  1. #1

    using ssl on a popup submit

    With a lightbox style login form, is it possible to use ssl when the page isn't or to switch the protocol when the form is triggered? I'm also concerned with triggering browser warnings.

    Thank you E.

  2. #2
    paul_wilkins
    Originally posted by eruna:
    > With a lightbox style login form, is it possible to use ssl when the page isn't or to switch the protocol when the form is triggered? I'm also concerned with triggering browser warnings.

    No, that's not possible. You will be best served by loading up a new ssl page for the login form, or if applicable by using ssl for the whole site.
    Last edited by paul_wilkins; Dec 9, 2011 at 03:51.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  3. #3
    sdleihssirhc
    You could put the login form on an HTTPS page of its own, and then have an iframe or something in the lightbox. I think you get an error in IE about secure and insecure data on the same page if you do that (possibly other browsers as well), but it works.
    Last edited by sdleihssirhc; Dec 9, 2011 at 00:52. Reason: clarified meaning
    I'm the web overlord for Graphic Business Systems

  4. #4
    paul_wilkins
    Originally posted by sdleihssirhc:
    > You could put the login form on an HTTPS page of its own, and then have an iframe or something in the lightbox. I think you get an error in IE about secure and insecure data on the same page if you do that (possibly other browsers as well), but it works.

    Iframing an https page negates the purpose of an https though. It's not easily possible for a user to tell that the login is occurring via https, and it's entirely possible for an attacker to replace the iframe with their own login page.

    Do not defeat the security measures of https by putting it in an iframe.
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  5. #5
    sdleihssirhc
    Originally posted by paul_wilkins:
    > Iframing an https page negates the purpose of an https though. It's not easily possible for a user to tell that the login is occurring via https, and it's entirely possible for an attacker to replace the iframe with their own login page.

    I wondered about bringing that up, that embedding HTTPS with iframe seemed to defeat the purpose of using HTTPS... But the real issue is that mixing the two protocols at all defeats the purpose, no matter how it's attained.

    So I'll put the question here that I took out of my first post: Why would you want to do that? If you're trying to be secure, why make it less secure?

    Paul's (may I call you Paul?) original advice is still the best:

    Originally posted by paul_wilkins:
    > You will be best served by loading up a new ssl page for the login form, or if applicable by using ssl for the whole site.

    Last edited by paul_wilkins; Dec 9, 2011 at 03:52. Reason: fix "if if" from my quote
    I'm the web overlord for Graphic Business Systems
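
One way to apply the advice in this thread (serve the login form from its own HTTPS page and do not let it be framed), as an added example that is not from any poster: a request-routing function for a Node.js server. The host name `www.example.com`, the `/login` path and the function names are assumptions.

```javascript
// Added example, not code from the thread. Host and path are assumptions.
const CANONICAL_HOST = "www.example.com";
const LOGIN_PATH = "/login";
const HSTS = "max-age=31536000; includeSubDomains";

// Headers sent with the HTTPS login page.
function loginHeaders() {
  return {
    "Strict-Transport-Security": HSTS,
    // Refuse rendering inside any frame, so the form cannot sit in a lightbox iframe.
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY", // same rule for older browsers
    "Cache-Control": "no-store",
  };
}

// Decide the response for one request. `secure` is true when it arrived over TLS.
function decide({ secure, method, target }) {
  // Parse against a dummy base so only the path and query are reused.
  const u = new URL(target, "http://placeholder.invalid");
  if (!secure) {
    // Credentials posted over plain HTTP have already crossed the network
    // unencrypted; reject instead of redirecting the POST.
    if (method !== "GET" && method !== "HEAD") {
      return { status: 400, headers: {}, body: "Log in over HTTPS." };
    }
    // Fixed host, never the client-supplied Host header.
    const location = `https://${CANONICAL_HOST}${u.pathname}${u.search}`;
    return { status: 301, headers: { Location: location }, body: "" };
  }
  if (u.pathname === LOGIN_PATH) {
    return { status: 200, headers: loginHeaders(), body: "<form method=\"post\">...</form>" };
  }
  return { status: 200, headers: { "Strict-Transport-Security": HSTS }, body: "page" };
}

// Constructed sample requests.
const samples = [
  { secure: false, method: "GET", target: "/login?next=%2Faccount" },
  { secure: false, method: "POST", target: "/login" },
  { secure: true, method: "GET", target: "/login" },
];
for (const r of samples) {
  const out = decide(r);
  console.log(r.method, r.target, r.secure ? "https" : "http", "->", out.status, out.headers.Location || "");
}
```

The 400 on a plain-HTTP POST is a design choice of this example: it makes a form that still posts over HTTP fail visibly instead of being silently accepted.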

