Question

I have a site which, after the initial login pages (in HTTPS), should redirect to an HTTP site.
I have noticed the session cookie is not carried over between the HTTPS and HTTP requests.
What would be a secure way to do this?
Right now, as an interim solution, I generate a one-time unique key to use the first time I move from HTTPS to HTTP. Once verified, this re-creates the user session.


Solution

What would be a secure way to do this?

There isn't one. At best you end up sending session tokens in the clear and are open to session hijacking. At worst, you expose the user to a MitM attack (even on the pages that both you and the user think are secure, as long as they got there from an HTTP-only page).

Serve the entire site over HTTPS. The overhead isn't that high and it removes so many potential security pitfalls.
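The advice in the answer above, as an added example that is not part of the original post or answer: a port-80 listener that does nothing but redirect to HTTPS, a session cookie issued with the Secure attribute so the browser never attaches it to a plain-HTTP request, HSTS on the HTTPS login response, and a small model of what a passive observer sees when a cookie does go over HTTP. The host name example.com, the cookie name sid, the bind address and the RFC 6265 cookie-scheme rule are assumptions for the example, not details from the page.

```python
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed values for this example (not from the original post).
SITE_HOST = "example.com"
SESSION_COOKIE = "sid"
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def https_redirect_target(host_header, path):
    """URL a plain-HTTP request is redirected to: same host and path, https scheme.
    Any explicit port in the Host header is dropped so the redirect lands on 443."""
    host = (host_header or SITE_HOST).split(":")[0]
    if not path.startswith("/"):
        path = "/" + path
    return f"https://{host}{path}"


def session_cookie_header(token):
    """Set-Cookie value for the session. Secure means the browser only sends it
    over TLS; HttpOnly keeps it away from scripts; SameSite limits cross-site use."""
    return f"{SESSION_COOKIE}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


def login_response_headers(token):
    """Headers for the HTTPS login response. Browsers only honour HSTS when it
    arrives over HTTPS, so it belongs here, not on the HTTP redirect."""
    return {
        "Set-Cookie": session_cookie_header(token),
        "Strict-Transport-Security": HSTS_VALUE,
    }


def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr: val})."""
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        attrs[key.lower()] = attr_val if attr_val else True
    return name, val, attrs


def browser_sends_cookie(set_cookie_value, request_scheme):
    """Model of the RFC 6265 rule: a cookie carrying the Secure attribute is
    attached to https requests only; one without it also goes over plain http."""
    _, _, attrs = parse_set_cookie(set_cookie_value)
    return request_scheme == "https" or "secure" not in attrs


def cookies_visible_on_wire(raw_http_request):
    """What a passive observer on the path sees in a plaintext HTTP request:
    every Cookie header, session token included, in the clear."""
    found = {}
    for line in raw_http_request.decode("latin-1").split("\r\n"):
        if line.lower().startswith("cookie:"):
            for pair in line.split(":", 1)[1].split(";"):
                name, _, val = pair.strip().partition("=")
                if name:
                    found[name] = val
    return found


class RedirectToHttps(BaseHTTPRequestHandler):
    """Handler for the port-80 listener: it serves no content, only a 301 to
    HTTPS, so a session cookie never has a reason to travel over HTTP."""

    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", https_redirect_target(self.headers.get("Host"), self.path))
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_POST = do_HEAD = do_GET


if __name__ == "__main__":
    # Headers the HTTPS side would send after a successful login.
    print(login_response_headers(secrets.token_urlsafe(32)))
    # Plain-HTTP listener (assumed bind address for the example).
    HTTPServer(("127.0.0.1", 8080), RedirectToHttps).serve_forever()
```

The two halves together are what make the original observation harmless: with the cookie marked Secure the browser will not send it to an HTTP page, and with every HTTP request redirected (and HSTS set) there are no HTTP pages left to hand a token to, so the interim one-time-key exchange over HTTP is not needed.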

Licensed under: CC-BY-SA with attribution