Posted by totalstranger on 10/21/07 20:15
On or about 10/19/2007 10:09 AM, it came to pass that Steve wrote:
> "totalstranger" <totalstranger@not.yahoo.net> wrote in message
> news:4iIRi.294$TT4.206@newsfe12.lga...
>> My Bluehost site is set up with a dedicated IP address, Rapid SSL
>> certificate, PHP 5 and FastCGI is set on.
>>
>> When switching between HTTP and HTTPS I was under the impression the
>> Session Data was independent for each protocol and I've read about various
>> methods of storing session data in a database to bypass this problem.
>> However, while testing what I thought was incomplete code (no $_SESSION
>> preservation code in place), I've discovered this is not true on my site.
>>
>> In other words I go from HTTP (request login), to HTTPS (do login and set
>> SESSION variables), then back to HTTP (to maintain data), the session
>> variables set in HTTPS are usable in HTTP and I get the exact same session
>> id with both protocols without any code to preserve the $_SESSION data
>> between protocols. While this may make my coding easier, it gives me a
>> sense that something is wrong and I have a security risk. Can anyone
>> confirm this is the way it's supposed to work?
>
> why is *any* of this a surprise OR security risk? ssl is a means to secure the
> communication between the client and server. sessions relate to either
> cookies on the client or session files on your server. none of that has
> *any* relation to secured sockets or not. your spidey senses are simply
> whacked. why *should* this work any other way? are you suggesting that ssl
> protects *you* from being hacked? that's not only a misconception, it's a
> dangerous mentality.
>
> sessions are hard to coordinate between *domains*...not HTTP&S.
>
>
Wow! You must have been born with full insight into everything!
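The behaviour the original poster observed (one PHPSESSID cookie sent on both HTTP and HTTPS requests) can be confined to HTTPS with the session cookie's Secure flag. The following is an added example, not code from the thread or from the poster's site; it assumes Apache/FastCGI-style `$_SERVER` values and uses the positional `session_set_cookie_params()` signature so it runs on PHP 5.2+ as well as current PHP:

```php
<?php
// Added example: keep the PHP session cookie off plain HTTP.
// Because the browser sends PHPSESSID on every request to the host, the id
// of a session authenticated over HTTPS also travels unencrypted on later
// HTTP requests. Marking the cookie Secure makes the browser send it over
// HTTPS only; HTTP pages then get a separate, unauthenticated session.

// Detect whether this request arrived over TLS (typical Apache values).
function request_is_https()
{
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    return isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443;
}

// Must run before session_start() on every page that uses the session.
function configure_secure_session()
{
    // Accept the session id from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // lifetime 0 = browser session, path '/', domain '' = current host,
    // secure = true (HTTPS only), httponly = true (not readable from JS).
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

// Call only after the credentials have been verified elsewhere.
function establish_login_session($username)
{
    if (!request_is_https()) {
        // Never create an authenticated session over plain HTTP.
        header('HTTP/1.1 403 Forbidden');
        exit('Login requires HTTPS.');
    }
    // Fresh id at the privilege change; true deletes the old session file,
    // so an id observed before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['login_time'] = time();
}

// Usage on the HTTPS login handler ('alice' is a constructed sample value).
configure_secure_session();
establish_login_session('alice');
```

With the Secure flag set, the HTTP pages in the poster's flow will no longer see the HTTPS login session, so any page that needs the logged-in data has to be served over HTTPS as well.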