
HTTP HTTPS Session question

totalstranger
Guest
 
Posts: n/a
#1: Oct 18 '07
My Bluehost site is set up with a dedicated IP address, Rapid SSL
certificate, PHP 5 and FastCGI is set on.

When switching between HTTP and HTTPS I was under the impression the
Session Data was independent for each protocol and I've read about
various methods of storing session data in a database to bypass this
problem. However while testing what I thought was incomplete code (no
$_Session preservation code in place), I've discovered this is not true
on my site.

In other words I go from HTTP (request login), to HTTPS (do login and
set SESSION variables), then back to HTTP (to maintain data), the session
variables set in HTTPS are usable in HTTP and I get the exact same
session id with both protocols without any code to preserve the
$_SESSION data between protocols. While this may make my coding easier,
it gives me a sense that something is wrong and I have a security risk.
Can anyone confirm this is the way it's supposed to work?

Thank you

Steve
Guest
 
Posts: n/a
#2: Oct 19 '07

re: HTTP HTTPS Session question



"totalstranger" <totalstranger@not.yahoo.net> wrote in message
news:4iIRi.294$TT4.206@newsfe12.lga...
Quote:
My Bluehost site is set up with a dedicated IP address, Rapid SSL
certificate, PHP 5 and FastCGI is set on.
>
When switching between HTTP and HTTPS I was under the impression the
Session Data was independent for each protocol and I've read about various
methods of storing session data in a database to bypass this problem.
However while testing what I thought was incomplete code (no $_Session
preservation code in place), I've discovered this is not true on my site.
>
In other words I go from HTTP (request login), to HTTPS (do login and set
SESSION variables), then back to HTTP (to maintain data), the session
variables set in HTTPS are usable in HTTP and I get the exact same session
id with both protocols without any code to preserve the $_SESSION data
between protocols. While this may make my coding easier, it gives me a
sense that something is wrong and I have a security risk. Can anyone
confirm this is the way it's supposed to work?
why is *any* of this a surprise OR security risk? ssl is a means to secure the
communication between the client and server. sessions relate to either
cookies on the client or session files on your server. none of that has
*any* relation to secured sockets or not. your spidey senses are simply
whacked. why *should* this work any other way? are you suggesting that ssl
protects *you* from being hacked? that's not only a misconception, it's a
dangerous mentality.

sessions are hard to coordinate between *domains*...not HTTP&S.
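The mechanics are as Steve describes: PHP keeps the session id in a cookie, and a cookie set without the Secure flag is sent with both HTTP and HTTPS requests, so both schemes see the same session; the consequence for totalstranger's flow is that the id of the authenticated session also travels in clear text on the HTTP pages. The following is an added example, not code from either poster, showing one way to keep the two sessions apart with PHP 5.2+ (the cookie name SECSESSID and the auth_https flag are this example's own choices):

```php
<?php
// Added example. Assumes PHP >= 5.2 (httponly argument of session_set_cookie_params).

function request_is_https()
{
    // Apache/FastCGI sets HTTPS to "on" for TLS requests; some SAPIs use "off" instead of unsetting it.
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Call on every page instead of a bare session_start().
function start_session_for_request()
{
    $https = request_is_https();
    // A different cookie name per scheme makes the HTTP and HTTPS sessions
    // independent, which is the behaviour the original post expected.
    session_name($https ? 'SECSESSID' : 'PHPSESSID');
    // secure=true on HTTPS: the browser never sends SECSESSID over plain HTTP.
    // httponly=true on both: script in the page cannot read the cookie.
    session_set_cookie_params(0, '/', '', $https, true);
    session_start();
}

// Call after the credentials have been verified; only valid on an HTTPS request.
function mark_logged_in($userId)
{
    if (!request_is_https()) {
        throw new RuntimeException('login must be processed over HTTPS');
    }
    // Discard the id that was issued before authentication so a pre-login id
    // cannot be carried into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['auth_https'] = true;
}

// Returns the authenticated user only when the request arrived over HTTPS.
// The plain-HTTP session may hold non-sensitive data (cart contents, locale) but never login state.
function current_user_id()
{
    if (!request_is_https() || empty($_SESSION['auth_https'])) {
        return null;
    }
    return isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
}
```

With this split, data that genuinely has to be visible on HTTP pages is copied into the plain-HTTP session explicitly (or read from a database keyed by the user), which is what the "store session data in a database" advice the original post mentions is for.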


totalstranger
Guest
 
Posts: n/a
#3: Oct 21 '07

re: HTTP HTTPS Session question


On or about 10/19/2007 10:09 AM, it came to pass that Steve wrote:
Quote:
"totalstranger" <totalstranger@not.yahoo.net> wrote in message
news:4iIRi.294$TT4.206@newsfe12.lga...
Quote:
>My Bluehost site is set up with a dedicated IP address, Rapid SSL
>certificate, PHP 5 and FastCGI is set on.
>>
>When switching between HTTP and HTTPS I was under the impression the
>Session Data was independent for each protocol and I've read about various
>methods of storing session data in a database to bypass this problem.
>However while testing what I thought was incomplete code (no $_Session
>preservation code in place), I've discovered this is not true on my site.
>>
>In other words I go from HTTP (request login), to HTTPS (do login and set
>SESSION variables), then back to HTTP (to maintain data), the session
>variables set in HTTPS are usable in HTTP and I get the exact same session
>id with both protocols without any code to preserve the $_SESSION data
>between protocols. While this may make my coding easier, it gives me a
>sense that something is wrong and I have a security risk. Can anyone
>confirm this is the way it's supposed to work?
>
why is *any* of this a surprise OR security risk? ssl is a means to secure the
communication between the client and server. sessions relate to either
cookies on the client or session files on your server. none of that has
*any* relation to secured sockets or not. your spidey senses are simply
whacked. why *should* this work any other way? are you suggesting that ssl
protects *you* from being hacked? that's not only a misconception, it's a
dangerous mentality.
>
sessions are hard to coordinate between *domains*...not HTTP&S.
>
>
Wow! You must have born with a full insight to everything!
totalstranger
Guest
 
Posts: n/a
#4: Oct 21 '07

re: HTTP HTTPS Session question


On or about 10/21/2007 4:15 PM, it came to pass that totalstranger wrote:
Quote:
On or about 10/19/2007 10:09 AM, it came to pass that Steve wrote:
Quote:
>"totalstranger" <totalstranger@not.yahoo.net> wrote in message
>news:4iIRi.294$TT4.206@newsfe12.lga...
Quote:
>>My Bluehost site is set up with a dedicated IP address, Rapid SSL
>>certificate, PHP 5 and FastCGI is set on.
>>>
>>When switching between HTTP and HTTPS I was under the impression the
>>Session Data was independent for each protocol and I've read about
>>various methods of storing session data in a database to bypass this
>>problem. However while testing what I thought was incomplete code (no
>>$_Session preservation code in place), I've discovered this is not
>>true on my site.
>>>
>>In other words I go from HTTP (request login), to HTTPS (do login and
>>set SESSION variables), then back to HTTP (to maintain data), the
>>session variables set in HTTPS are usable in HTTP and I get the exact
>>same session id with both protocols without any code to preserve the
>>$_SESSION data between protocols. While this may make my coding
>>easier, it gives me a sense that something is wrong and I have a
>>security risk. Can anyone confirm this is the way it's supposed to work?
>>
>why is *any* of this a surprise OR security risk? ssl is a means to
>secure the communication between the client and server. sessions
>relate to either cookies on the client or session files on your
>server. none of that has *any* relation to secured sockets or not.
>your spidey senses are simply whacked. why *should* this work any other
>way? are you suggesting that ssl protects *you* from being hacked?
>that's not only a misconception, it's a dangerous mentality.
>>
>sessions are hard to coordinate between *domains*...not HTTP&S.
>>
Wow! You must have born with a full insight to everything!
Umm, before Steve objects to my English, that should have been:
Wow! You must have been born with a full insight to everything!
Steve
Guest
 
Posts: n/a
#5: Oct 22 '07

re: HTTP HTTPS Session question



"totalstranger" <totalstranger@not.yahoo.net> wrote in message
news:VtOSi.386$wc5.237@newsfe12.lga...
Quote:
On or about 10/21/2007 4:15 PM, it came to pass that totalstranger wrote:
Quote:
>On or about 10/19/2007 10:09 AM, it came to pass that Steve wrote:
Quote:
>>"totalstranger" <totalstranger@not.yahoo.net> wrote in message
>>news:4iIRi.294$TT4.206@newsfe12.lga...
>>>My Bluehost site is set up with a dedicated IP address, Rapid SSL
>>>certificate, PHP 5 and FastCGI is set on.
>>>>
>>>When switching between HTTP and HTTPS I was under the impression the
>>>Session Data was independent for each protocol and I've read about
>>>various methods of storing session data in a database to bypass this
>>>problem. However while testing what I thought was incomplete code (no
>>>$_Session preservation code in place), I've discovered this is not true
>>>on my site.
>>>>
>>>In other words I go from HTTP (request login), to HTTPS (do login and
>>>set SESSION variables), then back to HTTP (to maintain data), the
>>>session variables set in HTTPS are usable in HTTP and I get the exact
>>>same session id with both protocols without any code to preserve the
>>>$_SESSION data between protocols. While this may make my coding easier,
>>>it gives me a sense that something is wrong and I have a security risk.
>>>Can anyone confirm this is the way it's supposed to work?
>>>
>>why is *any* of this a surprise OR security risk? ssl is a means to secure
>>the communication between the client and server. sessions relate to
>>either cookies on the client or session files on your server. none of
>>that has *any* relation to secured sockets or not. your spidey senses are
>>simply whacked. why *should* this work any other way? are you suggesting
>>that ssl protects *you* from being hacked? that's not only a
>>misconception, it's a dangerous mentality.
>>>
>>sessions are hard to coordinate between *domains*...not HTTP&S.
>>>
>Wow! You must have born with a full insight to everything!
Umm, before Steve objects to my English, that should have been:
Wow! You must have been born with a full insight to everything!
why no, i had no problems with your english and am usually pretty forgiving
when i know it's not someone's native language. and, i think i've only
teased one person about their english because i thought the comment would be
understood as a joke...it wasn't, so, i don't tend to tease anyone about
that anymore.

second, why were my comments taken as an insult? notice, i wasn't YELLING
at any point. i used asterisks to draw out certain key points i was trying to
make. a limitation of this medium is that i cannot show inflection or
emphasis in very many ways.

third and most obvious to observe here, is that i *don't* know
everything...nor do i pretend to. i'll just simply take your reaction as a
"knee-jerk" comment at what you perceived was an insult.

