tags:

views:

50

answers:

2
Q: 

HTTPS switches to HTTP

I login to a webpage using http:// I get redirected by javascript to https://. This opens a login page under https. After logging on successfully the next page is in http again. Why didn't the next page open with https as well. I am using JETTY as web server.

+4  A: 

Are you posting your login form to http://mysite.com/login.php?

If so, I'd recommend using a relative link (e.g. <form action="login.php" method="POST">)

Xorlev  2010-03-04 21:47:51
Word of caution: If you use relative links your login page needs to be requested over HTTPS or else the secrets will be transferred in plaintext by default. I'd recommend forcing HTTPS for the login form.
Hannson  2010-03-04 22:20:54
A: 

Encryption is usually only used when transferring sensitive data such as usernames and passwords (or your online bank account).

For an otherwise public website like StackOverflow it's impractical to use HTTPS for anything other than the login credentials because if every logged in user at StackOverflow would use HTTPS for every page-view the site could be too expensive to run because encryption is resource heavy which means it would require more hardware.

The server-side software could work something like this at the login page:

  1. User goes to login page http://mysite.com/login
  2. Login page is displayed. The HTML form points to https://mysite.com
  3. User types username/password and submits the form over an encrypted session
  4. User lands on "Login successful" page which redirects to the unencrypted http://mysite.com/

HTTP supports redirects in the header using the Location command:

Location: http://www.example.org/
Content-Type: text/html
Content-Length: 174

Hope this helps!

Hannson  2010-03-04 22:18:12
I wanted the session to remain https which I got it to work via redirect. If I type http://ipaddress. I get redirected to https://ipaddress and the session is https. However since port 80 for http is open, i can still access pages via http after I login. So it seems I can access both http and https. I would like it to be https only. It may impact speed but that is fine with me. is there a way that if the user types http://ipaddress/jsp/page.jsp they will get error page or some error.
Jim  2010-03-09 18:41:33

related questions

Retrieving HTTP status code from loaded iframe with Javascript
How to specify an authenticated proxy for a python http connection?
Why does HttpCacheability.Private suppress ETags?
How to respond to an alternate URI in a RESTful web service
Is there a reason to use BufferedReader over InputStreamReader when reading all characters?
What would be a good, windows and iis (http) based distributed version control system
Database query representation impersonating file on Windows share?
How do I use NTLM authentication with Active Directory
Process raw HTTP request content
How would you implement FORM based authentication without a backing database?
Reading "chunked" response with HttpWebResponse
Best way to let users download a file from my website: http or ftp
How do I convert a date to a HTTP-formatted date in .Net / C#
What is the best way to upload a file via an HTTP POST with a web form?
How do I stop IIS7 dropping my cookies?
Checking FTP status codes with a PHP script.
HTTP Libraries for Emacs
Accessing post variables using Java Servlets
HTTP: Generating ETag Header
HTTP: How to know when to send a 304 Not Modified response
How do I best detect an ASP.NET expired session?
How can I make the browser see CSS and Javascript changes?
How to curl or wget a web page?
The Definitive Guide To Website Authentication
Implementation of "Remember me" in a Rails application.