PHP SESSION variables between https and http

I have a website that has a secure area (https) and the rest of the site, which is http. Everything works wonderfully using session variables to log in on the https side of things, and the secured area is functioning wonderfully.

My issue: I have a "login/register" button at the top of every http page on the site. I would like this to reflect login status and change to "logout" and also have some other logged-in buttons that simply redirect to the https pages. I am not trying to manipulate any data or other secured info on the http pages in any way.

In IE8 the https-created session variable for login is detected in http (on the home page) and it correctly displays the alternative "log out" link. However, in all other browsers the session variable is not there in http. What is the easiest way to fix this without creating a huge security flaw? Oh, and the URLs are the same except for http and https.


One simple way to do it that many sites use is to have the button actually be loaded client-side via a script that makes a request to an HTTPS url to determine whether or not the user is logged in, as opposed to having the HTML for it be part of the HTTP-served page.


If you want to secure the session cookie, you want to make sure the browser only sends out the cookie over HTTPS. Therefore, any way to figure out login status from HTTP communication is insecure.

I +1 the solution Amber posted.
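
A sketch of the client-side approach from the first answer, added here as an example and not code from either poster. The endpoint URL, the `auth-links` element id and the `{"loggedIn": true|false}` response shape are assumptions, as is an HTTPS endpoint that allows credentialed CORS from the HTTP origin and a session cookie whose SameSite setting permits this cross-scheme request.

```javascript
// Added example: names and URLs below are constructed, not from the original post.
const STATUS_URL = "https://www.example.com/session-status.php"; // hypothetical endpoint
const SECURE_BASE = "https://www.example.com";                   // hypothetical site

// Reduce whatever the endpoint returns to a strict boolean. Anything
// unexpected (error page, altered body, missing field) means "logged out".
function parseStatus(body) {
  return body !== null && typeof body === "object" && body.loggedIn === true;
}

// Decide which header links to show. Every target is an HTTPS page, so the
// HTTP page only changes labels and never handles session data itself.
function authLinks(loggedIn) {
  return loggedIn
    ? [{ label: "My account", href: SECURE_BASE + "/account" },
       { label: "Log out", href: SECURE_BASE + "/logout" }]
    : [{ label: "Login / Register", href: SECURE_BASE + "/login" }];
}

// Ask the HTTPS endpoint. The browser attaches the Secure session cookie
// to this request only because the URL is https.
async function fetchLoginStatus(fetchImpl = fetch) {
  try {
    const res = await fetchImpl(STATUS_URL, { credentials: "include", cache: "no-store" });
    if (!res.ok) return false;
    return parseStatus(await res.json());
  } catch (_) {
    return false; // network or CORS failure: fall back to the logged-out UI
  }
}

// Browser wiring: fill a placeholder element in the HTTP-served page.
async function updateHeader(doc, container) {
  const links = authLinks(await fetchLoginStatus());
  container.replaceChildren(...links.map(({ label, href }) => {
    const a = doc.createElement("a");
    a.textContent = label;
    a.href = href;
    return a;
  }));
}

if (typeof document !== "undefined") {
  const el = document.getElementById("auth-links"); // hypothetical placeholder id
  if (el) updateHeader(document, el);
}
```

The endpoint should return only the boolean, and the HTTPS pages must still check the session themselves, because anything rendered on the HTTP page can be altered in transit.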
