[FX.php List] PHP Session ID isn't restricted to HTTPS connections

Dale Bengston dbengston at tds.net
Wed Sep 15 11:19:50 MDT 2010


This is how I do it. If a site's to be HTTPS, I make that happen on the server side.

Dale

On Sep 15, 2010, at 11:54 AM, Leo R. Lundgren wrote:

> You could also set up the host in the web server configuration so that it forces HTTPS. That way it's centrally maintained (instead of in a bunch of PHP files) and there's not much risk that you forget about it in a specific page.
> 
> 
> 15 sep 2010 kl. 18.50 skrev Gareth Evans:
> 
>> I'd hazard a guess that he means if you drop the S from the HTTPS the session is retained, i.e. user enters the form via https, PHP session is initialized, user can drop the S and still fill out the form "unsecured".
>> 
>> If the form is supposed to be only used over https you should add a check for that at the top of the page if you haven't already. Something like the following should do the trick.
>> 
>> if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
>>    header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
>>    exit; // stop here, otherwise the rest of the page is still served over plain HTTP
>> }
>> -- 
>> GARETH EVANS
>> 
>> 
>> > From: Jonathan Schwartz <jschwartz at exit445.com>
>> > Reply-To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
>> > Date: Wed, 15 Sep 2010 09:18:05 -0700
>> > To: <fx.php_list at mail.iviking.org>
>> > Subject: [FX.php List] PHP Session ID isn't restricted to HTTPS connections
>> > 
>> > Hi Folks,
>> > 
>> > Putting our security hat on now....
>> > 
>> > "PHP Session ID isn't restricted to HTTPS connections"
>> > 
>> > I received this feedback from an individual regarding a secure web 
>> > form.  I'm not really sure what it is referring to.
>> > 
>> > Any help?
>> > 
>> > Jonathan
>> > -- 
>> > Jonathan Schwartz
>> > Exit 445 Group
>> > jonathan at exit445.com
>> > http://www.exit445.com
>> > 415-370-5011
>> > _______________________________________________
>> > FX.php_List mailing list
>> > FX.php_List at mail.iviking.org
>> > http://www.iviking.org/mailman/listinfo/fx.php_list
> 
> 
> 
> -|
> 
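The two suggestions in the thread (redirect to HTTPS in PHP, and keep the session ID off plain HTTP) combined into one page prologue. This is an added example, not code from the list or from FX.php; it assumes the web server populates $_SERVER['HTTPS'] and $_SERVER['REQUEST_URI'], and SITE_HOST is a placeholder for your own host name.

```php
<?php
// Added example: force HTTPS for this page and mark the PHP session cookie
// Secure, so the browser never sends the session ID over plain HTTP.

const SITE_HOST = 'www.example.com'; // placeholder: use your real host, not $_SERVER['HTTP_HOST']

function request_is_https(): bool
{
    // Apache sets $_SERVER['HTTPS'] to 'on' (or '1'); IIS sets it to 'off'.
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function require_https(): void
{
    if (request_is_https()) {
        return;
    }
    // Redirect to the same path over HTTPS and stop. Without exit the rest of
    // the page would still be generated and sent over the plain connection.
    $target = 'https://' . SITE_HOST . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 301);
    exit;
}

function start_secure_session(): void
{
    // Secure: cookie only sent over TLS. HttpOnly: not readable from JS.
    // use_only_cookies: never accept a session ID passed in the URL.
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();

    // A session that was first created over plain HTTP may already have been
    // observed on the wire; issue a fresh ID the first time it is seen on HTTPS.
    if (empty($_SESSION['https_bound'])) {
        session_regenerate_id(true);
        $_SESSION['https_bound'] = true;
    }
}

require_https();
start_secure_session();
// ... the form handling follows here
```

If the whole host is forced to HTTPS in the web server configuration, as Leo and Dale suggest, require_https() becomes a no-op and only the cookie settings still matter.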
