Posted by Steve on 10/22/07 03:24
"totalstranger" <totalstranger@not.yahoo.net> wrote in message
news:VtOSi.386$wc5.237@newsfe12.lga...
> On or about 10/21/2007 4:15 PM, it came to pass that totalstranger wrote:
>> On or about 10/19/2007 10:09 AM, it came to pass that Steve wrote:
>>> "totalstranger" <totalstranger@not.yahoo.net> wrote in message
>>> news:4iIRi.294$TT4.206@newsfe12.lga...
>>>> My Bluehost site is setup with a dedicated IP address, Rapid SSL
>>>> certificate, PHP 5 and FastCGI is set on.
>>>>
>>>> When switching between HTTP and HTTPS I was under the impression the
>>>> Session Data was independent for each protocol and I've read about
>>>> various methods of storing session data in a database to bypass this
>>>> problem. However while testing what I thought was incomplete code (no
>>>> $_Session preservation code in place), I've discovered this is not true
>>>> on my site.
>>>>
>>>> In other words I go from HTTP (request login), to HTTPS (do login and
>>>> set SESSION variables), then back to HTTP(to maintain data), the
>>>> session variables set in HTTPS are usable in HTTP and I get the exact
>>>> same session id with both protocols without any code to preserve the
>>>> $_SESSION data between protocols. While this may make my coding easier,
>>>> it gives me a sense that something is wrong and I have a security risk.
>>>> Can anyone confirm this is the way it's supposed to work?
>>>
>>> why is *any* of this a surprise OR security risk? ssl is a means to secure
>>> the communication between the client and server. sessions relate to
>>> either cookies on the client or session files on your server. none of
>>> that has *any* relation to secured sockets or not. your spidey senses are
>>> simply whacked. why *should* this work any other way? are you suggesting
>>> that ssl protects *you* from being hacked? that's not only a
>>> misconception, it's a dangerous mentality.
>>>
>>> sessions are hard to coordinate between *domains*...not HTTP&S.
>>>
>> Wow! You must have born with a full insight to everything!
> Umm before Steve objects to my English, that should have been
> Wow! You must have been born with a full insight to everything!
why no, i had no problems with your english and am usually pretty forgiving
when i know it's not someone's native language. and, i think i've only
teased one person about their english because i thought the comment would be
understood as a joke...it wasn't, so, i don't tend to tease anyone about
that anymore.
second, why were my comments taken as an insult? notice, i wasn't YELLING
at any point. i used asterisks to draw out certain key points i was trying to
make. a limitation of this media is that i cannot show inflection or
emphasis in very many ways.
third and most obvious to observe here, is that i *don't* know
everything...nor do i pretend to. i'll just simply take your reaction as a
"knee-jerk" comment at what you perceived was an insult.
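An added example, not code from either poster, showing the mechanism behind what totalstranger observed: PHP's session cookie is sent by the browser on http:// and https:// alike unless it carries the Secure flag, which is why the same session id showed up under both schemes. The snippet shows the weak cookie settings beside the hardened ones and keeps the authenticated session on HTTPS only; it assumes PHP 5.2 or later (for the httponly argument) and the `login_user()` helper is hypothetical.

```php
<?php
// Added example (not from either poster). Explains why the session in the
// original post carried over from HTTPS to HTTP: the PHPSESSID cookie is
// presented for both schemes unless it is flagged Secure.
// Assumes PHP 5.2+ (session_set_cookie_params() accepts $httponly).

// Weak configuration (matches the behaviour the original poster saw):
// the cookie is sent on http:// and https:// alike, so the id that
// references the logged-in session also travels over plaintext HTTP.
// session_set_cookie_params(0, '/', '', false, false);

// Hardened configuration: the browser sends the cookie over https:// only
// and scripts on the page cannot read it.
session_set_cookie_params(
    0,      // lifetime: until the browser closes
    '/',    // path
    '',     // domain: current host only
    true,   // secure: cookie is sent over https:// only
    true    // httponly: not exposed to JavaScript
);
// Equivalent php.ini settings:
//   session.cookie_secure = 1
//   session.cookie_httponly = 1
ini_set('session.use_only_cookies', '1'); // ignore session ids passed in the URL

$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
if (!$is_https) {
    // With the Secure flag set, this request arrives without the session
    // cookie and session_start() would create a new, empty session.
    // Send the visitor to the HTTPS copy of the page instead.
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit;
}

session_start();

// Hypothetical login helper: after the credentials are verified, issue a
// fresh session id so an id handed out before authentication is not kept.
function login_user($user_id)
{
    session_regenerate_id(true); // true: discard the old session file
    $_SESSION['user_id'] = $user_id;
}
```

With these settings the HTTP page in the poster's flow (login over HTTPS, then back to HTTP) no longer sees the authenticated session, which is the expected and intended result.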