Hi, I got a pretty tough question here (at least tough to me).

My web application uses a mixture of http- and https-served pages. The user can log in securely with https, and view her "profile" within a secured page as well. Here's my problem: as you know, forms authentication sets a cookie on the client to "remember" who the user is. However, being logged in (with the cookie still alive), the user can browse to any of the http pages within the application, for example the home page. Doing so, the request for http://www.omniscienttrader.com/default.aspx will send, along with the request, my authentication cookie, **all that in plain, clear http**.

Could a talented hacker hijack the cookie during that request, and then access the https pages, thus stealing the identity of my poor user? I think so... With that in mind, is it a bad design to allow switching from http to https and vice-versa inside a single web application?

Thank you very much!!

David.

David Lacerte
Chief Knowledge Officer
Omniscient Technology Inc

===================================
This list is hosted by DevelopMentor® http://www.develop.com
View archives and manage your subscription(s) at http://discuss.develop.com
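The usual mitigation for the situation David describes, shown here as an added example rather than anything from the original post or the mailing list: the ASP.NET forms-authentication web.config that lets the ticket cookie travel over plain http, beside the hardened version that marks the cookie Secure (and HttpOnly) so the browser only ever sends it over https. The login page path is an assumption; the two fragments are alternative web.config files, not one document.

```xml
<!-- WEAK (default): the forms ticket cookie carries no Secure flag, so the
     browser attaches it to every request, including
     http://www.omniscienttrader.com/default.aspx, where it is readable on
     the wire by anyone positioned between the user and the server. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- ~/Login.aspx is an assumed path for this example -->
      <forms loginUrl="~/Login.aspx" />
    </authentication>
  </system.web>
</configuration>

<!-- HARDENED: requireSSL="true" on <forms> makes FormsAuthentication issue
     the ticket cookie with the Secure attribute and refuse to issue it on a
     request that did not arrive over https. <httpCookies> applies the same
     Secure attribute to every cookie the application sets (including the
     session cookie) and adds HttpOnly so page script cannot read them.
     Consequence for a mixed http/https site: on the http pages the browser
     omits the cookie, so those pages see the user as anonymous. Any page
     that needs the identity must therefore be served over https, which is
     why the practical answer to the design question is "serve the whole
     authenticated area, or the whole site, over https". -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" requireSSL="true" />
    </authentication>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

To confirm the change took effect, log in and check in the browser's developer tools (or an intercepting proxy you control) that the Set-Cookie header on the login response now carries `secure` and `HttpOnly`, and that a subsequent request to an http page of the site carries no authentication cookie at all.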