By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
455,717 Members | 1,320 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 455,717 IT Pros & Developers. It's quick & easy.

Sessions and ssl

P: n/a
Ken
This is very frustrating.

I am having problems understanding how to transfer session_id() between a
secure page to an unsecure page.
When I move from the secure page to the unsecure page the session_id
changes.
Here is the script:

Secure page:
<?php
session_name('thename');
session_start();
echo session_id();
..
..
..
<form name="review" method="post" action="<?PHP echo
$_SESSION['std_dir'].'add_pic.php';?>">
<input type="hidden" name="<?PHP echo session_id(); ?>" value="<?PHP echo
session_id(); ?>">
<table align=center cellspacing=0 cellpadding=0 border="0">
<tr><td align="center"><input type="submit" value='Continue' style='font:
10pt Arial; font weight: bold; color: 7F0738; background:
FAB918;'></td></tr></table>
</form>

This is the receiving page:
<?php
error_reporting(E_ALL);
session_name('thename');
session_start();
echo session_id()."<br>";
Jul 17 '05 #1
Share this Question
Share on Google+
6 Replies


P: n/a
Ken
"Ken" <kk******@wi.rr.com> wrote in message
news:gr******************@twister.rdc-kc.rr.com...
This is very frustrating.

I am having problems understanding how to transfer session_id() between a
secure page to an unsecure page.
When I move from the secure page to the unsecure page the session_id
changes.
Here is the script:

Secure page:
<?php
session_name('thename');
session_start();
echo session_id();
.
.
.
<form name="review" method="post" action="<?PHP echo
$_SESSION['std_dir'].'add_pic.php';?>">
<input type="hidden" name="<?PHP echo session_id(); ?>" value="<?PHP echo
session_id(); ?>">
<table align=center cellspacing=0 cellpadding=0 border="0">
<tr><td align="center"><input type="submit" value='Continue' style='font:
10pt Arial; font weight: bold; color: 7F0738; background:
FAB918;'></td></tr></table>
</form>

This is the receiving page:
<?php
error_reporting(E_ALL);
session_name('thename');
session_start();
echo session_id()."<br>";

Additional info $_SESSION['std_dir'] = http://domainname.com
Jul 17 '05 #2

P: n/a
Ken
"Ken" <kk******@wi.rr.com> wrote in message
news:cN*******************@twister.rdc-kc.rr.com...
"Ken" <kk******@wi.rr.com> wrote in message
news:gr******************@twister.rdc-kc.rr.com...
This is very frustrating.

I am having problems understanding how to transfer session_id() between a secure page to an unsecure page.
When I move from the secure page to the unsecure page the session_id
changes.
Here is the script:

Secure page:
<?php
session_name('thename');
session_start();
echo session_id();
.
.
.
<form name="review" method="post" action="<?PHP echo
$_SESSION['std_dir'].'add_pic.php';?>">
<input type="hidden" name="<?PHP echo session_id(); ?>" value="<?PHP echo session_id(); ?>">
<table align=center cellspacing=0 cellpadding=0 border="0">
<tr><td align="center"><input type="submit" value='Continue' style='font: 10pt Arial; font weight: bold; color: 7F0738; background:
FAB918;'></td></tr></table>
</form>

This is the receiving page:
<?php
error_reporting(E_ALL);
session_name('thename');
session_start();
echo session_id()."<br>";

Additional info $_SESSION['std_dir'] = http://domainname.com

I figured this out.

I have been getting inconsistent results with the approaches I tried. Just
wanted a discussion on the pros and cons of the various ways to accomplish
the passing of session_id.

Cancel this request.

Ken
Jul 17 '05 #3

P: n/a
"Ken" <kk******@wi.rr.com> wrote in message
news:gr******************@twister.rdc-kc.rr.com...
This is very frustrating.

I am having problems understanding how to transfer session_id() between a
secure page to an unsecure page.
When I move from the secure page to the unsecure page the session_id
changes.


You do realize that by doing so you're defeating the whole purpose of using
SSL?
Jul 17 '05 #4

P: n/a
I agree--- Dont do this.. Save your current session into a DB, then
connect that session to the new SSL session (also saved in a DB) -

And encrypt it all... the puurpose behind SSL is to be secure.

Phil

"Chung Leong" <ch***********@hotmail.com> wrote in message news:<E4********************@comcast.com>...
"Ken" <kk******@wi.rr.com> wrote in message
news:gr******************@twister.rdc-kc.rr.com...
This is very frustrating.

I am having problems understanding how to transfer session_id() between a
secure page to an unsecure page.
When I move from the secure page to the unsecure page the session_id
changes.


You do realize that by doing so you're defeating the whole purpose of using
SSL?

Jul 17 '05 #5

P: n/a
Ken
"Chung Leong" <ch***********@hotmail.com> wrote in message
news:E4********************@comcast.com...
"Ken" <kk******@wi.rr.com> wrote in message
news:gr******************@twister.rdc-kc.rr.com...
This is very frustrating.

I am having problems understanding how to transfer session_id() between a secure page to an unsecure page.
When I move from the secure page to the unsecure page the session_id
changes.
You do realize that by doing so you're defeating the whole purpose of

using SSL?

The reason I change to an unsecured environment is to select and upload 10
image files. The data from the secure pages are not called.

I find if I upload images in a secure environment, it takes a very long time
verses an unsecured environment.

I assume a secured image size is 128 x the unsecured image size. 1 mb
becomes 128 mb?? Does that sound right?

Ken

Jul 17 '05 #6

P: n/a
"Ken" <kk******@wi.rr.com> wrote in message
news:qE*******************@twister.rdc-kc.rr.com...

The reason I change to an unsecured environment is to select and upload 10
image files. The data from the secure pages are not called.
The security of a PHP session rests entirely in the secrecy of the session
ID. If it is sent in the plain at any point in time, the entire session is
compromised.
I find if I upload images in a secure environment, it takes a very long time verses an unsecured environment.

I assume a secured image size is 128 x the unsecured image size. 1 mb
becomes 128 mb?? Does that sound right?


Hmmm, don't think I've heard that before. All common symmetric ciphers used
in encrypting data are 1 to 1. There's some overhead, but not that much.
Jul 17 '05 #7

This discussion thread is closed

Replies have been disabled for this discussion.