Home/ Questions/Q 7666983
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T14:58:47+00:00

I have a user login/reg system with a user management admin area. Just some

  • 0

I have a user login/reg system with a user management admin area.

Just some background:

Currently the login is all ‘ajaxy’ so the user clicks login and the loading gif swirls around while in the background the details are checked, sessions created.

If all goes well the client side javascript refreshes the page to the correct location.

the questions

Now if I wanted to use SSL, what do I do?

    1. The “ajax” call – I need to secure this – do I do this by making the call to https – is that enough?

    1. Should the redirect after login also go to https

(the site owner should already have a SSL certificate etc)

Thanks

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Everything needs to go through SSL.

    1. If the page is HTTP and the Ajax goes to HTTPS then you’ll bounce off the same origin policy
    2. If the conditions are as above but you use CORS to work around the policy then a man-in-the-middle attack could alter the page the request is made from and add (for example) extra JS to steal the credentials from the page (instead of from the HTTP request)
    3. If you redirect to HTTP once the user is logged in, then you are vulnerable to the Firesheep problem

    So display the login page via SSL, and once the user is logged in, keep using SSL.

    • 0