Share dom storage between http and https
I would like a method of storing information on the client that can be accessed by both the SSL and nonSSL version of my site. localStorage is a great mechanism but it can only be accessed by the current protocol.
I'd like to be able to store a piece of information via javascript on the non-ssl(http) portion of my site and access it on the SSL (https) portion of my site.
Does anyone know of a good way to share stored client-side information between ssl and non-ssl pages?
I know I can always default to a cookie.. but I hate the idea of having to send the cookie back and forth for every single request.
Answer
Compiled from the comments leading to this answer; I welcome @jeremyisawesome to edit in his final techniques:
Fist choice: Use SSL, across everything. Many users want that, and it is (with the exception of the somewhat higher resource use) a superior option in nearly every way. Also it is the trivial solution.
Sadly, "Because Management" is often a valid reason, and while you can try selling it on the "extra security never hurt anyone" point or whatever, a real solution would be preferred.
I propose the following: duplicate the DOM storage, and use a combination of cookie (with minimal data), AJAX, and a hash function to check if the DOM store needs to be updated. The exact implementation details depend on how much data you have, how frequently it changes, and how frequently users switch sides, but the basic idea is something like this:
- save data to DOM, along with its hash.
- send hash in cookie instead of full data.
- JS checks that cookie hash and DOM data match.
- If DOM is determined to be out of date, use AJAX to acquire new data for DOM, and update it asynchronously.
Switching between HTTP and HTTPS pages with secure session-cookie -- there are a number of vulnerabilities discussed with switching, but there's some useful stuff there.