Posted by totalstranger on 10/18/07 16:25
My Bluehost site is set up with a dedicated IP address, a RapidSSL certificate, PHP 5, and FastCGI switched on.
When switching between HTTP and HTTPS, I was under the impression that the session data was independent for each protocol, and I've read about various methods of storing session data in a database to bypass this problem. However, while testing what I thought was incomplete code (no $_SESSION preservation code in place), I've discovered this is not true on my site.
In other words, I go from HTTP (request login) to HTTPS (do login and set SESSION variables), then back to HTTP (to maintain data); the session variables set in HTTPS are usable in HTTP, and I get the exact same session id with both protocols without any code to preserve the $_SESSION data between protocols. While this may make my coding easier, it gives me a sense that something is wrong and that I have a security risk.
Can anyone confirm this is the way it's supposed to work?
Thank you
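The behaviour described above is what a plain PHP session does: PHPSESSID is an ordinary cookie, and a cookie carries no scheme restriction unless it is flagged Secure, so the browser presents the id issued during the HTTPS login on every later HTTP request as well. The following helper is an added example (not code from the poster or from Bluehost) showing the hardening a practitioner would apply: mark the cookie Secure and HttpOnly, accept the id from cookies only, and issue a fresh id once the user has authenticated. `SITE_HOST` and `login_succeeded()` are assumed names.

```php
<?php
// Added example: hardened session start for a PHP 5.2+ site that logs in over HTTPS.
// SITE_HOST is an assumed constant holding the site's canonical host name.
define('SITE_HOST', 'www.example.com');

function request_is_https()
{
    // Apache/FastCGI sets $_SERVER['HTTPS'] to "on" (or another non-empty
    // value) for TLS requests; some SAPIs set it to "off" on plain HTTP.
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function secure_session_start()
{
    if (!request_is_https()) {
        // Never create or resume the session over plain HTTP: bounce to HTTPS.
        // Using a fixed host avoids redirecting wherever the Host header points.
        header('Location: https://' . SITE_HOST . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }
    // Cookie-only sessions: do not accept an id from the query string
    // (session.use_only_cookies defaulted to 0 before PHP 5.3).
    ini_set('session.use_only_cookies', '1');
    // Secure: the browser sends the cookie on https:// requests only, so the id
    // issued at login is never exposed on a later http:// request.
    ini_set('session.cookie_secure', '1');
    // HttpOnly: script running in the page cannot read the id.
    ini_set('session.cookie_httponly', '1');
    session_start();
}

function login_succeeded($user_id)
{
    // Replace the pre-login id so an id observed or planted before
    // authentication is not the one that becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
    $_SESSION['authenticated_at'] = time();
}

// Usage in the login script, after the password check has passed:
// secure_session_start();
// login_succeeded($user_id_from_db);
```

With the Secure flag set, the HTTP pages the post mentions ("back to HTTP to maintain data") will no longer see the session at all, which is the intended effect; the usual resolution is to serve every page that needs the logged-in session over HTTPS rather than to copy session data between protocols.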