eruna — 2011-12-08T08:11:39-05:00 — #1
With a lightbox style login form, is it possible to use ssl when the page isn't or to switch the protocol when the form is triggered? I'm also concerned with triggering browser warnings.
Thank you E.
paul_wilkins — 2011-12-08T17:42:54-05:00 — #2
No, that's not possible. You will be best served by loading up a new ssl page for the login form, or if applicable by using ssl for the whole site.
sdleihssirhc — 2011-12-09T01:52:01-05:00 — #3
You could put the login form on an HTTPS page of its own, and then have an iframe or something in the lightbox. I think you get an error in IE about secure and insecure data on the same page if you do that (possibly other browsers as well), but it works.
paul_wilkins — 2011-12-09T02:59:22-05:00 — #4
Iframing an https page negates the purpose of an https though. It's not easily possible for a user to tell that the login is occurring via https, and it's entirely possible for an attacker to replace the iframe with their own login page.
Do not defeat the security measures of https by putting it in an iframe.
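Added example, not part of the thread and not any poster's code: one way a server could enforce the advice in posts #2 and #4, by serving the login form only as its own HTTPS page and telling browsers never to render it inside a frame. The host name, the `/login` path and the `decide` function are assumptions made for illustration; the request object has the shape of a Node.js `http` request.

```javascript
// Hypothetical configuration: replace with the site's own values.
const CANONICAL_HOST = "www.example.com"; // placeholder host
const LOGIN_PATHS = new Set(["/login"]);  // assumed login route

// Headers that stop any page (including our own) from embedding the login form.
const ANTI_FRAMING = {
  "Content-Security-Policy": "frame-ancestors 'none'",
  "X-Frame-Options": "DENY", // for browsers that predate frame-ancestors
};

// Decide how to answer a request before any page content is produced.
function decide(req) {
  // Node sets socket.encrypted to true on TLS connections only.
  const secure = Boolean(req.socket && req.socket.encrypted);
  // Parse against a fixed base; only path and query are taken from the client.
  const url = new URL(req.url, "http://placeholder.invalid");
  if (!LOGIN_PATHS.has(url.pathname)) {
    return { status: 200, headers: {} };
  }
  if (!secure && req.method !== "GET") {
    // Credentials already crossed the wire in cleartext; refuse, do not redirect.
    return { status: 403, headers: {} };
  }
  if (!secure) {
    // Redirect to the configured host, never to the client-supplied Host header.
    const target = `https://${CANONICAL_HOST}${url.pathname}${url.search}`;
    return { status: 301, headers: { Location: target } };
  }
  return {
    status: 200,
    headers: { ...ANTI_FRAMING, "Strict-Transport-Security": "max-age=31536000" },
  };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { method: "GET", url: "/login?next=%2Faccount", headers: { host: "evil.example" }, socket: {} },
  { method: "POST", url: "/login", headers: {}, socket: {} },
  { method: "GET", url: "/login", headers: {}, socket: { encrypted: true } },
];
for (const s of samples) {
  console.log(s.method, s.url, JSON.stringify(decide(s)));
}
```

With `frame-ancestors 'none'` in place, a lightbox that tries to iframe the login page shows nothing, so the form can only be reached as a top-level HTTPS page whose address bar the user can check.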
sdleihssirhc — 2011-12-09T03:58:03-05:00 — #5
I wondered about bringing that up, that embedding HTTPS with iframe seemed to defeat the purpose of using HTTPS... But the real issue is that mixing the two protocols at all defeats the purpose, no matter how it's attained.
So I'll put the question here that I took out of my first post: Why would you want to do that? If you're trying to be secure, why make it less secure?
Paul's (may I call you Paul?) original advice is still the best: