joined:Mar 29, 2006
Have a potential silly/embarassing question, but it's late and I need a slap of reality right now.
Have a site I am working on that currently uses a pop-up style login method. Essentially, anywhere on the site the user can click 'login' ala Digg, etc and a dialog pops up that asks for user/pass.
Now, the problem with this is that the dialog contents will be the same protocol as the page that calls it, in that when the dialog is called from a non-secure page, the contents also are non-secure. The form then submits username/password to a secured via https script that processes the data and send them back out to wherever they were when they clicked login.
So I am having trouble getting my head around this for some reason... as it looks like lots of services, such as Facebook, Digg, etc send user/pass combos from non-secure input forms to secure authentication scripts... would the data not be exposed on it's way to the secure script, as we are just negotiating a secure connection? Wouldn't you want to have the input form secured as well, or am I missing something? And if you DO want the form itself secured, any ideas as to why Facebook, etc doing it the way they are? I only ask that last question, as it will be very tough to get away from the current method I am working on, and if a solution/workaround exists, I may need to employ it.
Sorry for the ramble, thanks for any help!