#1
My Bluehost site is set up with a dedicated IP address, a Rapid SSL certificate, PHP 5, and FastCGI switched on.

When switching between HTTP and HTTPS I was under the impression the session data was independent for each protocol, and I've read about various methods of storing session data in a database to bypass this problem. However, while testing what I thought was incomplete code (no $_SESSION preservation code in place), I've discovered this is not true on my site.

In other words, I go from HTTP (request login), to HTTPS (do login and set SESSION variables), then back to HTTP (to maintain data); the session variables set in HTTPS are usable in HTTP, and I get the exact same session id with both protocols without any code to preserve the $_SESSION data between protocols. While this may make my coding easier, it gives me a sense that something is wrong and I have a security risk. Can anyone confirm this is the way it's supposed to work? Thank you
#2
totalstranger wrote:
> My Bluehost site is set up with a dedicated IP address, Rapid SSL
> certificate, PHP 5 and FastCGI is set on.
>
> When switching between HTTP and HTTPS I was under the impression the
> Session Data was independent for each protocol and I've read about
> various methods of storing session data in a database to bypass this
> problem. However while testing what I thought was incomplete code (no
> $_Session preservation code in place), I've discovered this is not true
> on my site.
>
> In other words I go from HTTP (request login), to HTTPS (do login and
> set SESSION variables), then back to HTTP (to maintain data), the session
> variables set in HTTPS are usable in HTTP and I get the exact same
> session id with both protocols without any code to preserve the
> $_SESSION data between protocols. While this may make my coding easier,
> it gives me a sense that something is wrong and I have a security risk.
> Can anyone confirm this is the way it's supposed to work?

This is how it works, but if you want to be able to determine where the session has been set, I suggest you store $_SESSION['https']=$_SERVER['HTTPS'] when you start the session for the first time and then use if($_SESSION['https']!=$_SERVER['HTTPS']) { exit; } to prevent switching between SSL and plain sessions.

-- 
//Aho
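A PHP 5-compatible version of the check //Aho describes, added here as an example and not code from either post. It normalises $_SERVER['HTTPS'], which is unset on plain HTTP under Apache and "off" under IIS, and goes one step further than the thread by marking the session cookie Secure when the session starts over HTTPS, so the id issued at login is never sent back over plain HTTP; the function and session key names are assumptions.

```php
<?php
// Added example, not from the original thread. Function names and the
// session key 'started_over_https' are assumptions for illustration.

// $_SERVER['HTTPS'] is absent on plain HTTP under Apache and "off" under
// IIS, so a raw != comparison is unreliable; reduce it to a boolean.
function is_https(array $server)
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Start the session and pin it to the scheme it was first created under.
function start_pinned_session(array $server)
{
    $https = is_https($server);

    // Secure flag set when the session begins over HTTPS: the browser will
    // then not attach the session cookie to plain HTTP requests at all,
    // which is what prevents the id from being reused across protocols.
    // Arguments: lifetime, path, domain, secure, httponly (PHP 5.2+).
    session_set_cookie_params(0, '/', '', $https, true);
    session_start();

    if (!isset($_SESSION['started_over_https'])) {
        // First request of this session: remember the scheme.
        $_SESSION['started_over_https'] = $https;
        return;
    }

    if ($_SESSION['started_over_https'] !== $https) {
        // Scheme changed since the session began: discard the session
        // rather than let data set over HTTPS be used over plain HTTP.
        session_unset();
        session_destroy();
        header('HTTP/1.1 403 Forbidden');
        exit('Session was started under a different protocol.');
    }
}

start_pinned_session($_SERVER);
```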