https during login page, then change to http

Hi Tin,

 

On what condition do you want to go back to http? After a successful login? If so why can't the application simply redirect you back to the HTTP after a successful login? I.E if you want the F5 to do this then the website would need to pass back some kind of validated token so the F5 can send a redirect back HTTP.

 

 

Bhattman

This can either be quite simple or very complicated, depending on the app. See this post for details:

 

 

Mixed noSSL/SSL site - redirect problems

 

http://devcentral.f5.com/Default.aspx?tabid=53&view=topic&postid=1167723&ptarget=1167856

 

 

As Bhattman suggests, if it's possible to change the app, it would be much simpler.

 

 

Aaron

Just a quick question, and my 5p worth (With the state of the pound it's gone up from the usual 2p)... If the security of the site is such that you need to authenticate with SSL, why is non-SSL traffic OK afterwards?

 

 

HTTP is just too easy to hijak... No matter what you do, any access after you switch to HTTP can only be considered to be suspect... And if you share the authentication cookie (Assuming you're using cookies) between SSL and non-SSL your SSL is now suspect too.

 

 

(In fact I can think of exactly ONE instance where it would be useful. To customise the look of a page by user... But only if SSL & non-SSL authentication information isn't shared, the data is non-sensitive and the HTTP portion is read-only).

 

 

H