Share dom storage between http and https

Question

I would like a method of storing information on the client that can be accessed by both the SSL and nonSSL version of my site. localStorage is a great mechanism but it can only

Answer 1

Compiled from the comments leading to this answer; I welcome @jeremyisawesome to edit in his final techniques:

---

Fist choice: Use SSL, across everything. Many users want that, and it is (with the exception of the somewhat higher resource use) a superior option in nearly every way. Also it is the trivial solution.

Sadly, "Because Management" is often a valid reason, and while you can try selling it on the "extra security never hurt anyone" point or whatever, a real solution would be preferred.

I propose the following: duplicate the DOM storage, and use a combination of cookie (with minimal data), AJAX, and a hash function to check if the DOM store needs to be updated. The exact implementation details depend on how much data you have, how frequently it changes, and how frequently users switch sides, but the basic idea is something like this:

1. save data to DOM, along with its hash.
2. send hash in cookie instead of full data.
3. JS checks that cookie hash and DOM data match.
4. If DOM is determined to be out of date, use AJAX to acquire new data for DOM, and update it asynchronously.

Switching between HTTP and HTTPS pages with secure session-cookie -- there are a number of vulnerabilities discussed with switching, but there's some useful stuff there.