Monday, May 2, 2011

Switching a User between SSL and Non-SSL Connections

Scenario:
Security is always a concern, and online users don't want to enter any sensitive information that can be easily stolen. To avoid such a case, web request/response transfer can be handled over SSL. But HTTPS connections come with a price: they make request/response slower.

So a hybrid approach is to use a secure connection while transferring any sensitive user information and a non-secure connection the rest of the time. Obviously user log-in is sensitive information, and we want the data transferred during user log-in to be secure.

At my company we have the secure connection set up on a different host. So the situation is not only switching between secure and non-secure connections, but also moving from one host to another during log-in.

Solution Adopted:
The user is on a page and signs into our website. The sign-in submit takes the user to the log-in processing on our secure host. On successful authentication, a cookie is dropped which can be used for any subsequent non-secure requests.

Thing to note about this cookie:
By default a cookie is scoped to the host that set it, i.e. a cookie with the default domain is only sent back to that host (in our case, secure.healthline.com).

To handle my case, I set the cookie's Domain attribute to ".healthline.com". This makes the cookie usable at the non-secure website as well.
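To make the Domain behaviour concrete, here is an added example (not the post's own code) that models the RFC 6265 Domain and Secure attribute rules just far enough to show which cookies dropped by secure.healthline.com are sent along with a plain-HTTP request to the public site. The host name www.healthline.com for the non-secure site is an assumption, and the cookie names and values are constructed.

```python
"""Cookie scoping demo for the secure-host / non-secure-host log-in switch.

Added example, not the post's own code. It models the Domain and Secure
attributes of RFC 6265 well enough to show which of the cookies set by
secure.healthline.com reach http://www.healthline.com/. The public host name
is assumed; cookie names and values are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str] = None  # None -> host-only cookie (the browser default)
    secure: bool = False          # Secure attribute: only sent over https
    http_only: bool = False       # HttpOnly attribute: hidden from page scripts


def set_cookie_header(c: Cookie) -> str:
    """Render the Set-Cookie response header a server would emit for c."""
    parts = [f"{c.name}={c.value}", "Path=/"]
    if c.domain:
        parts.append(f"Domain={c.domain}")
    if c.secure:
        parts.append("Secure")
    if c.http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain matching; a leading dot is ignored."""
    host = request_host.lower()
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def browser_accepts(c: Cookie, set_by_host: str) -> bool:
    """A server may only set a Domain that covers its own host name."""
    return c.domain is None or domain_matches(set_by_host, c.domain)


def will_be_sent(c: Cookie, set_by_host: str, request_host: str, scheme: str) -> bool:
    """Would the browser attach c to a request for scheme://request_host/ ?"""
    if not browser_accepts(c, set_by_host):
        return False  # rejected at Set-Cookie time, never stored
    if c.domain is None:
        in_scope = request_host.lower() == set_by_host.lower()
    else:
        in_scope = domain_matches(request_host, c.domain)
    if c.secure and scheme != "https":
        return False  # Secure cookies never travel over plain http
    return in_scope


SECURE_HOST = "secure.healthline.com"   # from the post
PUBLIC_HOST = "www.healthline.com"      # assumed name of the non-secure host

# Constructed cookies: the browser default (host-only), the post's approach
# (Domain=.healthline.com), and a Secure-flagged variant for comparison.
DEFAULT_COOKIE = Cookie("session", "abc123")
SHARED_COOKIE = Cookie("session", "abc123", domain=".healthline.com", http_only=True)
SECURE_ONLY_COOKIE = Cookie("session", "abc123", domain=".healthline.com", secure=True)


def reaches_public_site(c: Cookie) -> bool:
    """The check the post cares about: is c sent on http://www.healthline.com/ ?"""
    return will_be_sent(c, SECURE_HOST, PUBLIC_HOST, "http")


if __name__ == "__main__":
    for label, c in [("default", DEFAULT_COOKIE), ("shared", SHARED_COOKIE),
                     ("secure-only", SECURE_ONLY_COOKIE)]:
        print(f"{label:12} Set-Cookie: {set_cookie_header(c)}")
        print(f"{'':12} sent to http://{PUBLIC_HOST}/ -> {reaches_public_site(c)}")
```

Running the script shows the three outcomes: the host-only cookie stays with secure.healthline.com, the Domain=.healthline.com cookie is sent to the non-secure host, and a Secure-flagged cookie is withheld from any http request. That last row is the trade-off behind this design: a cookie that must work on non-secure pages cannot carry the Secure attribute, so it will travel in plaintext and should be kept separate from (and less privileged than) any cookie that authorizes sensitive actions on the secure host, which can stay Secure.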
