Login from HTTP to HTTPS

2020-04-17 04:37发布

My website is, by default, on HTTP. I do have a certificate that enables HTTPS, but only certain areas on it force a secure connection.

The login is processed via Ajax, and I want to start using SSL on that, even if the request is coming from HTTP.

I tried forcing the address for the request to have HTTPS, and it replies perfectly. However, on the ajax callback, it seems like the session was never set, despite the reply being ok.

If the request comes from HTTPS, everything goes smoothly.

Why does this happen?

I can understand why a HTTPS to HTTP request is denied by the browser, but the reverse situation (HTTP to HTTPS) has a peculiar result, to say the least, since the browser doesn't throw any kind of error. The session simply doesn't seem to have never been started after the Ajax request is done, despite all the data coming from the reply telling me it was.

1条回答
放我归山
2楼-- · 2020-04-17 05:31

You login system is likely to be based on a session information and/or a cookie.

Cookie set via HTTPS and flagged as secure (see section 4.2.2 Set-Cookie Syntax) cannot be read on HTTP, for security reasons.

Therefore, what's likely happening in you system, is that your users are authenticated via HTTPS and they will be logged in as long as they keep using HTTPS. On HTTP, the session will not exist.

You should either not flag that specific cookie as secure or switch your entire site to HTTPS (recommended option). As of 2016, it doesn't really make any sense to have only certain pages of a website under HTTPS if you already have your site listening to HTTPS.

查看更多
登录 后发表回答