开发者

Checking for a secure cookie and redirecting a non-HTTPS parent inside an HTTPS modal

I have an issue with mixing HTTP/HTTPS portions of my site which is a bit hard开发者_开发技巧 to explain. Basically, the site is structured so that:

  • Homepage and public content pages are sent via HTTP
  • All pages which require authorization are sent via HTTPS

I'm adding a "Remember Me" feature to the site in which a session key is sent in a secure cookie to the user. This has worked great for the authorized areas (HTTPS) of the site — I can delete the PHP session for the user and it will be recreated by the secure session key cookie when I visit those authorized pages again.

I have a login button on the pages of the site which are sent unencrypted. This login button launches a modal window, and this modal window's contents are transferred via HTTPS. The secure session key cookie is sent in the request for this modal window since it's over a secure connection. If this session key cookie is detected, I need to close the modal window and redirect the parent page to the authorized section of the site.

// this script running on https://somewhere.com/account/ in an iframe
// whose parent is http://somewhere.com/ (non-HTTPS)
<?php if ( $already_authorized ): ?>
    <script type="text/javascript">
        $(document).ready(function redirectParent() {
            parent.jQuery.fancybox.close();
            parent.window.location.href = 'https://somewhere.com/account/';
        });
    </script>
<?php endif ?>

I'm running into problems with cross-domain scripting prevention, though, since the modal window loading from https://somewhere.com/account/ is trying to execute a JS function on its parent window, http://somewhere.com.


So, my dilemma in short form:

  • Unsecured pages contain links to a modal login window, which loads via HTTPS
  • Modal login window can check for session key cookie, since it's sent over a secure connection
  • Modal login window can't tell its parent to close with JS, however, because it was loaded over a different protocol
  • Modal login window can't load via an unsecured connection. This would give JS access to the parent, but then the secure cookie wouldn't be available.

If my question makes enough sense, I'd like to know: is there any way to get around this frustrating problem? Or am I just going to end up making the entire site (both public and private sections) load via HTTPS?


I found a solution! It's probably not the most elegant, but it works and maintains the same level of security as far as I can see.

  • On login, store two cookies.
    1. Secure cookie which contains session key
    2. Unsecured cookie which stores an 'authorized' state: true or false
  • On unsecured pages, check for the unsecured cookie.
    • If the unsecured cookie's value is true, assume the user is authorized and display links to the secure "My Account" page (non-modal).
    • Once the user visits the "My Account" page via HTTPS, the secure cookie is checked. If everything's good, the page is displayed as normal. If the session key is nonexistent or doesn't validate, both cookies are deleted and the user is redirected to the homepage.
  • On secure pages, the process remains the same — a check is run for the secure session key cookie.
  • On logout, invalidate both cookies.
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜