I want to enable the user to log in on a http page with out redirecting them to https. This is so that the user does not loose state on the page they are viewing.
When the user clicks on something that requires login, a modal login form pops over the page asking for details. They can then login using ajax and the modal form disappears without state being lost. However this is not secure, the password is being sent over plain text.
I could use postMessage to send the username/password to a hidden iframe with a location loaded using https. This then sends the login request securely and posts success/error back to the main page.
Are there any security considerations I am missing with this scenario.
In particular, man in the middle. Am I right in thinking that the http javascript could be substituted using man in the middle and this could be used to capture the password and sent elsewhere before it even reaches the https iframe?
In case you are considering an man-in-the middle attacker you have to use only https. Everything else would be insecure as the attacker would have the ability to rewrite all links to https resources to regular https
Or if your page does not allow http for that particular resources the attacker could simple run an proxy accepting http from the client and change it to https while sending it to the server.
Even without man-in-the-middle attacks an attacker could “steal” an authenticated session (usually the cookies) the way FireSheep or DroidSheep do. The password would be safe in this case but the attacker could still do all the things on your web page authenticated as the attacked different user.