Does Google hide search queries with HTTPS? [duplicate] - security

This question already has answers here:
Is HTTP header Referer sent when going to a http page from a https page?
(4 answers)
Closed 8 years ago.
I commonly hear that since Google employs SSL for their search page, it hides your search queries. But the query is also kept in the URL, e.g.
https://www.google.com/search?q=stackoverflow
and since SSL does not have the capabilities for masking the URL, the query is visible to anyone sniffing the network.
Am I correct that the search queries on Google are not hidden due to SSL?

No, URLs cannot be seen by network sniffers (as long as SSL is being used). They are first translated into IPs by the client then sent through the network, returning the result back to the client. You can see how it works here.
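What a passive observer can read from such a request, as an added example that is not part of the original answer: the script builds a real TLS ClientHello in memory (no network traffic) and shows that the hostname travels in cleartext in the SNI extension, while the path and query string exist only in the HTTP request written after the handshake, inside the encrypted channel. The function names are hypothetical, and it assumes a client that does not use Encrypted Client Hello.

```python
import ssl
from urllib.parse import urlsplit


def client_hello_bytes(hostname):
    """Return the first TLS flight (ClientHello) a client emits, with no network I/O."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for the ServerHello
    return outgoing.read()


def http_request_bytes(url):
    """The HTTP request that is only ever written into the established TLS session."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    return f"GET {target} HTTP/1.1\r\nHost: {parts.hostname}\r\n\r\n".encode()


def observer_view(url):
    """Compare what is on the wire in cleartext with what is sent encrypted."""
    parts = urlsplit(url)
    hello = client_hello_bytes(parts.hostname)
    return {
        "hostname_in_cleartext": parts.hostname.encode() in hello,  # SNI extension
        "query_in_cleartext": parts.query.encode() in hello,
        "sent_only_inside_tls": http_request_bytes(url),
    }


if __name__ == "__main__":
    # The URL from the question above.
    for key, value in observer_view("https://www.google.com/search?q=stackoverflow").items():
        print(f"{key}: {value!r}")
```

The DNS lookup for the hostname and the destination IP address are visible in the same way; the search terms are not.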

Related

How do websites feasibly allow users profiles to each have their own URL? [duplicate]

This question already has answers here:
Reference: mod_rewrite, URL rewriting and "pretty links" explained
(5 answers)
Facebook Like Custom Profile URL PHP
(1 answer)
Closed 3 years ago.
For example, a profile on facebook is often: facebook.com/user. What does Facebook do on their backend to make this work?
I want to create a similar experience for a site I'm building but I don't want to make every user their own .html page. I need some way to read the URL to determine which experience to serve
They don't serve static pages; instead, they forward requests to a web application of some sort, which can handle URLs however it wants. You would also need to do that in order to handle user input; static pages, being static, obviously can't handle anything.

Host homepage on a different server than the rest of site [duplicate]

This question already has answers here:
possible to resolve DNS based on URL path
(3 answers)
Closed 5 years ago.
Is it possible to host one page of a website (example.com/index.html) on a different server than the remainder of the site (example.com/blog/ and etc.)? Are there ways to manage this through DNS settings? An .htaccess file?
Thanks!
Short answer is, not really. A DNS entry maps a hostname (example.com) to an IP address. The path part of the URL (/index.html) is not part of the hostname, and is only contained inside the HTTP headers.
The general practice for this kind of situation is to use a proxy or load balancer which will send requests to different servers depending on the request path.
If it really needs to go to two different places without a central load balancer, then you probably need a unique subdomain for each site.

send cookies from subdomain [duplicate]

This question already has answers here:
Setting cookies for subdomain
(2 answers)
Closed 7 years ago.
I'm building a web app that uses an HTTP-only cookie sent by the backend for session data. Now my backend is hosted at xyz.domain.com
My client side is domain.com (note - I'm not using www.domain.com)
Now when the client receives the cookie, the browser doesn't save it. In Chrome I saw the cookie isn't first party.
After doing a bit of research I figured out to send the cookie with domain - .domain.com
Tried that. Didn't work.
How should this be done?
Thank you
You should set domain attribute as your domain:
domain= .domain.com
If you can say which language you are working in and what you have tried so far, people may provide some good examples.

Browser support for "//domain.com" [duplicate]

This question already has answers here:
Closed 11 years ago.
Possible Duplicate:
Is it valid to replace with // in a <script src=“…”>?
Do all browsers support referencing without the leading http: or https:?
For example:
<a href="//example.com/account">
<img src="//example.com/image.gif">
Which should automatically use whatever connection the user currently has (HTTP or HTTPS)
Can I get into trouble if I use this everywhere in my app?
Basically, I want to keep "absolute" URLs consistent, without having to make sure I added https: if the user is on a secure connection (so he doesn't get warnings), and http: when he is not on a secure connection (so assets load faster — no HTTPS handshaking).
If you do not count Internet Explorer as a browser, yes, almost every general browser supports this.
Now seriously: I didn't try it in IE, but every general browser does support this!

HTTPS login not saving the JSESSIONID in a cookie [closed]

This question is unlikely to help any future visitors; it is only relevant to a small geographic area, a specific moment in time, or an extraordinarily narrow situation that is not generally applicable to the worldwide audience of the internet. For help making this question more broadly applicable, visit the help center.
Closed 10 years ago.
We recently changed our login to use HTTPS, and we are experiencing issues with the login.
After the login, the user is redirected to an unencrypted (HTTP) page. When it reaches this page, the site checks if the user is logged in. It creates a new session and it appears that the user is not logged in, and thus our user is redirected to the login page. If the user logs in again, it will work.
The cookies are not set as https-only, but it seems like they don't work on http pages.
Does anyone know why this might be happening?
Edit:
I should have mentioned that the page that displays the login is on a different URL. (There is a login page from the machine running the Tomcat instance, but the marketing site is on a WordPress install and uses a different domain).
I can't use the HTTP request first method to set the cookie, because the default Internet Explorer settings prevent the session cookie from being saved.
We have this problem with our app. We wanted a similar behavior of logging in via https, then redirecting to an http page.
The issue is that when Tomcat creates the session under https, it creates a secure cookie which can't be read in http. Note that this keeps getting filed as a bug in Tomcat and getting marked as "not a bug".
The solution we ended up with is based on the message in this forum
http://forum.java.sun.com/thread.jspa?threadID=197150&start=0
Quoting from the forum thread: "One way to maintain the session in Tomcat, when the session cookie is getting created in SSL mode is to trick the browser by creating the non-secure cookie, when the secure cookie is getting created." This is accomplished via a filter that wraps the request and overrides request.getSession(). It's worked very well for us.
As a side note, redirecting from an https to http page will pop up a warning message in some versions of Internet Explorer "You are about to be redirected to a connection that is not secure." The only way we found to avoid this is to have the redirection be done with a meta refresh tag. Specifically, return a blank page from the original https request with a meta tag that refreshes to an http page. This avoids the warning message at the expense of making the code slightly more convoluted.
(I just noticed some of the advice here is a repeat of an earlier answer -- I apologize, but will post anyways since it is from direct experience).
Edit: I see in your comments you have two domains, which complicates the use of cookies. Can you use a proxy or web server such as Apache to present just one domain to the end users?
When using HTTPS, Tomcat establishes the jsessionid through a secure cookie, which cannot be transmitted through a non-secure connection. So when you fall back to HTTP the session is lost.
The workaround (which I haven't done myself) seems to be establishing the session through an HTTP request before redirecting to HTTPS, and then setting a filter in the HttpRequestWrapper to plug into the nonsecure cookie.
I don't know much about this, but here are a couple of references:
http://forums.sun.com/thread.jspa?threadID=197150
http://tp.its.yale.edu/pipermail/cas/2006-March/002356.html
If you've verified the secure-only flag is off, and that the first cookie is being dropped correctly - I would guess that there may be a path issue which is preventing the cookie from being presented again.
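The cookie questions above turn on three attributes: Domain (the subdomain question), Secure (the Tomcat JSESSIONID created under HTTPS) and Path (the last answer's guess). As an added example, not code from any of the posts, this sketch of the RFC 6265 matching rules shows when a browser attaches a cookie to a request. The cookie dictionaries, `login.example.test` and the function names are constructed for illustration, and public-suffix and IP-address checks are left out.

```python
from urllib.parse import urlsplit


def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3 for host names; a leading dot in Domain is ignored."""
    host, cookie_domain = host.lower(), cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_match(request_path, cookie_path):
    """RFC 6265 5.1.4: the cookie path must be a whole-segment prefix."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def would_send(cookie, url):
    """Decide whether a browser attaches `cookie` to a request for `url`."""
    parts = urlsplit(url)
    host = parts.hostname
    if cookie["domain"]:
        if not domain_match(host, cookie["domain"]):
            return False
    elif host != cookie["set_by"]:  # no Domain attribute: host-only cookie
        return False
    if cookie["secure"] and parts.scheme != "https":
        return False  # Secure cookies are never sent over plain HTTP
    return path_match(parts.path or "/", cookie["path"])


# Constructed sample cookies; login.example.test is a placeholder host.
HOST_ONLY = {"set_by": "xyz.domain.com", "domain": None, "secure": False, "path": "/"}
SHARED = {"set_by": "xyz.domain.com", "domain": ".domain.com", "secure": False, "path": "/"}
JSESSIONID = {"set_by": "login.example.test", "domain": None, "secure": True, "path": "/app"}

if __name__ == "__main__":
    for name, cookie, url in [
        ("host-only", HOST_ONLY, "http://domain.com/"),
        ("Domain=.domain.com", SHARED, "http://domain.com/"),
        ("Secure JSESSIONID", JSESSIONID, "http://login.example.test/app/home"),
        ("Secure JSESSIONID", JSESSIONID, "https://login.example.test/app/home"),
        ("Secure JSESSIONID", JSESSIONID, "https://login.example.test/other"),
    ]:
        print(f"{name:20} {url:40} sent={would_send(cookie, url)}")
```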
