

When moving to ssl, sessions are gone...

#1 | phpdoctor | 07-14-08, 05:26 PM

When going from non-SSL to my SSL page, the session is gone because it's a new URL... which creates a new session id...

How do I transfer the session in a secure way? Use DB?
Note: session_regenerate_id() is used also... so the session id changes every time the page reloads. (Stops fixation)

Thanks!
Lex

#2 | DAL | 07-14-08, 05:44 PM
Hi phpdoctor,

I'm wondering if I would have any problems with moving over some pages to SSL, so I googled your question for both our information.

Seems someone solved it via:
http://forums.devshed.com/showpost.p...74&postcount=3

Let me know if this works, as I haven't begun moving anything over as yet, but it would be good to know.

Also, have you had to change anything else, i.e. file paths are still, e.g., /mygraphics/myimage.jpg rather than having to address the full path https://mygraphics/myimage.jpg? Never used SSL so I'm in the dark on... well, everything!

Kind regards
Dal

#3 | phpdoctor | 07-14-08, 07:10 PM
Thanks for the link... it's a bit old (2002) and not sure if it's what I need.
This is for a checkout button... the checkout area needs to be SSL, it's a shared SSL cert also... foxbat...
When I get to the checkout area the session is gone...

If your image's src is "mygraphics/myimage.jpg" then it doesn't matter if you're using SSL or not... if you use the full path then it will get it from that site. I don't use full paths because of testing on my local server... would be annoying if the images loaded from the site when you're just on your local server.

Thanks,
Lex

#4 | DAL | 07-14-08, 07:14 PM
Sorry, that link wasn't as useful as I intended it to be.

The img src was just an example of something I thought might have been a problem. So I imagine nothing but the communication between client and server changes, apart from your sessions going missing.

I'm sure you're not the only one to use SSL, forum seems quiet over the past 4 days. Oh well, hope you get your answer.

Kind regards
Dal

#5 | mab | 07-15-08, 07:03 AM
Browsers don't pass session cookies (any cookies) when going back and forth between https and http protocols. There is actually an RFC standard that specifies this behavior. This is for security purposes, so that if someone is monitoring data packets (such as over a non-encrypted wireless connection), any data (including the session id cookie or session id on the end of the URL) that is sent back and forth between the browser and the server cannot be seen, taken, or used to impersonate the visitor.

There is a way to work around this by passing the session id on the end of the URL, but this defeats the purpose of buying and using an SSL certificate. If you have any data that is important enough to be using https/SSL for, then you should use https for the duration of the whole visit.

Your first post does not mention how the URL changes when going back and forth between http and https. If the different pages are on different servers that don't have access to the same session data file storage, then you would need to set up a shared location to use, such as a shared folder or a database.

#6 | DAL | 07-15-08, 08:44 AM
Sorry, didn't mean to hijack your thread again phpdoc, but based on mab's reply I'm curious:

Setting your whole site in SSL, are there any issues with that, i.e. speed?

Thanks
Dal

#7 | mab | 07-15-08, 08:57 AM
Actually I said for the duration of the whole visit. Meaning (or what I meant was) the page(s) where you expect the transfer of information to remain secure. That does not imply a whole site.

Yes. Any page or content on that page (unless you want the warning pop-up about displaying secure and non-secure information) will take longer to transfer.

#8 | phpdoctor | 07-15-08, 04:40 PM
Ok, it's a shared SSL: https://foxbat.oksecure.com/~$username/checkout.php
Basically the user clicks the checkout link and it goes to this SSL checkout page....
If I send the session id, I can get the session back by changing the session id... which is my problem (unsecure).
It goes back to the non-secure site when the checkout process is complete.

Is saving the sessions in a specific folder good? (session_save_path())

Thanks,
Lex

#9 | mab | 07-15-08, 05:46 PM
If you are on a shared server, setting the session save path to a private folder within your account space will ensure that none of the other accounts have access to the session data files, and this will prevent garbage collection that runs due to the other accounts from deleting your session data files (people often set short garbage collection lifetime values in an incorrect attempt to end sessions).

If you can, set this to a folder that is outside of (closer to the disk root) your web document root folder. This will prevent anyone from browsing to the files. If this option is not available, then you would need to put the folder within your web document root folder, but you must add either a .htaccess file that prevents (deny) all web access or place an empty default document in it so that if anyone figures out the folder name and browses to it, they cannot access the files.

#10 | phpdoctor | 07-15-08, 09:54 PM
Thanks, yeah, I did htaccess it because I can't get the folder outside of the webroot.
When going to the SSL link, is there a way to send a hash and have the session in the DB? Maybe this can only work once to prevent fixation?

I wonder how others do this...

Lex
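
One way to build the single-use hash handoff asked about in post #10, with the carried-over data held in a database as post #5 suggests for hosts that do not share session storage. This is an added example, not code from the thread; the `handoff` table, the function names, the 60-second lifetime and the `t` query parameter are assumptions.

```php
<?php
// Added example, not from the thread. Table, function names and TTL are assumptions.

function handoff_db(): PDO {
    // In-memory SQLite so the example runs offline; in practice both the HTTP
    // site and the SSL checkout host would connect to the same shared database.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE handoff (token_hash TEXT PRIMARY KEY,
               payload TEXT NOT NULL, expires_at INTEGER NOT NULL)');
    return $db;
}

// HTTP side: park the data to carry over, return a random token for the link.
function issue_handoff(PDO $db, array $data, int $ttl = 60): string {
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    // Only the hash is stored, so a leaked table yields no usable tokens.
    $db->prepare('INSERT INTO handoff VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), json_encode($data), time() + $ttl]);
    return $token;
}

// HTTPS side: a replayed, expired or unknown token returns null.
function redeem_handoff(PDO $db, string $token): ?array {
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $sel = $db->prepare('SELECT payload FROM handoff
                         WHERE token_hash = ? AND expires_at >= ?');
    $sel->execute([$hash, time()]);
    $payload = $sel->fetchColumn();
    $del = $db->prepare('DELETE FROM handoff WHERE token_hash = ?');
    $del->execute([$hash]);
    // Exactly one deleted row means this request consumed the token.
    $won = $payload !== false && $del->rowCount() === 1;
    $db->commit();
    return $won ? json_decode($payload, true) : null;
}

$db     = handoff_db();
$token  = issue_handoff($db, ['cart' => [['sku' => 'A1', 'qty' => 2]]]); // constructed cart
$first  = redeem_handoff($db, $token);   // what checkout.php would do with $_GET['t'] (assumed name)
$second = redeem_handoff($db, $token);   // replay of the same link
var_dump($first, $second);
// On success, start a fresh session on the HTTPS host (cookie flagged secure,
// then session_regenerate_id(true)) and copy $first into $_SESSION, so the
// HTTP session id itself never crosses over.
```

Because the link carrying the token is issued over plain HTTP, the short lifetime and single use only narrow the window for interception, so carry over cart contents rather than login state.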