bigger risk...

    But The Rook's point is important: you should never mix http and https traffic. On our websites, as soon as you're logged in, everything is https from that point on.

  • 2021-02-02 17:11

    Apart from the previous answers, since people tend to want to go from HTTPS to HTTP for performance reasons, this article about HTTPS at Google might be of interest. Its main message is:

    SSL/TLS is not computationally expensive any more.
