开发者

SSL login and registration over JSONP

I would like to keep my site's login & registration secured over SSL. Instead of redirecting users to a dedicated SSL page, I'd like to have the site's login & registration forms appear in an overlay, so that no page refresh is needed after login.

I haven't seen any larger sites us开发者_如何学运维e this method. Sites like Youtube, Delicious and FriendFeed redirect users to a dedicated SSL page. Facebook does a form post from http to https. And other sites like Digg and reddit just skip using SSL altogether.

Is there a reason why no one is using SSL over JSONP for user authentication? I'm not storing sensitive data like personal info or any e-commerce related info. But I would like to secure email addresses and passwords.


There really isn't much point in using HTTPS for only the login because you are still violating OWASP A9. An attacker can still use an application like FireSheep to hijack the session id. Service that care about security such as gmail and gihub, soon to be facebook and twitter use HTTPS for the life of the session.

In terms of JSONP, make sure the client's request is HTTPS and further more make sure the proxied request is also HTTPS, although this is not as vital as the first hop. As always don't forget about CSRF and JSONP.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜