I would like to secure logins by redirecting users to https://secure.domain.com/login, then on a successful login redirect them back to a plain HTTP website, bringing the session with them. Is this secure? Should I just buy a multi-domain plan so it secures subdomains and the parent domain? I'm puzzled.

TL;DR - Is transferring a login session from HTTPS to HTTP secure?

davidxd33

1 Answer
Is transferring a login session from HTTPS to HTTP secure?

No.

You have two dataflows. One is the {username, password} to the server used for authentication. The second is the token or cookie returned to the client (and the client sending it to the server on subsequent requests).

The first dataflow is protected by HTTPS, and it's OK (some hand waving).

The subsequent dataflows utilize HTTP, so anyone who is in position can read and subsequently use the token or cookie.

It's also bad to mix and match HTTP/HTTPS due to downgrade attacks (or makes matters worse). See, for example, Why is TLS susceptible to protocol downgrade attacks?

jww