|
Posted by Gordon Burditt on 11/16/07 11:28
>I see your point, I think I will just re-generate the session ID after
>every user request so that the last session ID is no longer valid.
Are you *SURE* that re-generating the session ID cancels the validity
of the old one? If not, you're just generating piles more correct
answers. The delete_old_session parameter to session_regenerate_id()
seems to have been added in version 5.1.0.
>Hopefully that will provide enough security for the non-SSL'd pages.
>
>My last question is this: I read online that you should never pass
>session data between http and https servers.
>I have successfully
>carried sessions between the two without passing any information in the
>URL... since I know this can be done, is there a reason not to do so?
>Does it expose any other security risks I am not aware of?
If it's exposed in http it's exposed, period. And providing a lot
of "known plaintext" for a cracking attempt at the SSL ciphers isn't
a good idea even though it's thought they aren't vulnerable to such
an attack.
Gordon L. Burditt
Navigation:
[Reply to this message]
|