SSL Login Structure

I have a members only celebrity photo and video gallery, for media professionals only. It's setup on a dedicated server and I have recently installed a wildcard SSL certificate.

I have a main public website which advertises our services, hosts the registrations forms and has the secure login form. The login form, when submitted, goes to the same server but to a different account/directory, like so:

From: https://www.mydomain.com/login
To: https://subdomain.mydomain.com/login

... and then the login detail get processed.

Does my login page need to be on https:// when they arrive on it, or does my login form need action="https://..." to make it secure? I'm not familiar with how SSL works.

Answers


If the landing page that has the login form isn't https, then attacker can deliver wahtever they want, and just rewrite the page to http. SSLStrip is a tool that an attacker can use to perform this attack.

But more importantly, who cares about the login page? Sure it should be protected, but a username and password isn't how the browser authenticates. The browser uses a cookie to authenticate with your web application, this is the real authentication token. It really doesn't mean anything if you login over https and then just spill the authentication token a few seconds later. the entire session must be over https or you will be violation of owasp a9.


Need Your Help

best method for getting image ID from Instagram

php image api xpath instagram

I am writing an app that gets analytical data from Instagram though it requires the submission of the of the image ID.

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.