安全 cookie 和混合 https/http 站点使用 [英] Secure cookies and mixed https/http site usage

问题描述

许多网站似乎都支持 https，但不使用安全 cookie.我想让我的网站使用安全 cookie，但允许使用 http 访问某些内容.

Lots of sites appear to support https but don't use secure cookies. I want to make my site use secure cookies but to allow for some content to be accessed using http instead.

一种明智的方法似乎是为真实会话设置一个安全的 cookie，以及一个非安全的 cookie，它只是一个标志，表明用户是否已登录(以显示不同的内容)标头，例如注销链接而不是登录链接).此 cookie 不包含任何真实"会话信息，只是为了使站点可以为登录用户显示的页面与站点 http 部分的已注销页面略有不同.

A sensible way to do this appears to be to have a secure cookie for the real session, and a non-secure cookie which is just a flag to say if the user is logged in or not (to display different things in the header, like a logout link instead of a login link). This cookie wouldn't contain any "real" session information and is just so that the site can show pages slightly differently for logged-in users compared to logged-out ones on http portions of the site.

将整个站点设为 https 是另一种选择，但这似乎比普通 http 慢很多，因此并不理想.

Having the whole site as https is another option but this appears to be quite a bit slower than plain http and so is not really ideal.

为什么网站不使用这种设置并拥有安全的 cookie?如今，cookie 被盗的可能性似乎使安全 cookie 成为必需品.有没有更好的方法来实现同样的目标?

Why don't sites use this kind of set-up and have secure cookies? The possibility of cookie theft seems to make secure cookies a necessity nowadays. Is there a better way to achieve the same thing?

推荐答案

您提出的解决方案似乎可行，只要您不介意非授权人员能够查看非安全 (http)站点的一部分就好像他们已登录"——即只要站点的 http 部分不包含任何敏感信息，登录和未登录用户之间的唯一区别是标题中的一些无害的东西.

The solution you propose seems like it would work, as long as you don't mind non-authorized people being able to view the non-secure (http) part of the site 'as if they are logged in' - ie as long as the http part of the site does not contain any sensitive information, and the only difference between logged in and not-logged-in users is something harmless in the header.

它不经常使用的原因之一可能是:

The reason it is not used very often may be one of:

• 这种情况可能并不常见.通常，如果您非常关心确保网站的一部分安全，您会将登录会话限制在该安全部分，或者您会让整个网站始终使用 HTTPS(如 Paypal).
• 现有的解决方案是安全的，而且功能还不止于此，例如，在 HTTPS 登录表单中登录某人并在将其传输回 HTTP 的同时维护该会话.OpenID 就是一个例子.也想想 flickr 或 gmail:他们的登录页面始终是 HTTPS，但是一旦会话开始，您就会迁移回 HTTP，同时安全地维护会话.

更新(2014 年 8 月)

Update (Aug 2014)

自从我在 2009 年写这篇文章以来，在登录屏幕上建立安全连接但在登录后返回到 HTTP 的做法几乎消失了.

Since I wrote this back in 2009, the practice of having a secure connection for the login screen but dropping back to HTTP once logged in has all but disappeared.

在侧面使用 HTTPS 的开销不再被视为大问题.由 Google 首创的新 SPDY 协议(现已演变为 HTTP/2)得到跨浏览器和主要网络服务器的支持，并提高了 HTTPS 速度.

The overhead of using HTTPS side-wide is not seen as much of a big deal anymore. The new SPDY protocol pioneered by Google (now evolved into HTTP/2) is supported cross-browser and by major web servers and improves HTTPS speed.

最后，隐私被视为比以往任何时候都更重要，即使是对身份验证不重要的操作，例如撰写评论、上传照片等.

And lastly, privacy is seen as more important than ever, even for actions that aren't critical to the authentication, such as writing comments, uploading photos, and more.

Google 最近甚至表示，仅支持 HTTPS 的网站将开始在搜索引擎排名中受益.

Google has even said recently that sites which are HTTPS-only will start to benefit in search engine rankings.

这篇关于安全 cookie 和混合 https/http 站点使用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！