[phpdoctor]

Hay,

heres an example of my problem:
pages1.php (Not SSL)

PHP Code:

<?php



session_start() ;

$_SESSION['session_one'] = 'hello' ;



?>

pages2.php (SSL)

PHP Code:

<?php



session_start() ;

echo $_SESSION['session_one'] ;



?>

When I go from page1.php to page2.php it doesnt get the session created because it starts a new session, because the address is different?

I can send the session_id() by $_GET and can it on page2.php
BUT this is unsercure

Is there any other ways of going about this?

[mab]

There is a browser requirement that says that a session id (cookie) cannot be passed between a https and a http page. The reason is so that a session id that is created on a secure page won't ever be exchanged with the server through an unsecured connection, in case someone is monitoring/intercepting the data packets. As a result, browsers have separate http and https session caches and they won't send a session cookie created on one type of page to the other. The reason why it is not allowed to send a session id from a http page to a https one, is if someone has already intercepted the session id and you set some sensitive data on the https page, they would be able to access that information using the session id that has already been intercepted.

If your data is not that sensitive, the workaround is to pass the session id on the end of the URL and then do a session_start using that id.

The moral of the above, if you truly have sensitive data that you want to insure that no one has a chance of intercepting or accessing, only exchange the data and the session id through a https connection.

If you have less sensitive data that you want to pass, then store it in a database using a unique/random/use-one-time-then-destroy identifier and pass that identifier on the end of the URL.

[phpdoctor]

Thanks for the help,
I will try your suggestion

Thanks again,
Lex