I have a login form that is hidden on every page and shows itself onClick when needed instead of setting off a new page request.

It has been brought to my attention that in order for a login to really be secure the form action should point to a https page but also the login form itself should be on a https page.

Is there a way I can make the pop up login form secure without making the whole site https?

I have a login form that is hidden on every page and shows itself onClick when needed instead of setting off a new page request.

It has been brought to my attention that in order for a login to really be secure the form action should point to a https page but also the login form itself should be on a https page.

Is there a way I can make the pop up login form secure without making the whole site https?

• php
• javascript
• jquery
• security
• https

Share Improve this question Follow asked Jan 17, 2012 at 0:01 chrischris 2,95144 gold badges4343 silver badges4848 bronze badges 1

• I think it is possible. You could try using a javascript function that opens a login popup with a HTTPS address. – auroranil Commented Jan 17, 2012 at 0:25

Add a ment  | 

3 Answers 3

Sorted by: Reset to default 4

Using an AJAX pop-up (or an iframe) that goes (in theory) to https:// on an http:// page presents two problems:

1. An attacker could intercept the page and replace the link with his own.
2. This prevents the user from checking to which site it's connected to.

The 1st problem is related to this question (not specific to AJAX pop-ups, but for having the login page over plain HTTP, also discussed on Security.SE). This goes against this OWASP remendation:

The login page and all subsequent authenticated pages must be exclusively accessed over TLS. The initial login page, referred to as the "login landing page", must be served over TLS. Failure to utilize TLS for the login landing page allows an attacker to modify the login form action, causing the user's credentials to be posted to an arbitrary location.

Essentially, a MITM could modify the page you use to server that login box to replace it with their own: the user wouldn't be able to notice the difference (at least until it's too late).

The 2nd problem is that it's actually a good thing to see you have connected (and also about to connect for the next step) to the website you want in the address bar. Anyone can have a valid https:// site: mybank.example. and attackers.example. could both have a valid certificate issued by a trusted authority. If I connect to my bank, I want to know it's to my bank I'm connected over HTTPS. Sending credentials to a https:// site from a popup or an iframe hides the real target website.

This problem can also happen when the initial page is served over HTTPS, as unfortunately demonstrated by the 3-D Secure system (these people should know better, really!).

In short, don't use an iframe or a popup, and do serve the page where you present the login form over HTTPS.

Short of wrapping the entire site in a SSL protocol, the only other option for this would be to have the Pop-up form be an IFRAME that points to another page with the form that resides on an HTTPS connection.

If initial request is being served by HTTP and you are using same channel to provide "HTTPS" links/forms etc, attacker will simply change that HTTPS to HTTP.

This has been demonstrated by Firesheep

What you can do is to serve HTTPS form over HTTP but enable HTTP Strict Transport Security

Of course, I am assuming you are going to have link like https://login.site. which will be served by http://www.site. ... this way you have to create SSL certificate only for sub-site/ one virtual host