How to solve this problem due to secure page?

My website needs a secure login form to protect username/password but then uses images from other domains (which can't be locally hosted as they vary based on the user's account). This causes either security alerts or missing images depending on the browser.

I see 2 possible solutions but don't know how to do either:

1. Somehow have my server get the image in real time from the other domain and transfer it through it's own secure connection so they come through my own secure connection

2. Have the login page redirect to a non secure page so that the images from the other domain load, but cookies made during login on the secure connection cannot be read by the same page on the non secure connection

I think solution 1 would be best, what do you think? And how would I get the images to be read by my server and then load as if they were on my own server so that they load error free?

Thanks

 

2 is achieved by setting the Secure attribute on the cookie to false but make sure you dont undermine the whole purpose of doing the log in under SSL

1 is easy enough to do with setting the response.contenttype to image/jpeg (or as appropriate) and streaming the file through but as its done on the fly and under an SSL you may have speed issues.

I dont understand why you cannot host the images locally though?

 

I found how to get my server to download the image and then resend it as a Response.BinaryWrite which works but as you say is very slow.

How do I set the cookie secure attribute to false and what if I want to access this cookie on secure pages also? Would I set the cookie twice both secure and non secure? Can both have the same name?

I can't host the images locally because users add ebay items they want to their account on my site and it's the ebay item images I display in their account next to the items.

 

You set the cookie once whilst under SSL but by setting the secure to false it will (or at least should as there can be some quirks) allow it to be accessed irrespective of if its under the SSL or not.

If that is the case with the items why not retrieve the items photos and store them locally when they add the item thus allowing it to be used locally every subsequent time the item is displayed (making some assumptions as to what your site is doing)

 

I might look stupid by asking this question, but then to understand the problem, I choose to ask.

A login process is how you identify the user. Why/How would your login page have user specific images?

In a website that I manage, here is what we do.
1. Login page has a redirect as the first set of code to check if the request was is HTTP or HTTPs if it is NOT https, we redirect the user to the respective HTTPs (just by adding https to the url and redirecting).
2. Credentials provided by the user on the login screen is validated once successful is redirected to HTTP (non secure welcome.aspx page).

Meanwhile, a set of cookie is created for session tracking. At first the cookie is created from HTTPs page and thus we make it secure cookie
Later if the redirection from HTTPs to non secure page happens, they are converted into unsecure cookies and the redirect happens

Upon login some users have chosen to continue on HTTPS, in such a case, the secure cookie remains and it works.

Hope this is of some help to you! If not pls reply with your thoughts

 

The login page doesn't have user specific images, the images are in the user account after they login. When I said "...but then uses images..." I meant after login in and being in the user account.

So I tried setting the cookie secure attribute to false but ran into another problem, my secure connections are done on secure.mysite.com so if I then redirect to the nonsecure mysite.com the cookies are not accessible.

Is there a way I can make the secure login set the cookies to be accessible both on my secure secure.mysite.com and non secure mysite.com?

 

Then also set the domain on the cookie to the mysite.com and so it should be accessable by each of your subdomains