Re: HTTP HTTPS Session question
totalstranger wrote:
> My Bluehost site is setup with a dedicated IP address, Rapid SSL
> certificate, PHP 5 and FastCGI is set on.
>
> When switching between HTTP and HTTPS I was under the impression the
> Session Data was independent for each protocol and I've read about
> various methods of storing session data in a database to bypass this
> problem. However while testing what I thought was incomplete code (no
> $_Session preservation code in place), I've discovered this is not true
> on my site.
>
> In other words I go from HTTP (request login), to HTTPS (do login and
> set SESSION variables), then back to HTTP(to maintain data), the session
> variables set in HTTPS are usable in HTTP and I get the exact same
> session id with both protocols without any code to preserve the
> $_SESSION data between protocols. While this may make my coding easier,
> it gives me a sense that something is wrong and I have a security risk.
> Can anyone confirm this is the way it's supposed to work?
This is how it works, but if you want to be able to determine where the
session has been set, I suggest you store $_SESSION['https']=$_SERVER['HTTPS']
when you start the session for the first time and then use
if($_SESSION['https']!=$_SERVER['HTTPS']) { exit; }
to prevent switching between SSL and Plain sessions.
--
//Aho
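Aho's protocol check, worked into a complete snippet as an added example (this is editor-supplied code, not code from the thread or from Bluehost). It assumes a stock PHP setup where `$_SERVER['HTTPS']` is non-empty on TLS requests and the session ID travels in the default cookie. The reason the original poster sees the same session ID on both protocols is that PHP's session cookie is sent by the browser over plain HTTP and HTTPS alike unless `session.cookie_secure` is set, so an ID issued over HTTP is the same ID that becomes authenticated after the HTTPS login; the helper below records the protocol at session start, refuses a session presented over the other protocol, and regenerates the ID at login so a pre-login ID seen on the wire is not the one that carries the authenticated state.

```php
<?php
// Added example, not code from the original thread.
// Assumes: $_SERVER['HTTPS'] is non-empty (and not "off") on TLS requests,
// and sessions use the default cookie transport.

// Normalise $_SERVER['HTTPS']: some SAPIs (IIS/ISAPI) set it to "off".
function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Remove the session cookie from the browser so a rejected ID is not resent.
function clear_session_cookie(): void
{
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
}

// Start the session and bind it to the protocol it was created on
// (the $_SESSION['https'] idea from the reply above).
function start_protocol_bound_session(): void
{
    // Keep the session ID out of reach of scripts; must be set before session_start().
    ini_set('session.cookie_httponly', '1');

    session_start();

    $https = is_https();

    if (!isset($_SESSION['https'])) {
        // First request of this session: remember where it was created.
        $_SESSION['https'] = $https;
        return;
    }

    if ($_SESSION['https'] !== $https) {
        // The same ID arrived over the other protocol: drop it server-side,
        // expire the cookie, and stop, rather than carrying state across.
        $_SESSION = [];
        clear_session_cookie();
        session_destroy();
        http_response_code(403);
        exit('Session protocol mismatch');
    }
}

// Call this once the credentials have been verified over HTTPS.
// Issuing a fresh ID means any ID that was visible on the HTTP leg
// does not become an authenticated one.
function mark_logged_in(string $username): void
{
    session_regenerate_id(true);          // new ID, old session file deleted
    $_SESSION['user']  = $username;
    $_SESSION['https'] = is_https();      // re-bind to the login protocol
}

start_protocol_bound_session();
```

If the application only needs the session after the HTTPS login, setting `session.cookie_secure=1` (in php.ini or with `ini_set()` before `session_start()`) is the simpler fix: the browser then never sends the session cookie over plain HTTP, so the HTTP and HTTPS halves of the site get independent sessions, which is the behaviour the original poster expected. The protocol-binding check above is for sites that deliberately move a session between the two and want to detect when an ID shows up where it was not issued.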