Posted by Captain Paralytic on 10/19/07 08:54
On 18 Oct, 17:40, "J.O. Aho" <u...@example.net> wrote:
> totalstranger wrote:
> > My Bluehost site is setup with a dedicated IP address, Rapid SSL
> > certificate, PHP 5 and FastCGI is set on.
>
> > When switching between HTTP and HTTPS I was under the impression the
> > Session Data was independent for each protocol and I've read about
> > various methods of storing session data in a database to bypass this
> > problem. However while testing what I thought was incomplete code (no
> > $_Session preservation code in place), I've discovered this is not true
> > on my site.
>
> > In other words I go from HTTP (request login), to HTTPS (do login and
> > set SESSION variables), then back to HTTP(to maintain data), the session
> > variables set in HTTPS are usable in HTTP and I get the exact same
> > session id with both protocols without any code to preserve the
> > $_SESSION data between protocols. While this may make my coding easier,
> > it gives me a sense that something is wrong and I have a security risk.
> > Can anyone confirm this is the way it's supposed to work?
>
> This is how cookies work, but if you want to be able to determine where the
> session has been set, I suggest you store $_SESSION['https']=$_SERVER['HTTPS']
> when you start the session for the first time and then use
> if($_SESSION['https']!=$_SERVER['HTTPS']) { exit; }
> to prevent switching between SSL and Plain sessions.
>
> --
>
> //Aho
My experience is that $_SERVER['HTTPS'] is not set for non https
accesses, so this would be better as
$_SESSION['https']=isset($_SERVER['HTTPS'])
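The check Aho suggests, with the isset() correction from this reply, written out as an added example (not code posted by either of them). It assumes PHP 5.2 or later (for the httponly argument of session_set_cookie_params()) and a typical Apache/FastCGI setup where $_SERVER['HTTPS'] is absent on plain requests or, on some servers, set to "off":

```php
<?php
// Added example, not from the thread: bind a PHP session to the scheme
// (HTTP or HTTPS) it was started under and refuse to serve it over the other.

// True when the current request arrived over TLS. Apache sets
// $_SERVER['HTTPS'] only on SSL requests, while some servers set it to
// "off" on plain requests, so both the missing and the "off" cases count
// as plain HTTP.
function request_is_https()
{
    return isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Start (or resume) the session and bind it to the scheme of the first
// request. A session started over HTTPS is destroyed if it is later
// presented over plain HTTP, so the session ID never carries data set
// during the HTTPS login (and vice versa) across to the other scheme.
function start_scheme_bound_session()
{
    $https = request_is_https();

    // Mark the session cookie "secure" when the session is started over
    // TLS, so the browser does not send that ID over plain HTTP at all;
    // httponly keeps it away from client-side scripts. Session cookie
    // lifetime, path "/", current host.
    session_set_cookie_params(0, '/', '', $https, true);
    session_start();

    if (!isset($_SESSION['https'])) {
        // First request of this session: issue a fresh ID and remember
        // the scheme it was started under.
        session_regenerate_id(true);
        $_SESSION['https'] = $https;
        return;
    }

    if ($_SESSION['https'] !== $https) {
        // Scheme changed: discard the session instead of carrying its
        // contents (e.g. the HTTPS login state) over to the other scheme.
        $_SESSION = array();
        session_destroy();
        header('HTTP/1.1 403 Forbidden');
        exit;
    }
}

start_scheme_bound_session();
```

With the secure flag set, a session begun over HTTPS is not even presented on HTTP requests, so the mismatch branch mainly catches the reverse direction (a session begun over HTTP being presented to the HTTPS pages).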