I log in to a webpage using http:// and get redirected by JavaScript to https://. This opens a login page under https. After logging on successfully, the next page is in http again. Why didn't the next page open with https as well? I am using Jetty as the web server.

+4  A: 

Are you posting your login form to http://mysite.com/login.php?

If so, I'd recommend using a relative link (e.g. <form action="login.php" method="POST">)

Xorlev
Word of caution: If you use relative links your login page needs to be requested over HTTPS or else the secrets will be transferred in plaintext by default. I'd recommend forcing HTTPS for the login form.
Hannson
A: 

Encryption is usually only used when transferring sensitive data such as usernames and passwords (or your online bank account).

For an otherwise public website like StackOverflow, it's impractical to use HTTPS for anything other than the login credentials, because if every logged-in user at StackOverflow used HTTPS for every page view, the site could be too expensive to run: encryption is resource-heavy, which means it would require more hardware.

The server-side software could work something like this at the login page:

  1. User goes to login page http://mysite.com/login
  2. Login page is displayed. The HTML form points to https://mysite.com
  3. User types username/password and submits the form over an encrypted session
  4. User lands on "Login successful" page which redirects to the unencrypted http://mysite.com/

HTTP supports redirects in the header using the Location command:

Location: http://www.example.org/
Content-Type: text/html
Content-Length: 174

Hope this helps!

Hannson
I wanted the session to remain https, which I got to work via redirect. If I type http://ipaddress, I get redirected to https://ipaddress and the session is https. However, since port 80 for http is open, I can still access pages via http after I log in. So it seems I can access both http and https. I would like it to be https only. It may impact speed, but that is fine with me. Is there a way that if the user types http://ipaddress/jsp/page.jsp they will get an error page or some error?
Jim