Is there anything wrong with configuring a webserver to map SSL traffic (port 443) to the same document root as normal traffic (port 80)?

Using the same document root for both http and https means you need to implement the following:

  1. On each page that needs to be secure, there needs to be some application code that redirects the user to the https version if they somehow got to the http version (or to redirect the user to the login page if they have no session).
  2. The login page always needs to redirect to the https version.
  3. For pages that are accessible via both http and https, you need to set a canonical URL to ensure it doesn't appear like you have duplicate content.

Is there a better way to configure encryption of user account pages? Is there a best practice to separate a website into HTTP and HTTPS sections?
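As an added worked example (not code from the question or from any of the answers), here is a small WSGI middleware in Python that implements the three points listed above on top of a single document root: secure sections reached over plain HTTP are redirected to their HTTPS twin, a secure page without a session goes to the login page, and pages served on both schemes carry one canonical URL. The path prefixes, the `sid` session cookie, the host `www.example.com` and the `demo_app` stand-in are assumptions made for illustration.

```python
# Added example, not part of the original post. Names below are hypothetical:
# SECURE_PREFIXES, LOGIN_PATH, the "sid" cookie, www.example.com and demo_app.
from http.cookies import SimpleCookie
from urllib.parse import quote

SECURE_PREFIXES = ("/account", "/login")  # sections that must only be served over HTTPS
LOGIN_PATH = "/login"
SESSION_COOKIE = "sid"
CANONICAL_SCHEME = "https"                # the scheme search engines should index


def needs_https(path):
    """True if the path is inside a secure section (prefix match on whole segments)."""
    return any(path == p or path.startswith(p + "/") for p in SECURE_PREFIXES)


def has_session(environ):
    """Crude session check: a non-empty session cookie is present."""
    cookies = SimpleCookie()
    cookies.load(environ.get("HTTP_COOKIE", ""))
    return SESSION_COOKIE in cookies and bool(cookies[SESSION_COOKIE].value)


class SecureSectionMiddleware:
    """Enforce the HTTP/HTTPS split for an app served from one document root."""

    def __init__(self, app, host):
        self.app = app
        # Fixed, operator-configured host. Redirect targets are never built from the
        # client-supplied Host header, which would turn the redirect into an open one.
        self.host = host

    def url(self, environ, scheme, with_query=True):
        # PATH_INFO is already decoded, so re-quote it before putting it in a URL.
        path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "/"))
        query = environ.get("QUERY_STRING", "")
        url = f"{scheme}://{self.host}{path}"
        return url + ("?" + query if with_query and query else "")

    @staticmethod
    def redirect(start_response, status, location):
        start_response(status, [("Location", location), ("Content-Length", "0")])
        return [b""]

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        secure = needs_https(path)
        if secure and environ.get("wsgi.url_scheme") != "https":
            # Points 1 and 2: a secure page (login included) reached over plain HTTP
            # is sent to the same path over HTTPS, query string preserved.
            return self.redirect(start_response, "301 Moved Permanently",
                                 self.url(environ, "https"))
        if secure and path != LOGIN_PATH and not has_session(environ):
            # Point 1, second half: secure page without a session -> login page.
            return self.redirect(start_response, "302 Found",
                                 f"https://{self.host}{LOGIN_PATH}")

        def start_with_canonical(status, headers, exc_info=None):
            if not secure:
                # Point 3: pages reachable on both schemes declare one canonical URL
                # (query string dropped) so they do not look like duplicate content.
                canonical = self.url(environ, CANONICAL_SCHEME, with_query=False)
                headers.append(("Link", f'<{canonical}>; rel="canonical"'))
            return start_response(status, headers, exc_info)

        return self.app(environ, start_with_canonical)


def demo_app(environ, start_response):
    """Stand-in for the site behind the middleware (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("PATH_INFO", "/").encode()]


def call(app, path, scheme="http", cookie="", query=""):
    """Drive a WSGI app with a constructed request; returns (status, headers dict, body)."""
    environ = {
        "REQUEST_METHOD": "GET", "SCRIPT_NAME": "", "PATH_INFO": path,
        "QUERY_STRING": query, "SERVER_NAME": "www.example.com",
        "SERVER_PORT": "443" if scheme == "https" else "80",
        "HTTP_HOST": "attacker.example",  # deliberately untrusted; must not reach Location
        "HTTP_COOKIE": cookie, "wsgi.url_scheme": scheme,
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


site = SecureSectionMiddleware(demo_app, host="www.example.com")

if __name__ == "__main__":
    for req in [("/account/settings", "http"), ("/account/settings", "https"),
                ("/account/settings", "https", "sid=abc123"), ("/about", "http")]:
        print(req, call(site, *req)[:2])
```

Two things in the block are deliberate checks rather than decoration: the redirect target is built from a configured host, not from the `Host` header the client sent, and the prefix test matches whole path segments so that `/accounts` is not accidentally treated as part of `/account`. The first hop in point 1 is still a redirect issued over plain HTTP, which is the weakness the last answer on this page points at; the only thing the middleware can do about that is keep the redirect target fixed.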

+1  A: 

It's not necessarily wrong to do this, but as your points 1..3 show, it introduces complications. It seems to me that setting up a separate document root might be a lot simpler than working around the complications.

Carl Smotricz
+1  A: 

In Internet Information Server 7.X you can define a "secure path" which requires HTTPS to access, and you can redirect the user to a user-friendly error page.

Maybe this can be a good solution to mix the document root and keep parts of the application secured.

Pedro Laguna
+1  A: 

Redirecting http automatically to https allows for man-in-the-middle attacks and is therefore not recommended. A man-in-the-middle could manipulate your HTTP traffic to send you to a malicious HTTPS site that resembles your HTTPS content.

MITM