This repository has been archived by the owner on Mar 4, 2020. It is now read-only.
Prevent retrograding secure to plaintext #6
Comments
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
We had an issue a few years back when setting up tentative HTTPS, in that our login page would be served over HTTPS but the subsequent navigation could go on over plaintext with the same cookie. We locked all links to HTTPS for these sessions, but there was no HSTS back then and nothing prevented the user to click an outdated link (or just going back a few pages), where they expected their session to continue.
This kind of errors could be prevented by the browser refusing to retrograde a cookie to plaintext once it has been updated over HTTPS.
The text was updated successfully, but these errors were encountered: