Reputation: 1
HTTPS is costly, so I want to send only the session cookies through HTTPS and the website HTML through HTTP (unsecured).
1) During login, cookies and login data are sent to the user through HTTPS.
2) During page requests, the cookie is sent to the server via HTTPS, but the response (no cookies in response!) is sent over unsecured HTTP.
Is it possible to send cookies to the server over HTTPS, but receive HTML over HTTP?
The reason for this is to eliminate chances of session hijacking. The HTML sent does not need to be secured.
Upvotes: 0
Views: 1137
Reputation: 121
Remember that mixing HTTP and HTTPS is not secure; an attacker could influence your site by modifying HTTP resources.
Upvotes: 0
Reputation: 6554
Cookies are sent with EVERY request to the server. The only way around it is to send the cookies from one domain using HTTPS and to send everything else from another domain (or subdomain) using HTTP. This means you cannot take advantage of sessions or cookies when using HTTP.
The most practical way to do this is to request a very small page through HTTPS which has some JavaScript to request all the user-specific data through HTTPS and request all the static information (images, HTML, CSS, etc.) through plain old HTTP.
Upvotes: 0
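Added example, not part of any answer in this thread: the split-host arrangement described in the answer above, run through Python's standard-library cookie jar as a stand-in for the browser, to show which requests would carry the session cookie. The hosts `app.example.test` and `static.example.test`, the cookie `sid=abc123`, and the `Secure` attribute (which the thread does not mention) are assumptions made for the illustration.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed hosts: the HTTPS session host and a separate static host.
LOGIN_URL = "https://app.example.test/login"
TARGETS = [
    "https://app.example.test/account",
    "http://app.example.test/account",
    "http://static.example.test/logo.png",
]


class FakeResponse:
    """Minimal response object exposing the info() method CookieJar reads."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent(set_cookie, url):
    """Return the Cookie header a client would attach to url, or None."""
    jar = http.cookiejar.CookieJar()
    # The cookie is issued in the response to the HTTPS login request.
    # No Domain attribute is set, so it is a host-only cookie.
    jar.extract_cookies(FakeResponse(set_cookie), urllib.request.Request(LOGIN_URL))
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def report(set_cookie):
    """Map each target URL to the Cookie header it would carry."""
    return {url: cookie_sent(set_cookie, url) for url in TARGETS}


if __name__ == "__main__":
    for header in ("sid=abc123; Path=/", "sid=abc123; Path=/; Secure; HttpOnly"):
        print(header)
        for url, sent in report(header).items():
            print(f"  {url:40} -> {sent}")
```

The host-only cookie never reaches the static host in either case; only the `Secure` variant also stays off plaintext requests to the session host itself.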
Reputation: 799520
No. The response is performed in the same channel as the request, therefore both must be either HTTP or HTTPS.
Upvotes: 4