保护cookie和混合https / http网站使用 [英] Secure cookies and mixed https/http site usage

问题描述

很多网站似乎都支持https，但不使用安全Cookie。我想让我的网站使用安全的cookies，但允许使用http代替访问一些内容。

Lots of sites appear to support https but don't use secure cookies. I want to make my site use secure cookies but to allow for some content to be accessed using http instead.

这样做的一个明智的方法似乎是有一个安全cookie，以及一个非安全的cookie，它只是一个标志，用于说明用户是否登录（在标题中显示不同的东西，比如注销链接，而不是登录链接）。此Cookie不包含任何真实会话信息，只是使网站对登录用户的网页显示略有不同，而在网站的http部分则与已注销的网页相比。

A sensible way to do this appears to be to have a secure cookie for the real session, and a non-secure cookie which is just a flag to say if the user is logged in or not (to display different things in the header, like a logout link instead of a login link). This cookie wouldn't contain any "real" session information and is just so that the site can show pages slightly differently for logged-in users compared to logged-out ones on http portions of the site.

将整个网站作为https是另一个选项，但是这看起来比普通http慢很多，所以不是很理想。

Having the whole site as https is another option but this appears to be quite a bit slower than plain http and so is not really ideal.

为什么网站不使用这种设置并具有安全的Cookie？ Cookie窃取的可能性似乎使得安全的cookie现在是必要的。有没有更好的方法来实现同样的事情？

Why don't sites use this kind of set-up and have secure cookies? The possibility of cookie theft seems to make secure cookies a necessity nowadays. Is there a better way to achieve the same thing?

推荐答案

你建议的解决方案似乎它的工作，不介意未经授权的人能够看到网站的非安全（http）部分，就好像他们已登录一样 - 即只要网站的http部分不包含任何敏感信息，以及

The solution you propose seems like it would work, as long as you don't mind non-authorized people being able to view the non-secure (http) part of the site 'as if they are logged in' - ie as long as the http part of the site does not contain any sensitive information, and the only difference between logged in and not-logged-in users is something harmless in the header.

未经常使用的原因可能是以下之一：

The reason it is not used very often may be one of:

• 这种情况可能并不常见。通常情况下，如果您足够关注部分网站的安全性，则可以将登录会话仅限于该安全部分，或者让整个网站始终使用HTTPS（如Paypal）。


• 先前存在的解决方案存在安全，并且能够实现这一点，例如以HTTPS登录表单登录某人，并在将其转换回HTTP时维护该会话。 OpenID的例子。也可以考虑flickr或gmail：他们的登录页面总是HTTPS，但一旦会话开始，您迁移回HTTP，同时安全地保持会话。

• This scenario may just not be very common. Usually if you care enough to make part of your site secure, you'd restrict the login session just to that secure part, or you'd make the entire site always use HTTPS (like Paypal).
• Pre-existing solutions exist which are secure and which are capable of more than this, for example logging in someone at an HTTPS login form and maintaining that session while transferring them back to HTTP. OpenID's an example. Also think flickr or gmail: their sign in page is always HTTPS, but once the session's started you migrate back to HTTP while maintaining the session securely.

更新（2014年8月）

在2009年，为登录屏幕建立安全连接，但是一旦登录就恢复到HTTP的做法已经消失。

Since I wrote this back in 2009, the practice of having a secure connection for the login screen but dropping back to HTTP once logged in has all but disappeared.

使用HTTPS端的宽度不再被视为一件大事。由Google开创的新SPDY协议（现在演变为HTTP / 2）支持跨浏览器和主要网络服务器，并提高HTTPS速度。

The overhead of using HTTPS side-wide is not seen as much of a big deal anymore. The new SPDY protocol pioneered by Google (now evolved into HTTP/2) is supported cross-browser and by major web servers and improves HTTPS speed.

最后，

Google最近甚至表示，对于认证不重要的操作（例如撰写评论，上传照片等）那些仅限HTTPS的网站将开始在搜索引擎排名中受益。

Google has even said recently that sites which are HTTPS-only will start to benefit in search engine rankings.

这篇关于保护cookie和混合https / http网站使用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！