I've never thought it was necessary, but a client has requested that all webpages served to logged-in users be delivered over HTTPS.
Question
I've never thought it was necessary, but a client has requested that all webpages served to logged-in users be delivered over HTTPS.
Aside from the implementation standpoint, which I don't think I'm going to pursue, is there any real reason for this request?
For clarity, the login / logout process, account settings, registration preferences and all user-related scripts are served over HTTPS, but I can't see the point in my news articles, press releases, events etc. being served in this manner. Am I missing something?
Explanation / Answer
This is basic security. Since HTTP is stateless, even if a user is logged in, the browser still needs to effectively re-authenticate for every single page load (otherwise the server has no way of knowing that this particular user is logged in).
The usual ways to do this are via a special cookie, or by including some token in each rendered page (e.g. as a parameter of all links).
No matter how it's implemented, the key point is: Every time the browser requests a page it will have to send some secret session key or similar.
So unless you serve everything over HTTPS, the session of a logged-in user can be hijacked through a man-in-the-middle attack.
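To make the answer's point concrete, here is an added example (my own code, not part of the question or the answer above) that uses Python's standard-library cookie jar as a stand-in for a browser. It logs in over https://example.com/login, receives a session cookie, and then checks which Cookie header a browser-like client would attach to a request for a news article at http://example.com/news/42. The hostname, URLs and the cookie value `session=c0ffee` are all constructed for the demo.

```python
"""Added example (not from the original question or answer).

Shows which cookies a browser-like client attaches to an http:// request
after a login over https://. Hostname, paths and cookie values are
constructed for the demo.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request

LOGIN_URL = "https://example.com/login"        # assumed HTTPS login endpoint
ARTICLE_URL = "http://example.com/news/42"     # assumed plain-HTTP article page


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only calls .info()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def login(set_cookie_headers):
    """Simulate the server's login response over HTTPS; return the cookie jar."""
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie_headers), Request(LOGIN_URL))
    return jar


def cookie_header_for(jar, url):
    """Return the Cookie header the jar would send with a request for url, or None."""
    req = Request(url)
    jar.add_cookie_header(req)   # applies the same domain/path/Secure rules a browser does
    return req.get_header("Cookie")


def demo():
    # A typical session cookie: HttpOnly, but without the Secure attribute.
    weak = login(["session=c0ffee; Path=/; HttpOnly"])
    # The same cookie marked Secure: only ever sent over HTTPS.
    secure = login(["session=c0ffee; Path=/; HttpOnly; Secure"])
    https_article = ARTICLE_URL.replace("http://", "https://", 1)
    return {
        # Sent in cleartext on the news page -> readable by anyone on the path.
        "weak_on_http": cookie_header_for(weak, ARTICLE_URL),
        # Withheld on the plain-HTTP news page.
        "secure_on_http": cookie_header_for(secure, ARTICLE_URL),
        # Still sent when the same page is served over HTTPS.
        "secure_on_https": cookie_header_for(secure, https_article),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

With the cookie set the usual way, the "weak_on_http" case shows `session=c0ffee` travelling in cleartext with every request for a news article, which is exactly what a man-in-the-middle on the same network needs to hijack the session. Adding the `Secure` attribute stops that one leak, but it is a mitigation for the cookie, not for the page: the logged-in user is still reading a plaintext page that an attacker on the path can rewrite (for example to inject a script or a fake login form), and the browser will still make the initial http:// request unless the site also sends an HSTS header. That is why the client's request to serve everything to logged-in users over HTTPS is the real fix rather than an over-cautious one.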