How to go from secure to insecure page without popup warning from browser?

joseph lam
Greenhorn

Joined: Oct 10, 2003
Posts: 18
Hi,

This might be a very basic question to lots of you - but how does one build a web page that "potentially" has a link to a "normal/insecure" page, e.g., when a user has completed a checkout sequence, there is a normal link for the user to go back to the insecure home page - however, that makes the page insecure, i.e., without the lock. So once a user jumps into a sequence of secure pages, how does he/she walk out of it without having the browser complain about "This page contains both secure and insecure items..."?

So how can we make the last secure page in the sequence able to go back out to the insecure world without making itself insecure (i.e., not all links are https)?

(Guess I can buy something from Amazon and look at their source, but I was hoping that someone knows this right away...)

Thanks!
joseph lam
Greenhorn

Joined: Oct 10, 2003
Posts: 18
Would form action work?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41089
As long as the page is loaded through HTTPS the lock should still be there, no matter whether the links on that page are HTTP or HTTPS. If an HTTP link is clicked the browser may show the dialog about leaving a secure page, but not the one about the page having insecure elements.


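The distinction drawn in the reply above, between HTTP links on an HTTPS page and insecure elements loaded into it, as an added example that is not part of the thread: a Python audit that groups a page's `http://` references by the role they play. The page URL, host names and sample HTML are constructed, and form targets are listed in their own group rather than judged.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag/attribute pairs the browser fetches while rendering the page itself.
EMBEDDED = {("img", "src"), ("script", "src"), ("iframe", "src"),
            ("audio", "src"), ("video", "src"), ("source", "src"),
            ("embed", "src"), ("object", "data")}

class HttpRefAudit(HTMLParser):
    """Collect http:// references, grouped by how the page uses them."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = {"embedded": [], "link": [], "form": []}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower()
        for name, value in attrs.items():
            if (tag, name) in EMBEDDED or (
                    (tag, name) == ("link", "href") and "stylesheet" in rel):
                kind = "embedded"  # loaded as part of the page (mixed content)
            elif (tag, name) == ("a", "href"):
                kind = "link"      # navigation target, fetched only on click
            elif (tag, name) == ("form", "action"):
                kind = "form"      # submission target, reported on its own
            else:
                continue
            # Resolve relative URLs against the page URL, then check the scheme.
            target = urljoin(self.page_url, value or "")
            if urlparse(target).scheme == "http":
                self.found[kind].append(target)

def audit(page_url, html):
    """Return {'embedded': [...], 'link': [...], 'form': [...]} of http:// URLs."""
    parser = HttpRefAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.found

# Constructed sample: the last page of a checkout sequence, served over HTTPS.
PAGE_URL = "https://shop.example.com/checkout/done"
SAMPLE = """
<link rel="stylesheet" href="/css/shop.css">
<script src="http://stats.example.com/t.js"></script>
<img src="http://img.example.com/logo.png">
<a href="http://www.example.com/">Back to the home page</a>
<form action="http://www.example.com/search"><input name="q"></form>
"""
```

Entries under `embedded` are the ones to move to HTTPS first; the relative stylesheet resolves to `https://` and is not reported.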
joseph lam
Greenhorn

Joined: Oct 10, 2003
Posts: 18
My experience is that the browser won't "endorse" a page with the lock if the page has regular http links(**) - at least for the latest browsers that I am using - IE or Firefox.

Does anyone know whether that's a new browser feature?

Hm... I wonder if it's actually the web server that (when returning the encrypted page) is the one to inspect the links and report that "partial secure" status back to the browser instead. I don't really know the full rules regarding this, e.g., if (**) is true, would there still be encryption carried out? (I suspect yes, since it's done at a lower network/socket layer, I think, regardless of the application content, our web page in this case.)

Any feedback is greatly appreciated!
joseph lam
Greenhorn

Joined: Oct 10, 2003
Posts: 18
Btw, I am sure "embedding" the insecure links inside servlets or "ActionForward" of Struts via HTML form or Struts form would work. But I am wondering about the case for plain HTML or PHP (ouch... it's a Java forum) code.

Actually, even then, would the browser complain about leaving the secure area upon the form submission?
Ulf Dittmer
Marshal

Joined: Mar 22, 2005
Posts: 41089
No, that's a browser-only thing. The server has no say in whether it's considered secure or not.
joseph lam
Greenhorn

Joined: Oct 10, 2003
Posts: 18
So to get back to the main question: with these newer browsers, how could we preserve the lock at the last secured page, before leaving the secure area then?
 