SSL Login Structure
I have a members only celebrity photo and video gallery, for media professionals only. It's setup on a dedicated server and I have recently installed a wildcard SSL certificate.
I have a main public website which advertises our services, hosts the registrations forms and has the secure login form. The login form, when submitted, goes to the same server but to a different account/directory, like so:
From: https://www.mydomain.com/login To: https://subdomain.mydomain.com/login
... and then the login details get processed.
Does my login page need to be on https:// when they arrive on it, or does my login form need action="https://..." to make it secure? I'm not familiar with how SSL works.
If the landing page that has the login form isn't https, then an attacker can deliver whatever they want, and just rewrite the page to http. SSLStrip is a tool that an attacker can use to perform this attack.
But more importantly, who cares about the login page? Sure it should be protected, but a username and password isn't how the browser authenticates. The browser uses a cookie to authenticate with your web application; this is the real authentication token. It really doesn't mean anything if you login over https and then just spill the authentication token a few seconds later. The entire session must be over https or you will be in violation of OWASP A9.
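The two points above (the page carrying the form must be https so it cannot be rewritten in transit, and the session cookie must never travel over http) can be checked mechanically. The following is an added example, not code from the question or the answer: it audits a login page given the URL it was loaded from, its HTML, and the response headers from the login POST. The host names `www.mydomain.com` and `subdomain.mydomain.com`, the cookie name `sessionid`, and all header values are constructed stand-ins taken from the question's layout, not real sites.

```python
# Added example (not from the original post): audit a login page's transport
# security. All inputs below are constructed; the host names are the
# stand-ins used in the question, not real sites.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _PasswordForms(HTMLParser):
    """Collect the action of every <form> that contains a password field."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "password": False}
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            if self._form["password"]:
                self.actions.append(self._form["action"])
            self._form = None


def _cookie_flags(set_cookie):
    """Return (cookie name, set of lowercase attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    flags = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, flags


def audit_login_page(page_url, html, headers):
    """Return a list of findings. `headers` is a list of (name, value) pairs
    from the login response, since Set-Cookie may appear more than once."""
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()

    # 1. The page carrying the form must itself be https; otherwise an on-path
    #    attacker can rewrite the form before it is ever submitted (SSLStrip).
    if page_scheme != "https":
        findings.append(f"login page loaded over {page_scheme}: form can be rewritten in transit")

    # 2. The form action must also be https, or the credentials leave in clear text.
    parser = _PasswordForms()
    parser.feed(html)
    for action in parser.actions:
        target = urlsplit(urljoin(page_url, action))
        if target.scheme.lower() != "https":
            findings.append(f"credentials posted over {target.scheme}: {target.geturl()}")

    # 3. The session cookie is the real authentication token: Secure keeps it off
    #    http connections, HttpOnly keeps it away from page scripts.
    hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, flags = _cookie_flags(value)
            if "secure" not in flags:
                findings.append(f"cookie {cname!r} lacks Secure: it will also be sent over http")
            if "httponly" not in flags:
                findings.append(f"cookie {cname!r} lacks HttpOnly")
        elif lname == "strict-transport-security":
            hsts = True

    # 4. HSTS makes returning browsers refuse http for the host, closing the
    #    window SSLStrip relies on. Browsers ignore it on http, so only check on https.
    if page_scheme == "https" and not hsts:
        findings.append("no Strict-Transport-Security header: browsers may still try http first")

    return findings


# Constructed samples: the weak layout from the question, then a hardened version.
WEAK_PAGE = "http://www.mydomain.com/login"
WEAK_HTML = """<form method="post" action="http://subdomain.mydomain.com/login">
  <input name="user"><input type="password" name="pass"></form>"""
WEAK_HEADERS = [("Content-Type", "text/html"), ("Set-Cookie", "sessionid=abc123; Path=/")]

HARDENED_PAGE = "https://www.mydomain.com/login"
HARDENED_HTML = """<form method="post" action="https://subdomain.mydomain.com/login">
  <input name="user"><input type="password" name="pass"></form>"""
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Domain=mydomain.com; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_PAGE, WEAK_HTML, WEAK_HEADERS)),
                        ("hardened", (HARDENED_PAGE, HARDENED_HTML, HARDENED_HEADERS))):
        print(label, audit_login_page(*args) or ["no findings"])
```

Run against the weak sample it reports four problems (http page, http form action, cookie without Secure, cookie without HttpOnly); the hardened sample is clean. The interesting case is the one the question describes: an https page posting to an https subdomain still fails if the cookie set by that subdomain lacks the Secure flag, because the browser will then replay it on any plain-http link to the site.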