[FX.php List] PHP Session ID isn't restricted to HTTPS connections

Gareth Evans gareth.evans at schawk.com
Wed Sep 15 10:50:08 MDT 2010


I'd hazard a guess that he means if you drop the S from the HTTPS the
session is retained, i.e. user enters the form via https, php session is
initialized, user can drop the S and still fill out the form "unsecured".

If the form is supposed to be only used over https you should add a check
for that at the top of the page if you haven't already. Something like the
following should do the trick.

if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
    // Redirect to the same URL over https
    header("Location: https://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
    exit; // stop here so the form is never rendered over plain http
}
-- 
GARETH EVANS


> From: Jonathan Schwartz <jschwartz at exit445.com>
> Reply-To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
> Date: Wed, 15 Sep 2010 09:18:05 -0700
> To: <fx.php_list at mail.iviking.org>
> Subject: [FX.php List] PHP Session ID isn't restricted to HTTPS connections
> 
> Hi Folks,
> 
> Putting our security hat on now....
> 
> "PHP Session ID isn't restricted to HTTPS connections"
> 
> I received this feedback from an individual regarding a secure web
> form.  I'm not really sure what it is referring to.
> 
> Any help?
> 
> Jonathan
> -- 
> Jonathan Schwartz
> Exit 445 Group
> jonathan at exit445.com
> http://www.exit445.com
> 415-370-5011
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
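The check above stops the page from rendering over plain HTTP, but the session cookie itself still gets sent over http:// unless it is flagged Secure, which is what the "session ID isn't restricted to HTTPS" finding is about. Below is an added example (not code from either post, and not part of FX.php) showing both pieces together: refusing non-HTTPS requests and issuing the session cookie with the Secure and HttpOnly flags. It assumes a standard PHP SAPI where $_SERVER['HTTPS'] is set when TLS is in use; the function names and the 'secure_session' marker are my own.

```php
<?php
// Added example, not from the original post or from FX.php:
// start a PHP session that is only ever usable over HTTPS.

function request_is_https(): bool
{
    // Most SAPIs set $_SERVER['HTTPS'] to 'on' (or '1') under TLS and leave it
    // unset or 'off' on plain HTTP.  (Assumption: no TLS-terminating proxy in
    // front of PHP; behind one you would check the proxy's header instead.)
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function require_https(): void
{
    if (!request_is_https()) {
        $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header('Location: ' . $target, true, 302);
        exit; // never render the form over plain HTTP
    }
}

function start_secure_session(): void
{
    require_https();

    // These are standard PHP session ini settings and must be applied before
    // session_start():
    //   cookie_secure    - browsers only send the cookie over https://
    //   cookie_httponly  - page scripts cannot read the session id
    //   use_only_cookies - ignore session ids passed in the URL
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_only_cookies', '1');

    session_start();

    // A session id that was issued before these settings were in place may
    // already have travelled over plain HTTP, so replace it once with a fresh
    // id and remember (under a marker name of my own choosing) that we did so.
    if (empty($_SESSION['secure_session'])) {
        session_regenerate_id(true);
        $_SESSION['secure_session'] = true;
    }
}

// Call this at the very top of the secure form page, before any output.
start_secure_session();
```

Because the cookie now carries the Secure flag, dropping the S from the URL no longer carries the session along: the browser simply does not send the cookie over http://, and the redirect sends the user back to https:// where a proper session is available again.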
