On 1/30/10 2:25 AM, Ben Miller wrote:
> Hi, I've always thought that session data was subdomain specific and would
> not carry over between http://www.mydomain.com and
> https://secure.mydomain.com, but it seems to be working for me now. Can I
> rely on this and post from http://www.mydomain.com to
> https://secure.mydomain.com and simply pass a hidden input containing
> PHPSESSID, or do I need to pass each key=>value pair that _SESSION contains
> at www. and reset them as _SESSION vars at secure.
> <https://secure.mydomain.com> ?
>

1. cookies are shared automatically on SUB domains, so if you set your cookie domain to example.com it will be available at both www.example.com and secure.example.com

2. cookies can have an HTTPS flag set which means they will not be shared with non-HTTPS connections.

3. DON'T put the contents of $_SESSION on the wire. (given the question you're asking I'd hazard a guess you don't have the skills to sufficiently

4. google/read/search/learn about the security implications of sharing a cookie between HTTPS and non-HTTPS domains.

5. session_regenerate_id() - I would use this if you intend to pass session ids around, although it will probably give you a stack of problems in terms of usability (e.g. back button usage), actually I'd use it any time you log someone in or out or have a user perform a particularly sensitive action.

6. the $_SESSION will only be available on both sites if they are both on the same server and running with the same session ini settings (i.e. session save path, session name) - different servers could obviously be using a shared filesystem or an alternative session storage (e.g. memcached or database server).

7. consider not sharing the session - instead pass just the data that you need (e.g. shopping basket contents etc) and either include a hash of the data (which uses a secret string that is not included in the form/url/etc but that both servers/sites know about) AND/OR use 2-way public key encryption on the data that you pass in between the servers/sites.

Personally, for higher end commercial sites I prefer to just put everything on HTTPS, solving all potential issues with sharing a cookie or data between non-HTTPS and HTTPS sites, and everything directly related ... the cost being extra overhead per request - but hardware is cheap and security is difficult to get exactly right.

The biggest names on the web have [had] security loopholes/problems related to these issues, and they generally have tons of man power and some very clever/knowledgeable people on their teams - which is to say: your chances (and mine for that matter) of not making any mistakes on this front are slimmer than theirs.

> Thanks in advance,
>
> Ben
>
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
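An added example, not from the thread above, showing what items 2, 5 and 7 of the reply look like in PHP: an HTTPS-only session cookie, session_regenerate_id() at login, and passing only the basket data between www. and secure. with an HMAC instead of the session id. The function names and the sample basket are constructed; $sharedSecret is an assumed value that both sites hold in server-side configuration.

```php
<?php
// Added example, not from the original thread. Illustrates items 2, 5 and 7 of
// the reply. $sharedSecret is an assumed value known to both sites and must come
// from server-side configuration, never from the form or URL.
$sharedSecret = 'replace-with-a-long-random-secret-known-to-both-sites';

// Item 2: session cookie sent over HTTPS only and hidden from JavaScript
// (the array form of session_set_cookie_params needs PHP 7.3+).
function startSecureSession(): void
{
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Item 5: issue a fresh session id whenever privilege changes (login/logout).
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Item 7, sending side (www.): sign only the data secure. needs, not the session
// id. Returns the two hidden-field values for the form posted to secure.
function signPayload(array $data, string $secret): array
{
    $payload = base64_encode(json_encode($data));
    return ['payload' => $payload, 'mac' => hash_hmac('sha256', $payload, $secret)];
}

// Item 7, receiving side (secure.): recompute the MAC and compare in constant
// time; return null, and trust nothing, if the payload was altered in transit.
function verifyPayload(string $payload, string $mac, string $secret): ?array
{
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $decoded = base64_decode($payload, true);
    return $decoded === false ? null : json_decode($decoded, true);
}

// Constructed sample: a basket posted from www. to secure., then a tampered copy.
$fields = signPayload(['basket' => [['sku' => 'A1', 'qty' => 2]]], $sharedSecret);
var_dump(verifyPayload($fields['payload'], $fields['mac'], $sharedSecret));
var_dump(verifyPayload($fields['payload'] . 'x', $fields['mac'], $sharedSecret));
```

The MAC only proves the data was not modified; anyone on the path can still read it, which is why the reply also suggests encrypting the payload or simply serving both sites over HTTPS.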