How do sites securely support HTTP (non-SSLed) sessions?

I note that some sites (e.g. gmail) allow the user to authenticate via https, and then switch to http using insecure cookies for the main use of the site.

How can I have http access to the session, but is it still safe? Or is it not safe, and that is why gmail makes it possible to protect the entire session using https?

Please provide an example of how this works and avoids attacks on session hijacking while maintaining access to authenticated content via http. I want to be able to implement such a scheme, if it is protected, in order to avoid the need to have the whole site as https for performance reasons.

+2
4 answers

As Tilo said, but I will explain a little further :)

Stateless web server! This is really an authentication problem. You can’t just log in and then say “from now on, this user is logged in” - you need to somehow determine which user is making the request this time.

The usual way to do this is to run sessions. If you capture the network traffic during login and then browse the site, you will usually notice something like this:

: . ! (SSL/HTTPS , "--" ).

: . cookie.

- , : . , . .

.. HTTP . , cookie- ( ) . - ( , , ), / , HTTPS. , ( : P). cookie , , cookie ( " " ).

, HTTPS. , , , :)

(, , cookie )

+2
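An added illustration of the split the question describes (not code from any answer on this page, and not GMail's implementation): after an HTTPS login the server issues one session cookie flagged Secure, which the browser never sends over plain HTTP, and a second unflagged cookie that does travel in the clear. The server-side session table, the cookie names and the two actions are constructed for the example; the browser behaviour modelled is only the Secure-flag rule.

```python
import secrets
from http.cookies import SimpleCookie

# Constructed server-side session table: session id -> (user, privilege level)
SESSIONS = {}

def login_over_https(user):
    """Called only after credentials were verified on an HTTPS request.
    Issues two session cookies:
      auth - Secure + HttpOnly: the browser only ever sends it over HTTPS
      view - HttpOnly only: also sent over plain HTTP, so it can be sniffed
    Only 'auth' is allowed to authorise state-changing actions."""
    auth_id, view_id = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    SESSIONS[auth_id] = (user, "full")
    SESSIONS[view_id] = (user, "read")
    jar = SimpleCookie()
    jar["auth"], jar["view"] = auth_id, view_id
    jar["auth"]["secure"] = True
    for name in ("auth", "view"):
        jar[name]["httponly"] = True
        jar[name]["path"] = "/"
    return jar

def cookies_sent_by_browser(jar, scheme):
    """Model of the browser rule that matters here: a cookie carrying the
    Secure attribute is never attached to an http:// request."""
    return {name: m.value for name, m in jar.items()
            if scheme == "https" or not m["secure"]}

def authorize(sent, scheme, action):
    """Server-side check. Returns the user if the action is allowed, else None.
    A read-only action accepts either cookie on either scheme; anything that
    changes state needs the Secure cookie, which can only arrive over HTTPS."""
    if action == "read_inbox":
        for name in ("auth", "view"):
            if name in sent and sent[name] in SESSIONS:
                return SESSIONS[sent[name]][0]
        return None
    if scheme != "https":
        return None
    entry = SESSIONS.get(sent.get("auth"))
    return entry[0] if entry and entry[1] == "full" else None

def exposed_in_cleartext(jar):
    """Which cookies a passive observer of the HTTP (not HTTPS) traffic sees."""
    return sorted(cookies_sent_by_browser(jar, "http"))
```

The view cookie still crosses the wire in the clear, so everything it can read is visible to anyone on the path, which is the point the answers above make; only running the whole session over HTTPS removes that exposure.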

, . ( ), cookie GMail HTTP.

, HTTPS (, , GMail).

+2

, HTTP - / . , , HTTP-cookie- ( , ); .

+1

. " ". , / , - .

SSL.

+1
