Its possible to secure Jquery ui dialog with https when the rest of the page in http?
The Case: UI JQuery Dialog should contain credit data of customer, when the rest of the page is product catalog in http.
Question: Its possible to secure Jquery ui dialog with https when the rest of the page in http? or all the page have to be https and not o开发者_如何学JAVAnly dialog?
(What I know that dialog is part of the page because that its cant be secure, but my boss say i wrong).
Thanks
The answer is without a doubt NO. If you don't protect the entire session with HTTPS then an attacker will obtain the session id and use that instead of username/password.
What you are describing is a clear violation of The OWASP top 10: Broken Authentication and Session Management.
The "page" doesn't need to be HTTPS. Only the connection that is grabbing the info (as long as that data doesn't persist on the non-secure page to another non-secure page).
Security like this works on a transaction basis.
Once you load your page non-securely (HTTP) you can load up the secure content as long as your ajax is hitting a secure url (HTTPS).
Beyond that there are definitely other security concerns when dealing with secure user data, but as long as the call that is grabbing that data is done over an HTTPS connection, then you are good.
Another example of this is if you made a form taking users' information. The page containing the form doesn't need to be delivered via HTTPS, you only need HTTPS when the user is submitting that data to your app for processing. Don't thing of the "page" as being secured by HTTPS, just the "transaction".
EDIT:
Rereading your question, I think I may have made an assumption. IF you are grabbing this secure data after your page loads, and you do so using ajax over an HTTPS connection you are good.
But in your question you don't mention using ajax. If you are grabbing all data and sending it to the user all at once, and then just hiding/displaying it on the page then YES, that page needs to be HTTPS. You are still transferring secure data over an non-secure connection even if the end page is 'hiding' it.
精彩评论