HTTPS on all pages where user is logged on

Posted by Tom Gullen on Pro Webmasters See other posts from Pro Webmasters or by Tom Gullen
Published on 2011-11-25T17:37:06Z Indexed on 2011/11/25 18:04 UTC
Read the original article Hit count: 486

Filed under:
|
|

I know this is considered best practise to prevent cookie hijacking. I would like to adopt this approach, but ran across a problem on our forum where the users post images which either aren't posted with URL's over HTTPS or the url itself doesn't support HTTPS. This throws up a lot of ugly browser warnings.

I see I have two options:

  • Disable HTTPS for the forum
  • Force all user posted content to start with // in the url so it selects the right protocol, if it doesn't support HTTPS so be it

Do I have any other options? How do other sites deal with this?

© Pro Webmasters or respective owner

Related posts about security

Related posts about ssl