abigail Posted April 14, 2012

I'm developing my site with a shared-hosting SSL certificate. As Larry describes in the book, I'm trying to use the session ID from the HTTP pages after I get to the HTTPS pages, and to be able to go back and forth. From the home page I click login, I log in, and my code tries to redirect to the loggedin page. But between login and loggedin a new ID is generated. That is what I think is happening. So that causes my loggedin page to fail, because the test says the user is not logged in. This will also cause everything else to fail, but this is the first thing I'm testing.

Here is the code I am using at the start of each page (I pass $sid in the URL):

// Start output buffering:
ob_start();

// Start the session:
// If the session ID is available from the URL, use that; otherwise start a new session.
if ($_SERVER['REQUEST_METHOD'] == 'GET') {
    if (isset($_GET['sid'])) {
        $sid = $_GET['sid'];
        if ($sid > 0) { // I set it to zero when there is none
            echo "
Larry Posted April 16, 2012

Is there a question here?
abigail Posted April 16, 2012 (Author)

Well, it seems that I can't pass the session ID by GET, but I can pass it by POST. I thought I should be able to pass it by GET. But in researching this a little on the net, maybe GET is not a very secure way to do it. And I'm thinking of just making my entire site HTTPS for now. If there is high traffic later, it could be upgraded then.
Larry Posted April 16, 2012

You should be able to pass it by GET. While GET is more obvious than POST, it's arguably not significantly less secure (i.e., it's foolish to think that POST is more secure). And, of course, the session ID is getting passed back and forth in cookies, so there's that, too. In short, any HTTP transactions are theoretically viewable, whereas HTTPS ones are not.
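The hand-off this thread is about, as an added example that is not code from the thread or from the book: the server puts its own session ID into the one link that crosses from the http host to the https host (or back), the receiving page adopts that ID before session_start(), and the ID is then dropped from the URL. This is the shared-certificate case, where the https pages sit on a different hostname and so never see the http host's session cookie. The example also adds the two checks a practitioner would want around an ID taken from a query string: a format test (a PHP session ID is a string, typically hex or base-32 characters, so a numeric comparison such as $sid > 0 is not a reliable presence test) and a fixation guard (a session this code never initialised is discarded, and the ID is regenerated on login). Larry's point stands for all of it: the hop back to an http page carries the ID in the clear whether it travels by GET, POST or cookie, which is why moving the whole site to https is the only change that removes that exposure. SID_PATTERN, the function names and the hostname in the usage comment are this example's own assumptions.

```php
<?php
// Added example (not the poster's code and not from Larry's book). It shows
// the http <-> https session hand-off discussed in this thread for the
// shared-certificate case, where the https pages sit on a different
// hostname and so never see the http host's session cookie. Names such as
// SID_PATTERN, start_session_from_request() and the example hostname are
// this example's own choices.

// Every alphabet PHP has used for session IDs (hex, 0-9a-v, and the
// 0-9a-zA-Z,- set of PHP 7.1+) fits this pattern. A session ID is a
// string, so a numeric test like "$sid > 0" is not a reliable presence
// check; match the alphabet and length instead.
const SID_PATTERN = '/^[0-9a-zA-Z,-]{22,256}$/';

function is_wellformed_sid($sid)
{
    return is_string($sid) && preg_match(SID_PATTERN, $sid) === 1;
}

function is_https()
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Build the one kind of link that carries the ID: a link from an http page
// to the https host, or back. Every other link on the site stays cookie-based.
function cross_scheme_url($other_host_base, $path)
{
    return $other_host_base . $path . '?sid=' . urlencode(session_id());
}

// Call this at the top of every page instead of a bare session_start().
function start_session_from_request()
{
    $adopted = false;
    if (isset($_GET['sid']) && is_wellformed_sid($_GET['sid'])) {
        // The other host handed us its session: adopt that ID. It must be
        // set before session_start(); PHP will not read it from the URL by
        // itself while session.use_only_cookies is on (the default).
        session_id($_GET['sid']);
        $adopted = true;
    }

    // On https mark the cookie Secure so this host's copy of the ID never
    // travels over plain http; on http it has to stay non-Secure or the
    // http pages would not receive it at all. HttpOnly on both.
    session_set_cookie_params(0, '/', '', is_https(), true);
    session_start();

    // A session that was never initialised by this code is one this site
    // never issued (or one that has expired): an attacker could have put
    // the ID into a link (session fixation). Discard it and start clean.
    // PHP 5.5.2+ can enforce this natively with session.use_strict_mode=1.
    if (!isset($_SESSION['initialised'])) {
        $_SESSION = array();
        session_regenerate_id(true);
        $_SESSION['initialised'] = time();
    }

    if ($adopted) {
        // The cookie for this host is now set; reload the page without the
        // sid parameter so the ID does not linger in the address bar,
        // browser history or outgoing Referer headers.
        $clean = strtok($_SERVER['REQUEST_URI'], '?');
        $query = $_GET;
        unset($query['sid']);
        if ($query) {
            $clean .= '?' . http_build_query($query);
        }
        header('Location: ' . $clean, true, 303);
        exit;
    }
}

// Call right after the password check succeeds. Whatever ID the browser
// carried before login (possibly one planted by someone else) is replaced,
// so a fixed ID never becomes a logged-in one.
function on_successful_login($user_id)
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
}

// Typical use on an http page (the https hostname is a placeholder):
//   start_session_from_request();
//   $login = cross_scheme_url('https://secure.example-host.net/~site', '/login.php');
//   echo '<a href="' . htmlspecialchars($login) . '">Log in</a>';
```

Going back from the https host to an http page uses the same cross_scheme_url() call in the other direction, so the http host adopts whatever ID the https side is using at that moment, including the one regenerated at login. That return hop is the exposure Larry describes: the ID is in a URL requested over plain http, and then in that host's non-Secure cookie on every later http request, so the choice between GET and POST for the hand-off changes nothing about what an observer on the wire can see.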