Forum Discussion
Kevin_Stewart
Jul 26, 2016 (Employee)
To add to ekaleido's comments, this is the absolute worst thing you can do. At the very least you're breaking rule 2 in the OWASP Top 10, Broken Authentication and Session Management (https://www.owasp.org/index.php/Top_10_2013-Top_10), not to mention putting an easy target on your head for several other vulnerabilities, including XSS and XSRF.
It's probably fair to say that your application, once authenticated, will pass a token to the user, or in some other way maintain a session, and that data will be exposed in cleartext traffic after switching back to HTTP. Please don't do this. Industry best practice suggests that if you have anything on your site worth protecting, you should protect the whole thing.
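As an added illustration of "protect the whole thing" (example code, not from the post or any product it discusses): a small WSGI wrapper that redirects every plain-HTTP request to HTTPS, adds an HSTS header to HTTPS responses, and forces Secure and HttpOnly onto the session cookie so a browser never transmits the token in cleartext even if some page is still reachable over HTTP. The cookie name `session`, the `demo_login_app` handler and the `call` driver are assumptions made for the demo.

```python
from urllib.parse import urlunsplit

SESSION_COOKIE = "session"  # hypothetical name of the app's session cookie
HSTS = "max-age=31536000; includeSubDomains"


def harden_cookie(value):
    """Force Secure and HttpOnly onto the session cookie's Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    if not parts[0].startswith(SESSION_COOKIE + "="):
        return value
    attrs = {p.lower() for p in parts[1:]}
    if "secure" not in attrs:
        parts.append("Secure")    # browser will never send it over http://
    if "httponly" not in attrs:
        parts.append("HttpOnly")  # keeps it out of reach of injected script
    return "; ".join(parts)


def https_everywhere(app):
    """Redirect every plain-HTTP request to HTTPS; add HSTS to HTTPS responses."""
    def middleware(environ, start_response):
        if environ.get("wsgi.url_scheme") != "https":
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            target = urlunsplit(("https", host, environ.get("PATH_INFO", "/"),
                                 environ.get("QUERY_STRING", ""), ""))
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        def hardened_start(status, headers, exc_info=None):
            fixed = [(k, harden_cookie(v) if k.lower() == "set-cookie" else v)
                     for k, v in headers]
            fixed.append(("Strict-Transport-Security", HSTS))
            return start_response(status, fixed, exc_info)

        return app(environ, hardened_start)
    return middleware


def demo_login_app(environ, start_response):
    """Constructed stand-in for a login handler that issues a session cookie."""
    start_response("200 OK", [("Set-Cookie", "session=abc123; Path=/")])
    return [b"ok"]


def call(app, environ):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body
```

In a real deployment the scheme check has to account for a TLS-terminating proxy (typically via a forwarded-proto header you trust), and the session cookie should be issued only on HTTPS responses in the first place.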