Question on Login HTTP to HTTPS

Status
Not open for further replies.

neomorpheus

Programmer
Mar 9, 2001
47
US
I am working on a project that involves securing our login forms. Currently we have a login box on the homepage (not secure). We do have SSL on our whole site, so and work well. I have tried to submit the login on the homepage to a Though it works well, it is my opinion that to be totally secure, the login process needs to happen from a https to https page. So in this case our homepage, which is not secure, could not have securely transmitted the info to the https page. Am I right?

Once I reach the secure page and move to a non-secure page, I get an annoying popup warning me of the impending danger :)

My question is-

Is there a workaround to make sure that the data is totally encrypted moving from http to https? Is there a way to get rid of the annoying https to http warning popup?

For example-
The login on the homepage is not https. But when submitted, it goes to a https page. Is that really secure?

Thanks for taking the time to read thru this and I hope you can shed some light on this topic for me. Much appreciated. Thanks.
 
What I do is allow users to surf the site not on a secure connection but they can't login and won't be recognized as logged in unless they're on the secure server.

I view it as better for the server to let the "harmless surfing" be non secure..

Here's some basic code that I use for the login box for instance

Code:
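<cfoutput><cfif cgi.server_port_secure eq 0>
    <!--- Request arrived over plain HTTP: offer a link to the secure server instead of a login box --->
    ...connection not secure...
    <a href="https://secureserver.com">Click here to secure</a>
  <cfelse>
    <!--- Request arrived over HTTPS: safe to render the login form --->
    ...show login box...
</cfif></cfoutput>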

ALFII.com
---------------------
If this post answered or helped to answer your question, please reply with such so that forum members with a similar question will know to use this advice.
 
Thanks for your feedback. I agree with your perspective. My problem lies in the fact that I would like to secure the login process. I want the login details to be encrypted and secure. Since the requirements involve placing the login box on the homepage (not secure, http), submitting the form to a https submit page really doesn't provide the necessary security. The data from a http page on the way to a https page can still be sniffed on. But some popular websites do offer this option and I am not sure if it is the right thing to do. Additionally, I do not want to make my homepage https.

However, I do have a https login page that visitors are directed to if they plan to login after a bit of surfing. I fake submit to a https page to make the data secure and redirect to the page they wanted to go to. So that part of it is cool. It's the homepage login that bothers me, as I am unable to find any standard procedure for it.

Any thoughts? Thanks for the help.
 
May require some adaptation..

Code:
<cfoutput><cfif cgi.server_port_secure eq 0>
    <!--- Not on HTTPS: redirect to the same script and query string on the secure server --->
    <cflocation url="https://#cgi.server_name#/#cgi.script_name#?#cgi.query_string#">
</cfif></cfoutput>

Cgi.script_name may not ideally output the absolute part of the url.. you may have to do it like this..

Code:
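<cfoutput><cfif cgi.server_port_secure eq 0>
    <cfset xurl=cgi.script_name>
    <!--- The "bold line" from the original post: drops the first "/"-delimited element of the path --->
    <cfset xurl=listdeleteat(xurl,1,"/")>
    <!--- Redirect using the trimmed path (the original built xurl but never used it) --->
    <cflocation url="https://#cgi.server_name#/#xurl#?#cgi.query_string#">
</cfif></cfoutput>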

You might have to use the bold line a few times, just copy it and paste it immediately below itself...

ALFII.com
---------------------
If this post answered or helped to answer your question, please reply with such so that forum members with a similar question will know to use this advice.
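
The following is an added example, not code from either poster. It combines the two replies (redirect to HTTPS, show the login box only on a secure connection) with a check for the case the question raises: a form delivered over HTTP is unauthenticated content, so the login page here refuses credentials that arrive over HTTP and only ever serves the form over HTTPS. The file name `login.cfm`, the field names `username` and `password`, and the HSTS max-age are assumptions.

```cfml
<!--- login.cfm: added example; the file name, field names and HSTS
      max-age are assumptions, not values from the thread. It also assumes
      cgi.server_name is the site's canonical host name. --->
<cfif cgi.server_port_secure eq 0>
    <cfif cgi.request_method eq "POST">
        <!--- The credentials already crossed the network in clear text.
              Refuse them instead of redirecting: a redirect would drop the
              POST body and hide the misconfigured form. --->
        <cfheader statuscode="400" statustext="Bad Request">
        <cfoutput>Login must be submitted over HTTPS.</cfoutput>
        <cfabort>
    </cfif>

    <!--- cgi.script_name already starts with "/", so no extra slash is
          added, and "?" is appended only when a query string exists. --->
    <cfset secureUrl = "https://" & cgi.server_name & cgi.script_name>
    <cfif len(cgi.query_string)>
        <cfset secureUrl = secureUrl & "?" & cgi.query_string>
    </cfif>
    <cflocation url="#secureUrl#" addtoken="no">
</cfif>

<!--- From here on the request arrived over HTTPS. Ask the browser to use
      HTTPS for this host on future visits. --->
<cfheader name="Strict-Transport-Security" value="max-age=31536000">

<cfif cgi.request_method eq "POST"
      and structKeyExists(form, "username")
      and structKeyExists(form, "password")>
    <!--- Pass form.username and form.password to the application's own
          credential check at this point. --->
    <cfoutput>Credentials received over HTTPS.</cfoutput>
<cfelse>
    <!--- The form itself is served over HTTPS and posts to an absolute
          HTTPS URL, so the page and the submission are both protected. --->
    <cfoutput>
    <form method="post" action="https://#cgi.server_name##cgi.script_name#">
        <input type="text" name="username">
        <input type="password" name="password">
        <input type="submit" value="Log in">
    </form>
    </cfoutput>
</cfif>
```

A homepage served over HTTP can then carry a plain link to this page rather than the form itself.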
 