Is it possible to force http in an ssl enabled website?

426    Asked by arun_3288 in Cyber Security , Asked on Sep 23, 2022

I was doing a security research on storing the session id in local storage instead of storing it in cookies. I understand that it is not possible to tag the values in local storage as HttpOnly and so it may be vulnerable to XSS attacks. Since all the inputs are properly validated I am free from this issue.

But the other issue I found is the tampering of data while transferring to the server. Since my local storage session ID cannot be tagged under Secure, it is possible that it can be transmitted through an un-encrypted channel (HTTP). To mitigate this, I want to know if it is possible to access a page via HTTP which is secured with SSL.

Answered by Audrey Berry

A page which is secured with SSL (or TLS for that matter) cannot be accessed via force HTTP, as that would mean that the page is not secure anymore.

If I rephrase the question: Is it possible to access a particular page of a HTTPS secured website via HTTP, then I would say that is possible, but very INsecure. Moreover, the cookie with the session ID will probably have to be sent along with every page request, as you need to track the session across several pages. That would imply that you need to serve almost every page over HTTP, which thus renders your site insecure.

In case you need the session cookie on only one page, you could tell the client to carry out a HTTP request to that one page, which will then send along all cookies that don't have the 'secure' flag set. However, this means that all these cookies are vulnerable to a MITM attack, and can be read by anyone listening in on your communication.

My advice: do not ever consciously serve a page of a HTTPS site over HTTP.

So, the question you need to ask yourself is why can't my session ID be tagged secure only. Is it laziness, or is there another reason why you cant tag this cookie as being secure?

By the way, to force a browser to always use HTTPS for a website (and not rely on 302 redirects to visit the HTTPS version), HTTP Strict Transport Security can be used. Please refer to OWASP for more information.

Your Answer


Parent Categories