I'm currently working on a website which consists of two parts:
- the non-secure, browsing part
- the secure part, for placing orders, managing user accounts, ...
Now, the big issue here is that the secure part is on a different domain.
This is quite important, and I'll elaborate further in a minute.
In the past we used to use session and user cookies, for authentication, but since a lot of customers complained about the cookies not working (it was always their side that had the error
But, now, I've been asked to give the customers the option to remain logged in permanently because our frequent visitors do not want to log on each time they close and reopen their browser window. In order to do this, I place a user cookie with an md5 hash.
And now we finally come to the problem: when a person arrives at the log on window, he will be on the SSL domain. If the log on is successful, the cookie is set for that domain.
If that person then continues browsing, he'll eventually end up back on the non-secure domain, at which point, I will set the cookie there as well.
However, should that person not return to the non-secure part of the website and close his browser window after logging on, the cookie will only be available for the SSL domain. When the user then reopens the website, he will start again on the non-secure domain, but since the cookie was never set there, he is not logged on even though he said he wanted to remain logged on permanently. This will of course create massive confusion among our customers.
I can only think of two options, but I do not like either of them.
1) after logging on, redirect the users to the non-secure domain, set the cookie and immediately redirect them back to the secure domain. (so this would be invisible to them)
I do not like this because:
- the server load will increase significantly
- malicious users might be able to use this redirecting to create a loop and bring down our servers.
2) log the person on, on the non-secure part of the website, place the cookie and only then redirect them to the secure domain where at that point the cookie will also be set.
I do not like this because:
- the username/password will be sent unencrypted and can easily be sniffed out, so it kinda destroys the whole concept of having a secure logon procedure.
So, as you can see, I have not yet found a solution to this problem, so therefore I turn to you guys.
Perhaps someone has any ideas? I have done a great deal of reading about 'hacking' cookies to different domains (using 1x1 pxl images and what not), but as I understand it, these are considered third-party cookies and most browsers disable these by default nowadays. So this doesn't seem like a solution to me either.
Any input would be greatly appreciated.
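
Option 1 from the post (redirect once to the other domain to set its cookie), sketched as an added example that is not part of the original post. It assumes both domains are served by back ends that share a secret key and a nonce store; all names here are hypothetical. The token is signed, short-lived and single-use, so a replayed or looped redirect is rejected instead of being followed.

```python
import base64
import hashlib
import hmac
import secrets
import time

SHARED_KEY = secrets.token_bytes(32)  # assumption: known to both domains' servers
TOKEN_TTL = 30                        # seconds a handoff token stays valid
_used_nonces = {}                     # assumption: stand-in for a shared store (nonce -> expiry)

def _sign(payload):
    mac = hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()

def issue_handoff(user_id, now=None):
    """SSL domain, after a successful log on: build the token for the redirect URL.
    user_id must not contain '|' (the field separator)."""
    now = time.time() if now is None else now
    payload = f"{user_id}|{int(now) + TOKEN_TTL}|{secrets.token_urlsafe(16)}"
    return f"{payload}|{_sign(payload)}"

def redeem_handoff(token, now=None):
    """Other domain: return the user id to set the cookie for, or None.
    On None the handler should answer with an error page and NOT redirect again."""
    now = time.time() if now is None else now
    try:
        user_id, expiry, nonce, sig = token.split("|")
        expires = int(expiry)
    except ValueError:
        return None                                   # malformed token
    expected = _sign(f"{user_id}|{expiry}|{nonce}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                                   # forged or altered
    if now > expires:
        return None                                   # too old
    for old in [n for n, e in _used_nonces.items() if e < now]:
        del _used_nonces[old]                         # drop nonces of expired tokens
    if nonce in _used_nonces:
        return None                                   # replay: token already redeemed
    _used_nonces[nonce] = expires
    return user_id
```
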