如何从 HTTPS 重定向到 HTTP,而不出现烦人的错误消息

发布于 2024-07-14 23:12:28 字数 542 浏览 10 评论 0 原文

我想在 HTTPS 登录后将用户重定向到网站上的 HTTP 页面。 对整个站点使用 HTTPS 是不可能的。

到目前为止我所拥有的内容如下:

  1. 用户将登录表单发布到安全站点
    • 安全服务器验证凭据
    • 安全服务器向客户端发送 302 重定向

这可行,但在我的 IE6 机器上,用户会收到错误消息,因为默认设置是在退出安全页面时发出警告。 这些错误对我来说是可用性杀手,因此也是一个阻碍。 我更改了它,以便第 3 步是

  • 服务器发送带有元刷新的 html 代码,

但这非常慢; 即使在我的本地计算机上,它也明显比 302 重定向慢。

有没有更好的方法来实现对人们使用的标准设置进行无麻烦重定向的目标? IE6 占我们流量的 20%-25%。 另外,有谁知道哪些浏览器会警告哪些浏览器不会对 302 重定向发出警告? 我正在考虑将 IE6 列入黑名单,这样只有它才能获得缓慢的元刷新,而其他人都可以获得快速的 302。

I want to redirect users, after HTTPS login, to the HTTP pages on the site. Using HTTPS for the whole site is not going to happen.

What I have so far is the following:

  1. User posts the login form to the secure site
    • The secure server validates the credentials
    • The secure server sends a 302 redirect to the client

This works, except on my machine in IE6 the user gets an error message because the default is to warn when exiting a secure page. These errors are a usability killer for me and thus a showstopper. I changed it so that step 3 is

  • Server sends html code with a meta refresh

But this is very slow; even on my local machine it's noticeably slower than doing the 302 redirect.

Is there a better way to accomplish the goal of a hassle-free redirection on standard settings that people use? IE6 represents 20%-25% of our traffic. Also, does anyone have any good info about which browsers will warn and which won't warn for the 302 redirect? I am considering black-listing IE6 so that only it gets the slow meta refresh and everyone else gets the fast 302.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

箜明 2024-07-21 23:12:28

恢复一个旧主题,但要使其完整,发布以下内容,以便其他开发人员可以选择实现

方式 在 https 之间移动到 http 而不出现警告消息的一种方法是使用 javascript 进行客户端重定向。

步骤

  1. 用户在 https 表单上输入登录详细信息,然后单击登录按钮
  2. 登录按钮将发回 https 表单进行登录验证(假设登录正确)将重定向到也在 https 下的保留页面并显示消息(请稍候该网站重定向您)
  3. 此保留页面执行 JavaScript 重定向到 http 页面,

不会显示浏览器警告消息

HTH

Reviving an old topic , but to make it compelete posting the following so other devs can have a choice of implementation

One way of moving bettween https to http without a warning message is to use client redirect using javascript.

Steps

  1. User enters login details on a https form and click on login button
  2. login button will post back to https form for login validation ( assuming login is correct) will redirect to a holding page which is also under https and displays the message ( please wait while the site redirects you)
  3. This holding page does a javascript redirect to the http page

no browser warning message will be displayed

HTH

潇烟暮雨 2024-07-21 23:12:28

我正在考虑将 IE6 列入黑名单,这样只有它才能获得缓慢的元刷新,而其他人都可以获得快速的 302。

我会做类似的事情。 还在正文中包含一个纯 HTML 链接以方便访问。

请注意,其他一些浏览器确实会给出有关离开 HTTPS 站点的类似警告,但在它们的情况下,它会附带一个(通常预先勾选的)“不要再问我”按钮。 因此,当他们访问您的网站时,他们几乎肯定会告诉该警告消失。 这并不会让警告变得毫无意义,但至少缓解了问题。

  • 安全服务器向客户端发送 302 重定向
  • 您不应使用 302 重定向来响应 POST。 理论上,认真对待 HTTP RFC 的浏览器可能会通过将表单重新 POST 到新 URL 来对此做出响应。 (具有讽刺意味的是,这将使 IE6 关于信息“被重新传输到不安全站点”的警告减少误导性。)而是使用“303 查看其他”。

    I am considering black-listing IE6 so that only it gets the slow meta refresh and everyone else gets the fast 302.

    I would do something like that. Also include a plain HTML link in the body for accessibility.

    Note that some other browsers do give a similar warning about leaving an HTTPS site, but in their case it is accompanied by a (generally pre-ticked) “don't ask me again” button. So by the time they get to your site they will almost certainly have told that warning to disappear. This doesn't make the warning less pointless, but at least it alleviates the problem.

    1. The secure server sends a 302 redirect to the client

    You shouldn't 302 in response to POST. A theoretical browser that took the HTTP RFC seriously might respond to that by re-POSTing the form to the new URL. (Which, ironically, would make IE6's warning about information “being retransmitted to a nonsecure site” less misleading.) Instead use “303 See other”.

    萝莉病 2024-07-21 23:12:28

    我不认为还有其他办法。 该错误消息是为了用户的利益,现在也出现在 IE 7 和 Firefox 3 中。 据我所知,防止这种情况发生的唯一方法是将您的网站添加为浏览器中受信任的网站。

    更新:哦,所以这不是混合内容错误。 我知道你指的是哪一个,但我仍然认为你无法禁用该错误。 一般来说,安全错误是为了用户的利益,保护他们免受潜在危险网站的侵害,因此,不能由(潜在不安全)网站本身禁用。

    I don't think there's any other way. That error message is for the user's benefit, and is present in IE 7 and Firefox 3 now as well. The only way that I know of to prevent it is to add your site as trusted within the browser.

    Update: Oh, so it's not the mixed content error. I know which one you mean, though I still don't think you can disable the error. Generally, security errors are for the users benefit to protect them from potentially dangerous sites, and as such, cannot be disable by the (potentially unsafe) website itself.

    ~没有更多了~
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文