basic ssl with php
okay
is sessions at
开发者_如何学运维http://example.com/login
is the same ashttps://example.com/login
?yesterday ive made a thread about php sessions empty using ssl? and it turns out that my ssl is working but we have to land first on an ssl page, like https://url.com/test then https://url.com/test2 intantly we cant do http://url.com/test then to http://url.com/test2 ( working ) then to https://url.com/test2 or backwards. we can do it but we have to remove the cookies first. how can we make it work on http and https without restarting the cookie ? if you guys know github how do they do that ? do they make the session save by root document rather then domain ( https to http ) ?
is there anything more do i need to know before implementing ssl or maybe some tips ? ] Thanks for looking in
Adam Ramadhan
They should be the same, but it may be that you have the 'secure' bit set on your PHP session cookies. That means that the session cookie will only be sent along if you're on a SSL connection. See session_set_cookie_params for more info.
Remember the whole Facebook/Firesheep issue? Long story short: your sessions may be vulnerable to session hijacking if you allow users to switch from HTTPS to HTTP while logged in. You probably don't actually want to make this work. So you'll want to set the 'secure' flag for your session cookie using session_set_cookie_params(). A work around for logged in users is to set a plain (with the secure flag set to false) cookie whenever your user is logged in just containing a "user_was_logged_in" flag. Then, add some code looking for that cookie and when it finds it, it just redirects the user back to the HTTPS version of the site.
Make sure your user can't accidentally drop back into HTTP when on HTTPS when doing sensitive stuff. If they do, they should be sent back to the HTTPS site before moving on or processing a request.
精彩评论