On Fri, May 23, 2014 at 2:53 AM, stephanos <[email protected]> wrote:

> Well, this can't be! How are others solving this?
>

On Wed, Apr 30, 2014 at 3:09 AM, Vinny P <[email protected]> wrote:

> I don't believe there's a way to do that.
> If you want a workaround, you could try hosting a HTTPS version of your
> site on one subdomain, and the regular HTTP version on another subdomain.
> Mark the cookie as only available on a single subdomain.
>



There are a couple of ways to solve this. The easiest would be to make your
site available through HTTPS only - detect if the user is using an
unencrypted connection, and if so, redirect to the HTTPS equivalent URL.
Forcing HTTPS everywhere isn't too much of a burden - a Gmail engineer
wrote that SSL accounts for less than 1% of CPU load and less than 2% of
network overhead
<https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html>.

Another way - as I noted above - is to use unencrypted connections on one
subdomain and force HTTPS if using a site through a separate subdomain.
Reddit does this: most connections on reddit are unencrypted, try this link
and inspect in the console: http://www.reddit.com/r/google

But if you use the pay.reddit.com subdomain, all communications are forced
to be encrypted. Inspect this page in your console:
https://pay.reddit.com/r/google . If you try and visit
pay.reddit.com without using HTTPS, you'll get an error message:
http://imgur.com/9K81FoB

Another alternative is to set up nginx or another server as a reverse
proxy, and configure it to rewrite cookies with respect to secure/unsecure
connections. This option is difficult to configure though.


-----------------
-Vinny P
Technology & Media Advisor
Chicago, IL

App Engine Code Samples: http://www.learntogoogleit.com
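
An added example, not part of the original message and not App Engine's own code: the HTTPS-only option sketched as a Python WSGI middleware that redirects plain-HTTP requests to the HTTPS equivalent URL and, doing in the app the cookie rewrite that the reverse-proxy option describes, adds the Secure attribute to cookies. The names `https_only`, `has_secure`, `sample_app` and `run`, the host `www.example.com` and the cookie value are constructed, and the server is assumed to report the client's scheme in `wsgi.url_scheme`.

```python
from wsgiref.util import request_uri, setup_testing_defaults


def has_secure(cookie):
    # Attributes follow the first ';' of a Set-Cookie value.
    return any(p.strip().lower() == "secure" for p in cookie.split(";")[1:])


def https_only(app):
    """Redirect plain-HTTP requests to the HTTPS equivalent URL and add the
    Secure attribute to any cookie the wrapped app sets over HTTPS."""
    def middleware(environ, start_response):
        # Assumption: the server reports the client's scheme in wsgi.url_scheme.
        if environ.get("wsgi.url_scheme") != "https":
            target = "https://" + request_uri(environ).split("://", 1)[1]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def secure_start(status, headers, exc_info=None):
            fixed = [(n, v + "; Secure")
                     if n.lower() == "set-cookie" and not has_secure(v)
                     else (n, v) for n, v in headers]
            return start_response(status, fixed, exc_info)
        return app(environ, secure_start)
    return middleware


def sample_app(environ, start_response):
    # Constructed app: sets a session cookie without the Secure attribute.
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Set-Cookie", "sid=abc123; Path=/; HttpOnly")])
    return [b"hello"]


def run(scheme, path="/account", query="tab=1"):
    """Drive the wrapped sample app with a constructed request."""
    environ = {"wsgi.url_scheme": scheme, "HTTP_HOST": "www.example.com",
               "PATH_INFO": path, "QUERY_STRING": query}
    setup_testing_defaults(environ)  # fills in the remaining WSGI keys
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, headers
    body = b"".join(https_only(sample_app)(environ, start_response))
    return seen["status"], dict(seen["headers"]), body
```

Because the plain-HTTP branch returns before the wrapped app runs, no Set-Cookie header is ever emitted on an unencrypted response.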
