Is it correct to switch from HTTPS to HTTP (say, by clicking a link which has the full path in the href, with HTTP)? I'd appreciate it if someone could let me know what the implications are in such cases.
Thanks.
This can actually be a security risk; it depends on your situation.
If you create a session in the HTTPS part and then visit an HTTP page of the same domain, the session cookie will be sent along with the unsecured HTTP request (in plaintext). This makes your site vulnerable to session hijacking: an attacker can use this session ID and has the same privileges as the logged-in user.
In PHP you can prevent this behaviour by calling the session_set_cookie_params() function and setting the $secure parameter to true. This tells the browser to send the cookie to HTTPS pages only.
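The setting described in the answer above, as an added example that is not part of the original answer. The function names request_is_https() and start_secure_session() and the last_seen key are hypothetical, and the HTTPS check assumes TLS terminates at the PHP server itself rather than at a proxy in front of it.

```php
<?php
// Added example (not from the original answer); function names are hypothetical.

// True when the current request arrived over HTTPS. Assumption: TLS ends at
// this server, so the SAPI sets $_SERVER['HTTPS'] to a non-empty value
// other than 'off'.
function request_is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Start the session so that its cookie carries the Secure flag.
// Returns false on plain HTTP: the browser will not send a Secure cookie
// there, so the existing session would not be visible anyway.
function start_secure_session(): bool
{
    if (!request_is_https()) {
        return false;
    }

    // Weak setup, for comparison: calling session_start() alone while
    // session.cookie_secure is at its default (off) issues a cookie that
    // the browser also attaches to http:// requests for the same domain.

    // Hardened setup: must be called before session_start().
    // The array form requires PHP 7.3 or later.
    session_set_cookie_params([
        'lifetime' => 0,    // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true, // browser returns the cookie over HTTPS only
    ]);

    return session_start();
}

if (start_secure_session()) {
    // Check the effective setting before storing anything in the session.
    $params = session_get_cookie_params();
    if ($params['secure'] !== true) {
        throw new RuntimeException('Session cookie is not marked Secure');
    }
    $_SESSION['last_seen'] = time();
}
```

With the flag set, pages reached over HTTP receive no session cookie, so any code on those pages that relies on $_SESSION will see an empty session.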