Reply to Re: HTTP HTTPS Session question

Posted by Steve on 10/19/07 14:09

"totalstranger" <totalstranger@not.yahoo.net> wrote in message
news:4iIRi.294$TT4.206@newsfe12.lga...
> My Bluehost site is set up with a dedicated IP address, Rapid SSL
> certificate, PHP 5 and FastCGI is set on.
>
> When switching between HTTP and HTTPS I was under the impression the
> Session Data was independent for each protocol and I've read about various
> methods of storing session data in a database to bypass this problem.
> However while testing what I thought was incomplete code (no $_SESSION
> preservation code in place), I've discovered this is not true on my site.
>
> In other words I go from HTTP (request login), to HTTPS (do login and set
> SESSION variables), then back to HTTP (to maintain data), the session
> variables set in HTTPS are usable in HTTP and I get the exact same session
> id with both protocols without any code to preserve the $_SESSION data
> between protocols. While this may make my coding easier, it gives me a
> sense that something is wrong and I have a security risk. Can anyone
> confirm this is the way it's supposed to work?

why is *any* of this a surprise OR security risk? ssl is a means to secure the
communication between the client and server. sessions relate to either
cookies on the client or session files on your server. none of that has
*any* relation to secured sockets or not. your spidey senses are simply
whacked. why *should* this work any other way? are you suggesting that ssl
protects *you* from being hacked? that's not only a misconception, it's a
dangerous mentality.

sessions are hard to coordinate between *domains*...not HTTP&S.
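
Added example, not part of the original thread: a small Python model of how a browser decides whether to send a session cookie, showing why the same session id arrives over both HTTP and HTTPS on one host but not on another domain. The `Set-Cookie` headers and host names are constructed, the rules follow standard cookie matching (domain, path, `Secure` attribute), and the assumption is that the site's session cookie was set without `Secure`.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

def parse_set_cookie(header, origin_host):
    """Turn one Set-Cookie value into the fields a browser stores."""
    jar = SimpleCookie()
    jar.load(header)
    name, morsel = next(iter(jar.items()))
    domain = morsel["domain"].lstrip(".").lower()
    return {
        "name": name,
        "domain": domain or origin_host.lower(),
        "host_only": not domain,          # no Domain attribute: exact host only
        "path": morsel["path"] or "/",
        "secure": bool(morsel["secure"]),
    }

def would_send(cookie, url):
    """Decide whether the cookie accompanies a request to url."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if cookie["host_only"]:
        domain_ok = host == cookie["domain"]
    else:
        domain_ok = host == cookie["domain"] or host.endswith("." + cookie["domain"])
    path, cpath = u.path or "/", cookie["path"]
    path_ok = path == cpath or (
        path.startswith(cpath) and (cpath.endswith("/") or path[len(cpath)] == "/"))
    # The scheme matters only when the cookie carries the Secure attribute.
    scheme_ok = u.scheme == "https" or not cookie["secure"]
    return domain_ok and path_ok and scheme_ok

# Constructed sample headers; the hosts are placeholders.
PLAIN = parse_set_cookie("PHPSESSID=constructed0123; path=/", "www.example.com")
SECURE = parse_set_cookie("PHPSESSID=constructed0123; path=/; secure", "www.example.com")

def report():
    urls = ["http://www.example.com/cart.php",
            "https://www.example.com/login.php",
            "https://shop.example.net/login.php"]
    return {u: (would_send(PLAIN, u), would_send(SECURE, u)) for u in urls}

if __name__ == "__main__":
    for url, (plain, secure) in report().items():
        print(f"{url:40} plain={plain!s:5} secure={secure}")
```

A cookie without `Secure` travels in cleartext on every plain HTTP request to the host, so anyone able to read that traffic sees the same session id that was issued after the HTTPS login.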
