
Choosing between Pure HTTPS or HTTP/ HTTPS for a web application


I have faced a small problem regarding using HTTP or HTTPS in a web application. I referred to many queries on Stack Overflow on similar topics but they did not answer my question adequately, so I decided to post this question.

Question

I am currently working on a Java based web application that uses the JBoss application server. The front end is composed mainly of Struts, JavaScript and jQuery. We are currently evaluating a user suggestion to enable HTTPS on the login page and then continue the rest of the user session in HTTP.

Furthermore, while the user session is in HTTP some reports need to be displayed in HTTPS as well. That means the user session will toggle between HTTP and HTTPS.

Some time ago sites like Hotmail had this feature but have since moved away from it to offer pure HTTPS on grounds of improved security.

While preserving the user session, is it possible (and feasible) to use both HTTPS and HTTP only as and when required? Would this implementation have improved performance over a pure HTTPS implementation? If so, are there any standard practices that may be followed to achieve this end?

According to the general perception, HTTPS tends to slow down web application performance. But there is an increasing number of sites that use full HTTPS too, for example Google and GMail.

Hypothetically, would attempting to implement this web application purely in HTTPS have obvious performance issues compared to a pure HTTP based site? Are there any methods to improve performance in pure HTTPS sites?

Resources

HTTP vs. HTTPS: What's the Difference?

Will web browsers cache content over https

What is the best and current way to move to HTTPS on a large website?

Transport Layer Security (TLS)

Tomcat session management - url rewrite and switching from http to https

google translate not showing up when https is used in url

Tomcat, keep session when moving from HTTPS to HTTP - Resource mentioned by Pelit Mamani

Is SPDY any different than http multiplexing over keep alive connections


Solution

  • I haven't tried it with JBoss but rather with Tomcat; however, there are a few points which might be relevant. BTW, in our case we got it to work but ended up switching to full HTTPS anyway.

    Points to note:

    1) Obvious security implications. Hackers can't steal your password, but they can eavesdrop on/change the non-secure content exchange.

    2) As you noted, care is required with cookies, especially their 'secure' flag. My experience is with Tomcat but it sounds like it might occur with other containers: when logging in through HTTPS, Tomcat reasonably assumes you want a secure session cookie, so the session isn't recognized on the non-secure pages. We had to make some tweaks so that the session cookie won't be secure. Tomcat, keep session when moving from HTTPS to HTTP

    3) Cross-domain: if your page was loaded through HTTP and it sends an AJAX request to HTTPS (or vice versa), the browser applies cross-domain security limitations, which again requires tweaks such as CORS support.

    4) We ended up switching to full HTTPS. It had some performance implications under high load (negligible on services that had other bottlenecks such as the database, but it was noticeable with services that were pure memory/logic and had dozens of hits per second). However, we felt it was time to scale horizontally anyway. We also put some time into tweaking Tomcat connectors and our load balancer; it turned out some configurations worked slightly better with HTTPS.
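The "switch to full HTTPS" outcome in point 4, as an added example that is not part of the answer or the asker's project: a hypothetical servlet filter (`HttpsOnlyFilter`, mapped to `/*` in web.xml ahead of the Struts filter) that redirects any plain-HTTP request to its HTTPS equivalent, so the session cookie can keep its Secure flag and never has to cross the HTTP/HTTPS boundary described in point 2. The class name, and the assumption that TLS is terminated on the container itself, are mine.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter: forces every request onto HTTPS so the session cookie
 * can stay Secure (web.xml, Servlet 3.0+):
 *   <session-config><cookie-config>
 *     <secure>true</secure><http-only>true</http-only>
 *   </cookie-config></session-config>
 * With mixed HTTP/HTTPS pages that Secure flag would have to be dropped, and
 * the JSESSIONID would then travel in cleartext on every HTTP page.
 */
public class HttpsOnlyFilter implements Filter {

    /** Builds the https URL that a plain-http request is redirected to. */
    static String toHttpsUrl(String host, String requestUri, String queryString) {
        StringBuilder sb = new StringBuilder("https://").append(host).append(requestUri);
        if (queryString != null && !queryString.isEmpty()) {
            sb.append('?').append(queryString);
        }
        return sb.toString();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // isSecure() reflects the connector the request arrived on. Behind a
        // TLS-terminating load balancer it is only true if the container is set
        // up to honour X-Forwarded-Proto (e.g. Tomcat's RemoteIpValve).
        if (!request.isSecure()) {
            String target = toHttpsUrl(request.getServerName(),
                                       request.getRequestURI(),
                                       request.getQueryString());
            response.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
            response.setHeader("Location", target);
            return; // nothing is served over plain HTTP
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

If the HTTPS connector listens on a non-default port, append it to the host in `toHttpsUrl`; `getServerName()` returns the host name only.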