Login from HTTP to HTTPS


Problem description

My website is, by default, on HTTP. I do have a certificate that enables HTTPS, but only certain areas on it force a secure connection.

The login is processed via Ajax, and I want to start using SSL on that, even if the request is coming from HTTP.

I tried forcing the address for the request to have HTTPS, and it replies perfectly. However, on the Ajax callback, it seems like the session was never set, despite the reply being OK.

If the request comes from HTTPS, everything goes smoothly.

Why does this happen?

I can understand why an HTTPS to HTTP request is denied by the browser, but the reverse situation (HTTP to HTTPS) has a peculiar result, to say the least, since the browser doesn't throw any kind of error. The session simply doesn't seem to have ever been started after the Ajax request is done, despite all the data coming from the reply telling me it was.

Recommended answer

Your login system is likely to be based on session information and/or a cookie.

Cookies set via HTTPS and flagged as secure (see section 4.2.2 Set-Cookie Syntax) cannot be read on HTTP, for security reasons.

Therefore, what's likely happening in your system is that your users are authenticated via HTTPS and they will be logged in as long as they keep using HTTPS. On HTTP, the session will not exist.

You should either not flag that specific cookie as secure or switch your entire site to HTTPS (recommended option). As of 2016, it doesn't really make any sense to have only certain pages of a website under HTTPS if you already have your site listening on HTTPS.
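The behaviour the answer describes can be reproduced with a small model of how a browser's cookie jar handles the Secure attribute. This is an added example, not code from the question or the answer: it implements only the Secure rule from RFC 6265 section 5.4 (a Secure cookie is attached to requests over a secure scheme only), and the session cookie name and value are constructed sample data.

```python
"""Model of the Secure cookie attribute as a browser applies it.

Added example (not from the original Q&A). Assumptions: the jar implements
only the RFC 6265 section 5.4 rule for the Secure attribute; domain, path and
expiry handling are omitted because they do not affect the scenario.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value: 'name=value' followed by attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name=name.strip(), value=value.strip())
    for attr in parts[1:]:
        key = attr.partition("=")[0].strip().lower()
        if key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


class CookieJar:
    """Minimal cookie store that applies the Secure rule when building a request."""

    def __init__(self) -> None:
        self._cookies: dict[str, Cookie] = {}

    def store(self, set_cookie_header: str) -> None:
        cookie = parse_set_cookie(set_cookie_header)
        self._cookies[cookie.name] = cookie

    def cookie_header_for(self, url: str) -> str:
        """Return the Cookie request header a browser would send to url.

        A cookie flagged Secure is only included when the request scheme is
        https; over http it is silently left out, so the server sees no session.
        """
        scheme = urlsplit(url).scheme
        sent = [f"{c.name}={c.value}" for c in self._cookies.values()
                if not c.secure or scheme == "https"]
        return "; ".join(sent)


def simulate_login(flag_secure: bool) -> dict:
    """Reproduce the question's scenario: the login reply arrives over HTTPS,
    then the page, still served over HTTP, makes its next request."""
    jar = CookieJar()
    # Constructed sample session cookie; any session cookie name would behave the same.
    header = "SESSIONID=abc123; Path=/; HttpOnly"
    if flag_secure:
        header += "; Secure"
    jar.store(header)
    return {
        "https_request": jar.cookie_header_for("https://example.com/account"),
        "http_request": jar.cookie_header_for("http://example.com/account"),
    }


if __name__ == "__main__":
    print("Secure flag set:    ", simulate_login(True))
    print("Secure flag not set:", simulate_login(False))
```

With the Secure flag set, the HTTPS follow-up request carries the session cookie and the HTTP one carries nothing, which is exactly the "session never started" symptom; without the flag the cookie travels over both schemes, but then it is exposed on every plaintext request, which is why the answer recommends moving the whole site to HTTPS instead.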

