Double Encryption in Reach

We have developed a code snippet to counter the issue of a man-in-the-middle (us) who is able to "see" all data. This is how it works:

  1. Client and server use public-private key pairs to communicate with each other

  2. Using public-private key pairs adds an extra level of encryption (on top of HTTPS), which we cannot decrypt

  3. This method is good for AJAX-type requests

  4. When the server loads the page it generates a public-private key pair for the request

  5. The private key is saved in SESSION on the server-side

  6. The public key is sent over to the client

  7. On page load the client generates its own public-private key pair and sends the public key to the server

  8. Subsequent data sent from the client (AJAX) is encrypted with the public key sent by the server

  9. Encrypted data is decrypted by the server using the respective private key

  10. The response is encrypted with the public key sent by the client

  11. Encrypted data is decrypted by the client by using its private key

  12. This approach is good for AJAX requests and will not work for a complete page load (page navigation), as the browser will not be able to decrypt the data
