Larry Ullman's Book Forums

Session Ids And Secure Pages



I'm developing my site with shared hosting ssl certificate.

As Larry describes in the book, I'm trying to use the session id from the http pages after I get to the https pages, and be able to go back and forth.

From home page I click login, I log in and my code tries to redirect to loggedin page. But between login and loggedin there is a new id generated. That is what I think is happening. So that causes my loggedin page to fail because test says user is not logged in. And this will also cause everything else to fail but this is the first thing I'm testing.

Here is the code I am using, at the start of each page:

(I pass $sid in the url)

// Start output buffering:
ob_start();

// Start the session:
// if the session is available from the url use that otherwise start a new session
if ($_SERVER['REQUEST_METHOD']=='GET') {
    if (isset($_GET['sid'])) {
        $sid = $_GET['sid'];
        if ($sid > 0) { // I set it zero when there is none
            echo "


Well, it seems that I can't pass the session id by GET but I can pass it by POST.

I thought I should be able to pass it by GET.

But in researching this a little on the net, maybe GET is not a very secure way to do it.

And I'm thinking of just making my entire site https for now. If high traffic later, it could be upgraded then.


You should be able to pass it by GET. While GET is more obvious than POST, it's arguably not significantly less secure (i.e., it's foolish to think that POST is more secure). And, of course, the session ID is getting passed back and forth in cookies, so there's that, too. In short, any HTTP transactions are theoretically viewable, whereas HTTPS are not.

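The approach discussed in this thread, as an added example (not code from the thread or from the book): resume the session from a `sid` query parameter when a page is reached by following a link across the http/https boundary, with the validation the original snippet lacks. The helper `sid_from_request()` and the `secure.example.com` URL are assumptions for illustration.

```php
<?php
// Added example: accept a session ID from ?sid= and resume that session,
// rejecting anything that does not look like an ID PHP itself issued.

ob_start();

/**
 * Return the sid from the query string only if it has the shape of a PHP
 * session ID; otherwise return null so a fresh session is started instead.
 */
function sid_from_request(array $get): ?string
{
    if (!isset($get['sid']) || !is_string($get['sid'])) {
        return null;
    }
    $sid = $get['sid'];
    // PHP session IDs consist of [a-zA-Z0-9,-] (session.sid_bits_per_character);
    // 22..256 chars covers every default ID length PHP has used.
    // Note: a test such as `$sid > 0` is false in PHP 5/7 for any ID that does
    // not start with a digit, because the string is cast to 0 for the comparison.
    return preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $sid) ? $sid : null;
}

// Strict mode makes PHP refuse to adopt an ID it did not issue itself, so a
// client cannot plant its own ID through the sid parameter (session fixation).
ini_set('session.use_strict_mode', '1');
// Keep the default use_only_cookies=1: PHP will not pull IDs from the URL on
// its own, but an explicit session_id() call still works.
ini_set('session.use_trans_sid', '0'); // do not let PHP append ?sid= to every link

$sid = sid_from_request($_GET);
if ($sid !== null) {
    session_id($sid); // must be called before session_start()
}
session_start();

// Only add ?sid= to the links that cross the http/https boundary, e.g.
// (assumed host name, not from the thread):
// $login_url = 'https://secure.example.com/login.php?sid=' . urlencode(session_id());
```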
