Secure cookies on insecure page

         

csdude55

2:51 am on Jan 20, 2017 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I know this seems like remedial stuff, but I haven't had to deal with this in years!

Thanks to Google forcing my sites to move all pages to secure, I'm having to modify some things. One of the issues is that when my users log in, I haven't specified a domain, I just set name, value, and expires. So right now, I'm beta testing on a secure subdomain (https://beta.example.com), and those cookies aren't readable.

So two questions:

1. How do I set the cookie on the insecure page so that it can be read on the secure subdomain, and then later the secure domain (without the subdomain)? IIRC, I can set it for the subdomain by using domain=.example.com, but that wouldn't be readable on the secure domain. And also, I don't think I can use domain=.example.com; Secure on an insecure page, can I?

2. Is there any way to check for the proper cookie directives on the insecure domain (without subdomain), and if it doesn't have them then I can reset the cookie?

keyplyr

3:39 am on Jan 20, 2017 (gmt 0)


"How do I set the cookie on the insecure page"

Very gently :)

Can't you just make the entire domain HTTPS? That would be the best way. Using non-secure directories that share cookies with secure directories can be troublesome, as you've found out.
Secure cookies can only be sent over HTTPS (SSL). Non-Secure cookies can be sent over HTTPS or regular HTTP.
source: hackguide4u.com/2010/10/cookie-structuresecure-vs-non.html

csdude55

4:03 am on Jan 20, 2017 (gmt 0)


That's what I'm doing, moving everything over to HTTPS. But I know that a lot of my users aren't going to remember their usernames, so when they come to the "moved" site and see that they're logged out then they'll either abandon the site or ask for help (which, I'm talking about 120,000 weekly visitors, so that's a LOT of customer service!).

So what I'd rather do is, on the current insecure pages, go ahead and change the cookie to work on secure pages if I can. Then when I move everything over, most of them will be corrected.

If I'm reading correctly, though, then the cookie I set without a domain specified should be readable on the secure domain, anyway? So if that's the case, then the new subdomain is my only issue, and adding domain=.example.com should fix it?

keyplyr

4:52 am on Jan 20, 2017 (gmt 0)


Theoretically
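
Added example (not part of any post in this thread): a simplified JavaScript model of the RFC 6265 rules the thread is asking about, showing which requests a cookie is attached to depending on its Domain and Secure attributes. The function names and the `sid` cookie are hypothetical; Path, expiry, SameSite and public-suffix checks are left out, and the refusal of a Secure cookie set from an http:// page follows the later rfc6265bis rule that current browsers enforce.

```javascript
// Added example: simplified model of RFC 6265 cookie scoping (Domain and Secure only).
// Path, expiry, SameSite and public-suffix checks are deliberately left out.

// Build a stored cookie from the page that sets it and the attributes it sends.
function storeCookie(setterUrl, { name, value, domain, secure = false }) {
  const u = new URL(setterUrl);
  // rfc6265bis ("Leave Secure Cookies Alone"): an http:// page cannot set a Secure cookie.
  if (secure && u.protocol !== "https:") return null;
  if (!domain) {
    // No Domain attribute: host-only cookie, bound to the exact setting host.
    return { name, value, domain: u.hostname, hostOnly: true, secure };
  }
  const d = domain.replace(/^\./, "").toLowerCase(); // a leading dot is ignored
  // The setter must be the named domain or one of its subdomains.
  if (!domainMatch(u.hostname, d)) return null;
  return { name, value, domain: d, hostOnly: false, secure };
}

// RFC 6265 section 5.1.3 domain-match (IP-address hosts are not handled here).
function domainMatch(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Would the browser attach this cookie to a request for requestUrl?
function isSent(cookie, requestUrl) {
  if (!cookie) return false; // the cookie was never stored
  const u = new URL(requestUrl);
  if (cookie.secure && u.protocol !== "https:") return false;
  return cookie.hostOnly ? u.hostname === cookie.domain
                         : domainMatch(u.hostname, cookie.domain);
}

// Constructed scenario using the thread's example hosts.
function scenario() {
  const urls = ["http://example.com/", "https://example.com/", "https://beta.example.com/"];
  const login = "example.com/login";
  const wide = { name: "sid", value: "x", domain: ".example.com" };
  const cases = {
    hostOnly: storeCookie("http://" + login, { name: "sid", value: "x" }),
    domainWide: storeCookie("http://" + login, wide),
    secureFromHttp: storeCookie("http://" + login, { ...wide, secure: true }),
    secureFromHttps: storeCookie("https://" + login, { ...wide, secure: true }),
  };
  const out = {};
  for (const [label, c] of Object.entries(cases)) out[label] = urls.map((url) => isSent(c, url));
  return out;
}

console.log(scenario());
```

Each array in the output lines up with the three URLs in `urls`, in order: plain-HTTP apex, HTTPS apex, HTTPS beta subdomain.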