I have a website with mixed HTTP / HTTPS. When a user logs in, she receives two cookies:
- regular cookie with its (signed) username, login expiration time and the icon is "unsafe"
- secure cookie with its (signed) username, login expiration time and "safe" flag
- note that if you do not have the secure / insecure flag in the signed content, the attacker can intercept a regular cookie and then send it as secure (my first implementation made this error).
I use a regular cookie on HTTP pages (only to show my name while she browses the marketing part of the site). Then I use a secure cookie when it is on HTTPS pages (any pages related to a specific user).
I got the idea of Secure Cookies and the mixed use of https / http .
Everything works fine, except when a user switches from an HTTPS page to an HTTP protocol, all protected cookies are deleted, which means that they cannot return to HTTPS pages after visiting even one HTTP page. I should mention that there is a “301 Moved Permanently” that redirects the user from HTTPS to HTTP.
My site does not clear a secure cookie. I know that the browser should not send me a secure cookie while the user is looking at the HTTP site, but I expected that the cookie will remain for life and will be sent if the user returns to the HTTPS page again.
I get the same behavior in Chrome, Firefox and IE. Any tips? Hope this is not the expected behavior ...
Ned Twigg May 24 '13 at 11:38 a.m.
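The two-cookie scheme the question describes, with the safe/unsafe flag inside the signed content so that a regular cookie captured on HTTP is rejected when presented as the secure one, as an added example that is not part of the original post. The secret, the cookie names `user`/`suser` and the pipe-delimited layout are assumptions.

```python
import hmac
import hashlib

# Constructed demo key; a real deployment loads this from secret storage.
SECRET = b"demo-server-secret"


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(username: str, expires: int, secure: bool) -> str:
    # The "safe"/"unsafe" flag is covered by the signature, so a cookie
    # minted for HTTP pages cannot be replayed as the HTTPS cookie.
    flag = "safe" if secure else "unsafe"
    payload = f"{username}|{expires}|{flag}"
    return f"{payload}|{_sign(payload)}"


def verify_cookie(cookie: str, expect_secure: bool, now: int):
    """Return the username if the cookie is valid for this context, else None."""
    try:
        username, expires, flag, sig = cookie.split("|")
    except ValueError:
        return None  # malformed cookie
    payload = f"{username}|{expires}|{flag}"
    if not hmac.compare_digest(_sign(payload), sig):
        return None  # tampered or forged
    if int(expires) < now:
        return None  # login expired
    if flag != ("safe" if expect_secure else "unsafe"):
        return None  # wrong cookie for this protocol, e.g. HTTP cookie sent over HTTPS
    return username


def set_cookie_headers(username: str, expires: int) -> list:
    # Two Set-Cookie headers (names assumed): the HTTPS one carries the
    # Secure attribute so the browser never sends it over plain HTTP.
    return [
        f"Set-Cookie: user={issue_cookie(username, expires, False)}; Path=/; HttpOnly",
        f"Set-Cookie: suser={issue_cookie(username, expires, True)}; Path=/; Secure; HttpOnly",
    ]
```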