I have a site that has both HTTP and HTTPS pages.
I have tried the following to make cookies secure:
- Web.config
<httpCookies requireSSL="true" />with form authentication. - Forcing cookie to secure at
Application_End
In both case pages don't work with HTTP. I think above solution only works if all the pages use HTTPS.
How to resolved this puzzle?
I have a site that has both HTTP and HTTPS pages.
I have tried the following to make cookies secure:
- Web.config
<httpCookies requireSSL="true" />with form authentication. - Forcing cookie to secure at
Application_End
In both case pages don't work with HTTP. I think above solution only works if all the pages use HTTPS.
How to resolved this puzzle?
Share Improve this question edited Aug 3, 2013 at 2:41 Nikolai Samteladze 7,7976 gold badges46 silver badges71 bronze badges asked Aug 2, 2013 at 12:26 user1029468user1029468 311 silver badge5 bronze badges 1- 1 Is there a reason that you can't make all pages use HTTPS? – Brian Rogers Commented Aug 2, 2013 at 12:29
2 Answers
Reset to default 9The whole point of a cookie set as 'secure' is that it is only transmitted over https; the http pages will not receive a copy of it. From Wikipedia:
A secure cookie has the secure attribute enabled and is only used via HTTPS, ensuring that the cookie is always encrypted when transmitting from client to server. This makes the cookie less likely to be exposed to cookie theft via eavesdropping.
If you want to use a secure cookie, you need to ensure that all the pages use https.
The Question: How to resolved this puzzle , requires an analysis of the requirements and see if it would be better to use https for whole website or a bination of http & https.
Since you are also asking for an alternative in one of your above ments, I hope the below info may help you decide on alternatives.
Background:
Basically you use http for all pages that have nothing to do with sensitive data, and https on the pages that have sensitive data. Many times we don't prefer to use https for whole website as the data that travels is more and it takes time to encrypt and decrypt them , thereby adding up to the actual time it takes to load/display a page.
However, there are arguments against above mon notion and you can also find encouragement to use https for your whole website. Check this: How to implement HTTPS only on part of website?
And, YES, secure cookies can only be used on https pages.
Some suggestions
You should protect your sensitive data and this applies to Cookies too. If bad has to happen, check here how bad it can happen: Can some hacker steal the cookie from a user and login with that name on a web site?
You may divide your User data to secure and non secure. For example, on
Flipkart., We see that normally you can browse through the various items, do search , view details of every single item etc.., and all such pages arehttponly. The interesting part es when you finally proceed with buying and all those pages arehttps. This link can help you get started on this concept: http://www.codeproject./Articles/5523/Switching-Between-HTTP-and-HTTPS-Automatically OR: Setting up SSL page only on login page