a question on session ID and security

Hi! I am developing a site with some authenticated-users-only features. I would like to know if the following is true:

1. The script for the login process is located on an SSL-enabled server, so usernames and passwords are encrypted.
2. Upon successful login, the user is relocated to a non-SSL-enabled server which hosts the scripts that contain the authenticated-user-only features.

So, while usernames and passwords are protected by SSL, the PHPSESSID is not. In other words, anyone who captures that HTTP GET packet can get the session ID. Is that true? Another question: is that session ID valid only until unset() and session_destroy() are called? So the attacker who has the session ID must fake the session before the real user logs out. Is that true?

Thanks in advance for any help offered.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
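The questions above come down to two things a defender controls: whether the browser will ever send PHPSESSID over plain HTTP, and how long a captured id stays usable. The following is an added example (not code from the original post or from PHP itself) showing one way to set both up in PHP 7.3 or later: the session cookie is marked Secure so the browser withholds it from any non-SSL page, the id is regenerated at login, an idle timeout bounds the id's lifetime, and logout removes the cookie as well as the server-side session. The file names login.php and logout.php, the redirect URL and the 900-second idle limit are assumptions for illustration.

```php
<?php
// Added example, not from the original post: hardening the PHP session that
// carries PHPSESSID so the id is only ever sent over HTTPS and stops being
// valid as soon as the user logs in (new id) or out (destroyed id).
//
// Assumptions (not in the post): PHP 7.3+, the login script and every
// authenticated page are served over HTTPS on the same host.

declare(strict_types=1);

// Must run before session_start() on every page, e.g. from a shared include.
function configureSession(): void
{
    // Accept the session id from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject ids the server did not generate itself, including ids that
    // were already destroyed by session_destroy().
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // browser sends PHPSESSID over HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

function startSessionIfNeeded(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        configureSession();
        session_start();
    }
}

// login.php: call this only after the username/password check succeeded.
function establishSession(string $username): void
{
    startSessionIfNeeded();
    // Replace the pre-login id so that an id seen before authentication
    // is not the id that becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user']      = $username;
    $_SESSION['last_seen'] = time();
}

// Guard for authenticated-only pages. Returns the username or null.
// The idle timeout bounds how long a leaked id would remain usable.
function requireLogin(int $idleSeconds = 900): ?string
{
    startSessionIfNeeded();
    if (empty($_SESSION['user'])) {
        return null;
    }
    if (time() - (int) $_SESSION['last_seen'] > $idleSeconds) {
        endSession();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (string) $_SESSION['user'];
}

// logout.php: the unset() + session_destroy() from the post, plus expiring
// the cookie on the client so the old id is gone on both sides.
function endSession(): void
{
    startSessionIfNeeded();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Constructed page flow for a protected page (the redirect URL is a placeholder):
// $user = requireLogin();
// if ($user === null) {
//     header('Location: https://example.invalid/login.php');
//     exit;
// }
```

With the cookie marked Secure, the redirect to a non-SSL host described in the post would simply arrive without PHPSESSID, so the authenticated area has to stay on the SSL-enabled server for the session to work at all; that is the intended effect, since it is the only way the id is never exposed in cleartext.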