I'm about to encrypt my website's login form and I was wondering if the user logging in needs to land on the login form at an HTTPS URL, or whether the form data can be posted to an HTTPS URL from an HTTP URL and still be encrypted?

+2  A: 

Yes, it will be encrypted. The URL of the page from which the form is submitted doesn't matter, only the form target URL.

One thing to note, though, is that some browsers (IE 6, at least) will warn the user when submitting a secure form from an insecure page. Why that requires a warning and what the user is supposed to do about it, I have no idea, but it can confuse people (if they bother to read the warning).

Evgeny

+1  A: 

Yes, the login data is encrypted, but there is no obvious way for the user to know this. It also leaves users open to a man-in-the-middle attack because an attacker could simply change where the form posts to.

For a site that really needs security, it is highly recommended that you require https on any login page.

Robert