![]() ![]() Here's a simple Javascript solution that I came up with that sets a site-wide, insecure cookie based off of the secure cookies that are already set.įirst, I grabbed some javascript cookie functions.Tutorials install Session - Private Messenger Download for PC Windows 10/8/7 – Method 1: htaccess file hack, but I digress) to correct any HTTP resource links, just to be able to have a message in the header say "Welcome 'YourName'", but that just seems like overkill. Sure, I could purchase an SSL and go through the process of debugging two, third-party vendors, as well as doing a search and replace on our entire database (or an. (I'm guessing it's pulling in resources from HTTP domains, but that's another problem for another day) We have 15 years worth of video content, and our current video management vendor breaks when a video is embedded in an SSL. My company uses a third party vendor to manage our store portion of our site, and that store resides on the subdomain " ". I was running into a similar scenario as Gardner. However, there are certainly unique cases where being able to pick and choose between HTTP and HTTPS could come in handy. ![]() ![]() I'm fully aware that the recommended practice is to just force SSL on the entire site. However, today it's mainly a question of balancing development and operational costs. A few years back this might not have been feasible mainly because of CDNs not providing HTTPS support. Seriously, make the whole site use HTTPS. If feasible, HTTPS should be used for every page of the application, including static content such as help pages, images, and so on. If HTTP cookies are being used to transmit tokens, these should be flagged as secure to prevent the user's browser from ever transmitting them over HTTP. Is there a better way to achieve the same thing?įrom The Web Application Hacker's Handbook: If you can also change settings like language and country from within both sessions it can get messy (to implement or use). This is easy enough as long as the logged-in-flag is the only state stored in the insecure session. storing credit cards for later use in a web shop), you might be better off restricting your whole site to HTTPS.Īnother reason can be usability concerns: With your proposed scheme you're effectively managing two concurrent sessions for a single user.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |