HTTP HTTPS Session question

on 18.10.2007 18:25:18 by totalstranger

My Bluehost site is setup with a dedicated IP address, Rapid SSL
certificate, PHP 5 and FastCGI is set on.

When switching between HTTP and HTTPS I was under the impression the
Session Data was independent for each protocol and I've read about
various methods of storing session data in a database to bypass this
problem. However while testing what I thought was incomplete code (no
$_Session preservation code in place), I've discovered this is not true
on my site.

In other words I go from HTTP (request login), to HTTPS (do login and
set SESSION variables), then back to HTTP(to maintain data), the session
variables set in HTTPS are usable in HTTP and I get the exact same
session id with both protocols without any code to preserve the
$_SESSION data between protocols. While this may make my coding easier,
it gives me a sense that something is wrong and I have a security risk.
Can anyone confirm this is the way it's supposed to work?

Thank you

Re: HTTP HTTPS Session question

on 18.10.2007 18:40:43 by Shion

totalstranger wrote:
> My Bluehost site is setup with a dedicated IP address, Rapid SSL
> certificate, PHP 5 and FastCGI is set on.
>
> When switching between HTTP and HTTPS I was under the impression the
> Session Data was independent for each protocol and I've read about
> various methods of storing session data in a database to bypass this
> problem. However while testing what I thought was incomplete code (no
> $_Session preservation code in place), I've discovered this is not true
> on my site.
>
> In other words I go from HTTP (request login), to HTTPS (do login and
> set SESSION variables), then back to HTTP(to maintain data), the session
> variables set in HTTPS are usable in HTTP and I get the exact same
> session id with both protocols without any code to preserve the
> $_SESSION data between protocols. While this may make my coding easier,
> it gives me a sense that something is wrong and I have a security risk.
> Can anyone confirm this is the way it's supposed to work?

This is how cookies work, but if you want to be able to determine where the
session has been set, I suggest you store $_SESSION['https']=$_SERVER['HTTPS']
when you start the session for the first time and then use
if($_SESSION['https']!=$_SERVER['HTTPS']) { exit; }
to prevent switching between SSL and plain sessions.

--

//Aho

Re: HTTP HTTPS Session question

on 19.10.2007 03:55:03 by 4sak3n 0ne

On Oct 18, 9:40 am, "J.O. Aho" wrote:
> totalstranger wrote:
> > My Bluehost site is setup with a dedicated IP address, Rapid SSL
> > certificate, PHP 5 and FastCGI is set on.
>
> > When switching between HTTP and HTTPS I was under the impression the
> > Session Data was independent for each protocol and I've read about
> > various methods of storing session data in a database to bypass this
> > problem. However while testing what I thought was incomplete code (no
> > $_Session preservation code in place), I've discovered this is not true
> > on my site.
>
> > In other words I go from HTTP (request login), to HTTPS (do login and
> > set SESSION variables), then back to HTTP(to maintain data), the session
> > variables set in HTTPS are usable in HTTP and I get the exact same
> > session id with both protocols without any code to preserve the
> > $_SESSION data between protocols. While this may make my coding easier,
> > it gives me a sense that something is wrong and I have a security risk.
> > Can anyone confirm this is the way it's supposed to work?
>
> This is how cookies work, but if you want to be able to determine where the
> session has been set, I suggest you store $_SESSION['https']=$_SERVER['HTTPS']
> when you start the session for the first time and then use
> if($_SESSION['https']!=$_SERVER['HTTPS']) { exit; }
> to prevent switching between SSL and Plain sessions.
>
> --
>
> //Aho

Session data is stored in a file on the server's hard drive. As far
as I know, the protocol has no effect on the session data, unless the
client's session id has changed.

As for the security risk, the only real thing you need to worry about
is session ids falling into the hands of someone who shouldn't have
them. Once they have the user's session id, they become that user, SSL
or not.

Re: HTTP HTTPS Session question

on 19.10.2007 10:54:45 by Captain Paralytic

On 18 Oct, 17:40, "J.O. Aho" wrote:
> totalstranger wrote:
> > My Bluehost site is setup with a dedicated IP address, Rapid SSL
> > certificate, PHP 5 and FastCGI is set on.
>
> > When switching between HTTP and HTTPS I was under the impression the
> > Session Data was independent for each protocol and I've read about
> > various methods of storing session data in a database to bypass this
> > problem. However while testing what I thought was incomplete code (no
> > $_Session preservation code in place), I've discovered this is not true
> > on my site.
>
> > In other words I go from HTTP (request login), to HTTPS (do login and
> > set SESSION variables), then back to HTTP(to maintain data), the session
> > variables set in HTTPS are usable in HTTP and I get the exact same
> > session id with both protocols without any code to preserve the
> > $_SESSION data between protocols. While this may make my coding easier,
> > it gives me a sense that something is wrong and I have a security risk.
> > Can anyone confirm this is the way it's supposed to work?
>
> This is how cookies work, but if you want to be able to determine where the
> session has been set, I suggest you store $_SESSION['https']=$_SERVER['HTTPS']
> when you start the session for the first time and then use
> if($_SESSION['https']!=$_SERVER['HTTPS']) { exit; }
> to prevent switching between SSL and Plain sessions.
>
> --
>
> //Aho

My experience is that $_SERVER['HTTPS'] is not set for non https
accesses, so this would be better as
$_SESSION['https']=isset($_SERVER['HTTPS'])
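Putting the three pieces of advice in this thread together (Shion's transport flag, 4sak3n 0ne's point that the session id is the credential, Captain Paralytic's isset() fix), here is an added example that is not code from any of the posters. It assumes PHP 7.3 or later (for the array form of session_set_cookie_params) on a server that sets $_SERVER['HTTPS'] only on TLS requests, as Captain Paralytic describes; a TLS-terminating proxy that passes the scheme in a forwarded header is deliberately not handled. The session key name TRANSPORT_KEY is a hypothetical name chosen for the example.

```php
<?php
declare(strict_types=1);

// Added example for this thread, not code from any poster. Assumes PHP >= 7.3
// and that $_SERVER['HTTPS'] is present only on TLS requests (no proxy).

const TRANSPORT_KEY = '__https';   // hypothetical session key holding the flag

// isset() avoids the undefined-index notice on plain HTTP; the 'off' test
// covers SAPIs (IIS, for one) that populate the variable on both protocols.
function is_https(array $server): bool
{
    return isset($server['HTTPS']) && strtolower((string) $server['HTTPS']) !== 'off';
}

// Shion's check with a boolean flag: the first use binds the session to the
// current transport, after which every request must arrive the same way.
function transport_matches(array &$session, bool $https): bool
{
    if (!array_key_exists(TRANSPORT_KEY, $session)) {
        $session[TRANSPORT_KEY] = $https;
        return true;
    }
    return $session[TRANSPORT_KEY] === $https;
}

// Returns true when a session is active and trustworthy for this request.
function secure_session_start(bool $https): bool
{
    // No cookie on a plain-HTTP request: nothing to validate, and a Secure
    // cookie issued over HTTP would be dropped by the browser anyway.
    if (!$https && !isset($_COOKIE[session_name()])) {
        return false;
    }

    ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,  // the browser sends this cookie over HTTPS only
        'httponly' => true,  // document.cookie cannot read it
        'samesite' => 'Lax',
    ]);
    session_start();

    if (!transport_matches($_SESSION, $https)) {
        // The id has just crossed the network over the other transport (with a
        // Secure cookie that means an old or non-compliant client). Destroy it
        // server-side instead of a bare exit(): exit leaves the exposed id
        // valid for whoever captured it.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Call once the credentials have been verified, on the HTTPS login page.
// Rotating the id here invalidates any id an attacker planted or sniffed
// before the login (session fixation).
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Bootstrap: include before any output on every page.
$authenticated = secure_session_start(is_https($_SERVER)) && isset($_SESSION['user_id']);
```

With the Secure attribute set, the browser never sends the session cookie to an http:// page, so plain-HTTP pages see an empty session; that is the separation between the two protocols the original poster expected to find. The transport flag is a second line of defence for cookies issued before the attribute was turned on. Note that the flag check by itself does not make a session safe to carry over HTTP: by the time the mismatch is detected, the id has already travelled in the clear, which is why the code destroys the session rather than letting it continue.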