Hi all,

I am trying to understand HTTP/HTTPS a little better and possibly what headers I'm sending clients.

Does the client have to re-fetch the same file under HTTPS when it has already been fetched under HTTP, or do I need to send special headers?

Well, the reason the file is served over HTTP/HTTPS is that it is simply a banner. When the user goes to a secure page, the banner is still in that particular template. Once the user does get the file via HTTPS, the file is cached as expected.

Walter

+1  A: 

You don't need to fetch the file again (and definitely shouldn't).

HTTPS is HTTP combined with SSL/TLS. It creates a secure connection which can help prevent eavesdropping and man-in-the-middle attacks.

You don't need to fetch it again over a secure channel - the content will be the same whether fetched via an encrypted channel or not.

If you fetch the content for a second time over a secure channel, someone could have still 'listened in' the first time and seen the data you fetched. The act of fetching it the second time is in no way connected to the first time.

If you require the added security of HTTPS, don't fetch the file over non-encrypted HTTP at all, as it will not be secure and thus not protected.

There is no need to do an HTTP then HTTPS request, just do one HTTPS.

Michael Shimmins
+1  A: 

HTTPS is considered a different "domain" from HTTP, and so if you send a file to a client over an HTTP connection, then switch to HTTPS (even if you don't change anything else), the browser will still request the file again, as if the file wasn't in the cache. It's just like if you requested http://www.example1.com/file.txt and then http://www.example2.com/file.txt: they might be the "same" file, but the browser doesn't know and so it's got to fetch it a second time.

Once it's requested via HTTPS, though, it'll cache as normal.

Dean Harding
A: 

A website could deliver different versions of a file over HTTP and HTTPS so the browser has to treat them as being separate.

All content is cached by URL. Since the URL contains the protocol, there will be separate cache entries for the HTTP and HTTPS version of a file.

The way to avoid this is to always deliver the HTTPS version of a file. You can't use the HTTP version of a secure page or you run into IE's dreaded mixed content warning:

http://blog.httpwatch.com/2009/04/23/fixing-the-ie-8-warning-do-you-want-to-view-only-the-webpage-content-that-was-delivered-securely/

HttpWatchSupport
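
The two points made in the answers above (cache entries are keyed by the full URL including the scheme, and an HTTPS page must not pull subresources over HTTP) can be checked against a template with the sketch below. It is an added example, not code from any of the posters; `cache_key`, `find_mixed_content`, the simplified cache-key model and the sample template are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src makes the browser fetch a subresource (plain <a> links do not).
SRC_TAGS = {"img", "script", "iframe", "audio", "video", "source", "embed"}
# Constructed sample: a shared template with a banner, as in the question.
TEMPLATE = """<link rel="stylesheet" href="/site.css">
<img src="http://www.example.com/banner.png">
<img src="//www.example.com/logo.png">
<a href="http://www.example.com/about">About</a>"""


def cache_key(url):
    """Simplified cache key (assumption): scheme, host, port, path and query."""
    u = urlsplit(url)
    port = u.port or {"http": 80, "https": 443}.get(u.scheme.lower())
    return (u.scheme.lower(), (u.hostname or "").lower(), port, u.path or "/", u.query)


class _Collector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.found = page_url, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        value = attrs.get("src") if tag in SRC_TAGS else None
        if tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            value = attrs.get("href")
        if value:
            # urljoin resolves relative and protocol-relative (//host/x) URLs
            self.found.append((tag, urljoin(self.page_url, value.strip())))


def find_mixed_content(page_url, html):
    """Return (tag, url) for subresources an HTTPS page would load over HTTP."""
    if urlsplit(page_url).scheme.lower() != "https":
        return []  # mixed content only applies to secure pages
    collector = _Collector(page_url)
    collector.feed(html)
    collector.close()
    return [(t, u) for t, u in collector.found if urlsplit(u).scheme == "http"]


if __name__ == "__main__":
    print(find_mixed_content("https://www.example.com/checkout", TEMPLATE))
```

Only the hard-coded `http://` banner is reported: the relative stylesheet and the protocol-relative logo inherit the page's HTTPS scheme, and the `<a>` link is navigation rather than a subresource.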