Re: Security warning

tedd schreef:
> At 4:34 PM -0400 9/22/08, Daniel Brown wrote:
> On Mon, Sep 22, 2008 at 2:48 PM, tedd <tedd@xxxxxxxxxxxx> wrote:
> > However, when the user exits https and returns back to the http side of
> > things, the user receives a warning.
>
>     If the error you're getting is just saying that you're being
> redirected from a secure to an insecure site, that's based on browser
> security, which - thank God - is not a(n easily) changeable thing from
> the 'Net.
>
> Daniel:
>
> That's it exactly.
>
> The client saw this warning in FF but not in Safari and wanted me to turn it off.
>
> I told him the reason I thought, which you just confirmed, but I wanted to be sure.

I can't remember where I read about it but the warning is probably due to
the vulnerability inherent with having a cookie available via https *and* http.

just for kicks you might try regenerating the session id just before you move
them off the https page ... doubt that will have an effect though.

you might consider using separate cookies for https and http and using a
special redirector script to move the user from http to https (passing along
a SID like identifier to use as a matching mechanism for the 2 cookies/sessions),
obviously ... I feel that this is going to be a step backwards in terms of
security.

lastly you might try viewing headers (liveheaders) of a site that seems to
do the same (but without the warning)

my personal theory on this is do *everything* via https, screw the overhead
and buy a bigger box ... given the state of the art it won't be *that* long
before pretty much every site handling forms/transactions/etc uses https
exclusively. besides which, always having the funky little lock in the status
bar can be [stupidly?] reassuring to the average user.


> Thanks,
>
> tedd



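Below is an added example (not code from anyone in this thread) of the "separate cookies for https and http plus a redirector" approach described in the reply above, combined with regenerating the session id before leaving the https side. It assumes PHP 7.0 or later (for random_bytes) and the positional signature of session_set_cookie_params; the cookie names, the handoff.php target, the 60-second token lifetime and the file-based token store are all my own choices for illustration, not anything the thread specifies.

```php
<?php
// Added example, not code from the thread. Session-cookie setup for a site that
// runs part of a visit over https and part over http, plus a redirector handoff
// that passes a one-time SID-like token between the two sessions.
// Assumptions: PHP 7.0+ (random_bytes); cookie names, the temp-file token store
// and the 60-second token lifetime are illustrative choices only.

$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// One cookie name per scheme so the two sessions never share a cookie, and the
// https cookie marked Secure so the browser will not send it over plain http.
session_name($isHttps ? 'https_session' : 'http_session');
session_set_cookie_params(
    0,         // lifetime 0: cookie lives until the browser closes
    '/',       // path
    '',        // domain: current host only
    $isHttps,  // secure: send only over TLS
    true       // httponly: not readable by script
);
session_start();

// Called on the https side just before sending the user to an http page.
// Mints a one-time token, stores under it the data the http side needs,
// regenerates the https session id, and redirects with the token in the URL.
function beginHandoff($httpTargetUrl)
{
    $token = bin2hex(random_bytes(16));
    $store = sys_get_temp_dir() . '/handoff_' . $token;   // stand-in for a DB row
    file_put_contents($store, json_encode(array(
        'user_id' => isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null,
        'expires' => time() + 60,                          // short lifetime
    )));
    session_regenerate_id(true);   // retire the id used during the secure part
    header('Location: ' . $httpTargetUrl . '?handoff=' . $token);
    exit;
}

// Called on the http side (e.g. from handoff.php). Redeems the token exactly
// once, then continues with a fresh http session carrying only the copied
// data; the https session id itself never reaches the plaintext side.
function redeemHandoff()
{
    if (!isset($_GET['handoff']) || !preg_match('/^[0-9a-f]{32}$/', $_GET['handoff'])) {
        return false;
    }
    $store = sys_get_temp_dir() . '/handoff_' . $_GET['handoff'];
    if (!is_file($store)) {
        return false;
    }
    $data = json_decode(file_get_contents($store), true);
    unlink($store);                                        // one-time use
    if (!is_array($data) || $data['expires'] < time()) {
        return false;
    }
    session_regenerate_id(true);                           // fresh id on this side too
    $_SESSION['user_id'] = $data['user_id'];
    return true;
}
```

The Secure flag on the https cookie is what actually keeps that cookie off the http side; the redirector only carries over the minimum state the http pages need, and the token is consumed on first use and expires quickly so a copied URL cannot be replayed later. Whether a given browser still shows its secure-to-insecure warning after a redirect is, as Daniel says above, the browser's decision, not something this code controls.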
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

