Security concerns about redirecting from HTTPS to HTTP?


Question

I have read on some blog (sorry for not mentioning the reference but I can't find it anymore) that you will lose all your work on securing your site if you redirect a user from an https page to an http page.

So, could someone please explain to me if I am right or wrong here in the following scenario:

  • Is it right practice to use https on the login page and then redirect him to the Admin Page with http, or will this create a security issue like Session Fixation, hijacking, stealing the session, etc.?

  • Or must I keep the Admin Page also in https?

Another side of the question is: will https allow caching of static files?

I have read other articles here but I am still confused as some say 'yes' and some say 'no'; also some say it depends on browser.

Solution

In your instance (in only securing the login page with HTTPS) while login details will be protected (e.g. username/password), your users will be susceptible to Session Hijacking.

Whether you use a mixture of HTTP/HTTPS or full HTTPS depends on your situation. Amazon, for instance, will use HTTPS for the login, but you'll browse the site with HTTP; as soon as you go to a sensitive area (order details screen, change account/password details, etc.) it switches to HTTPS and asks you to re-authenticate. Re-authenticating the user after switching from HTTP to HTTPS is the key to stopping Session Hijacking, because you're effectively issuing a new session token. So if someone steals the session token, they still don't have your username/password and can't access your account section.

If the admin area is particularly sensitive then just HTTPS the whole thing. Google found the overhead from using full HTTPS was between 1-5% on the CPU, hardly anything basically.

As for caching static files on HTTPS I'm not sure, but this SO post suggests it'll cache as normal: Will web browsers cache content over https
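The three situations the answer describes (a login cookie leaking once the user is redirected to an http:// page, the cookie's Secure attribute stopping that leak but also making the HTTP admin page useless, and the Amazon-style step-up that rotates the session token) can be modelled end to end without a web framework. The following is an added example, not code from the question or answer above: a toy server and a cookie jar that applies the standard Secure rule (a cookie flagged Secure is only attached to https:// requests), plus a list standing in for a passive sniffer on the network path. The `sid` cookie name, the `secure_cookie` switch, the `/admin` and `/account` handlers and the `alice` credentials are constructed for the demo.

```python
import secrets

# Constructed demo credentials; a real app stores password hashes, not this.
USERS = {"alice": "correct horse battery staple"}
PASSWORD = USERS["alice"]


class Server:
    """Toy web app: HTTPS login issues a session id (sid); /admin needs a valid
    sid; /account additionally needs a sid issued by re-authentication."""

    def __init__(self, secure_cookie):
        # Assumed config knob: does Set-Cookie carry the Secure attribute?
        self.secure_cookie = secure_cookie
        self.sessions = {}  # sid -> {"user": str, "elevated": bool}

    def _issue(self, user, elevated):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "elevated": elevated}
        return sid

    def login(self, user, password):
        """Served over https://. Returns a fresh sid, or None on bad credentials."""
        if USERS.get(user) != password:
            return None
        return self._issue(user, elevated=False)

    def admin(self, sid):
        """The admin page from the question: any valid sid is enough."""
        s = self.sessions.get(sid)
        return s["user"] if s else None

    def reauthenticate(self, old_sid, user, password):
        """Step-up on entering a sensitive area: check the password again and
        rotate the sid, so a token captured earlier stops working."""
        if old_sid not in self.sessions or USERS.get(user) != password:
            return None
        self.sessions.pop(old_sid)
        return self._issue(user, elevated=True)

    def account(self, sid):
        """Sensitive area: only a sid issued by reauthenticate() is accepted."""
        s = self.sessions.get(sid)
        return s["user"] if s and s["elevated"] else None


class Browser:
    """Cookie jar applying the Secure rule: a cookie flagged Secure is sent
    only on requests whose scheme is https."""

    def __init__(self, wire):
        self.cookies = {}  # name -> (value, secure)
        self.wire = wire   # list of (url, cookies) a passive sniffer would see

    def set_cookie(self, name, value, secure):
        self.cookies[name] = (value, secure)

    def request(self, url, server, handler):
        scheme = url.split("://", 1)[0]
        sent = {n: v for n, (v, secure) in self.cookies.items()
                if scheme == "https" or not secure}
        if scheme == "http":
            self.wire.append((url, dict(sent)))  # cleartext: visible on the path
        return handler(server, sent.get("sid"))


def redirect_scenario(secure_cookie):
    """HTTPS login followed by the redirect to http://.../admin from the
    question. Returns (what the user sees, what a replaying attacker sees)."""
    wire = []
    srv = Server(secure_cookie)
    browser = Browser(wire)
    sid = srv.login("alice", PASSWORD)                  # over https://
    browser.set_cookie("sid", sid, secure=secure_cookie)
    user_view = browser.request("http://example.test/admin", srv, Server.admin)
    leaked = [c["sid"] for _, c in wire if "sid" in c]
    # The attacker replays the captured sid over https://, where Secure is no obstacle.
    attacker_view = srv.admin(leaked[0]) if leaked else None
    return user_view, attacker_view


def reauth_scenario():
    """Token rotation on step-up: a sid captured from HTTP traffic cannot reach
    /account, nor /admin any more, once the user has re-authenticated."""
    srv = Server(secure_cookie=False)
    sid = srv.login("alice", PASSWORD)
    stolen = sid                                        # leaked as in redirect_scenario(False)
    new_sid = srv.reauthenticate(sid, "alice", PASSWORD)  # over https://
    return srv.account(new_sid), srv.account(stolen), srv.admin(stolen)


if __name__ == "__main__":
    print("no Secure flag:", redirect_scenario(False))   # ('alice', 'alice')
    print("Secure flag:   ", redirect_scenario(True))    # (None, None)
    print("after re-auth: ", reauth_scenario())          # ('alice', None, None)
```

`redirect_scenario(False)` is the hijack the answer warns about: the cookie issued over HTTPS is sent in cleartext to the http:// admin page, and replaying it works. `redirect_scenario(True)` shows why the Secure attribute alone does not rescue the mixed design: the cookie is not sent, so the user reaches the HTTP admin page unauthenticated, which is why the admin area has to stay on HTTPS. `reauth_scenario()` is the step-up the answer attributes to Amazon: the stolen token is only useful until the user re-authenticates, because the server discards it and issues a new one. Note that until that step-up happens, the captured token still opens every page that accepts the ordinary session, so rotation complements full HTTPS rather than replacing it. On the caching side question, browsers cache HTTPS responses according to the same `Cache-Control` and `Expires` headers as HTTP ones, so nothing in this model changes for static files.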
