3

I have a user login/reg system with a user management admin area.

Just some background:

Currently the login is all 'ajaxy' so the user clicks login and the loading gif swirls around while in the background the details are checked, sessions created.

If all goes well the client side javascript refreshes the page to the correct location.

The questions:

Now if I wanted to use SSL, what do I do?

    1. The "ajax" call - I need to secure this - do I do this by making the call to https - is that enough?

    2. Should the redirect after login also go to https

(the site owner should already have an SSL certificate etc)

Thanks

KB.
  • possible duplicate of [Secure popup login possible?](http://stackoverflow.com/questions/8888003/secure-popup-login-possible) – Bruno Mar 21 '12 at 11:36

2 Answers

4

Everything needs to go through SSL.

  1. If the page is HTTP and the Ajax goes to HTTPS then you'll bounce off the same origin policy
  2. If the conditions are as above but you use CORS to work around the policy then a man-in-the-middle attack could alter the page the request is made from and add (for example) extra JS to steal the credentials from the page (instead of from the HTTP request)
  3. If you redirect to HTTP once the user is logged in, then you are vulnerable to the Firesheep problem

So display the login page via SSL, and once the user is logged in, keep using SSL.

Quentin
  • If the login page is displayed via SSL - will the ajax call automatically assume https or should I code that in? – KB. Mar 21 '12 at 21:08
  • Anything involving Ajax requires that a URL be entered somewhere. Absolute URLs work like any other absolute URL. Relative URLs work like any other relative URLs. – Quentin Mar 21 '12 at 21:11
  • Wouldn't using SSL over an entire site create a tremendous amount of overhead? – Nate Apr 01 '15 at 20:51
  • @Nate — Not any more. The computers we use this century are more than capable of handling the CPU hit that encryption requires. – Quentin Apr 01 '15 at 21:21
  • @Quentin So why don't most sites force SSL? StackOverflow doesn't. Also, interestingly, my CDN charges significantly more if I use SSL (even with their shared certificate) instead of plain HTTP requests. – Nate Apr 01 '15 at 21:38
  • @Nate — It takes effort and there's still a lot of traction for the old idea that it was hideously expensive. – Quentin Apr 01 '15 at 22:28
2

Everything that's sent over an SSL connection is encrypted, so yes; making your AJAX calls use SSL will be enough. In practice, you will also need to have the page that's issuing the AJAX calls use SSL to avoid origin policy problems.

Whether you redirect to a relative or absolute path doesn't matter security-wise, it's only a matter of taste.

Assuming you don't want the user's cookie or other actions to get sniffed, then yes, after the user has logged in, all the following communication should also be using SSL. HTTPS doesn't cause much overhead, so there's generally no reason to not use it if it's available to you.

kba
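Both answers come down to the same rule: serve the login page over HTTPS, let the Ajax call inherit that scheme, and keep the post-login redirect and session cookie on HTTPS. The following is an added example (not code from either answer) showing how each of those points looks in plain browser/Node JavaScript; the host example.test and the function names are this example's own.

```javascript
// Added example: helpers that keep an Ajax login flow on HTTPS end to end.
// No framework; the host example.test and these function names are assumptions.

// Resolve the URL an Ajax call will hit. A relative URL inherits the scheme of the
// page (an HTTPS page keeps its Ajax on HTTPS); an absolute URL keeps its own scheme.
function resolveAjaxUrl(pageUrl, target) {
  return new URL(target, pageUrl).href;
}

// True when an HTTPS page would issue a plain-HTTP request: the scheme is part of
// the origin, so the same-origin policy rejects it, and browsers also block it as
// mixed content. This is the "bounce off the same origin policy" case above.
function isMixedContent(pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl, pageUrl);
  return page.protocol === 'https:' && req.protocol === 'http:';
}

// Where to send the browser after a successful login: same path, always HTTPS,
// so the session cookie is never replayed over plain HTTP (the Firesheep problem).
function postLoginRedirect(pageUrl, target) {
  const dest = new URL(target, pageUrl);
  dest.protocol = 'https:';
  return dest.href;
}

// Set-Cookie value for the session: Secure keeps it off HTTP, HttpOnly keeps it
// away from injected script, SameSite=Lax limits cross-site sends.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Response headers for the login endpoint: the cookie above plus HSTS, which tells
// the browser to stay on HTTPS for later visits instead of starting on HTTP.
function loginResponseHeaders(sessionId) {
  return {
    'Set-Cookie': sessionCookie('sid', sessionId),
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  };
}

// Constructed sample: the login page served over HTTPS, calling a relative endpoint.
const page = 'https://example.test/login';
console.log(resolveAjaxUrl(page, '/ajax/login'));                     // https://example.test/ajax/login
console.log(isMixedContent(page, 'http://example.test/ajax/login'));  // true
console.log(postLoginRedirect(page, '/account'));                     // https://example.test/account
```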