[FX.php List] PHP Session ID isn't restricted to HTTPS connections

Leo R. Lundgren leo at finalresort.org
Wed Sep 15 10:54:07 MDT 2010


You could also set up the host in the web server configuration so that it forces HTTPS. That way it's centrally maintained (instead of in a bunch of PHP files) and there's not much risk that you forget about it in a specific page.


15 sep 2010 kl. 18.50 skrev Gareth Evans:

> I'd hazard a guess that he means if you drop the S from the HTTPS the session is retained, i.e. user enters the form via https, PHP session is initialized, user can drop the S and still fill out the form "unsecured".
> 
> If the form is supposed to be only used over https you should add a check for that at the top of the page if you haven't already. Something like the following should do the trick.
> 
> if (!isset($_SERVER['HTTPS']) || $_SERVER['HTTPS'] != 'on') {
>     header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
>     exit; // stop here: header() alone does not halt the rest of the page
> }
> -- 
> GARETH EVANS
> 
> 
> > From: Jonathan Schwartz <jschwartz at exit445.com>
> > Reply-To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
> > Date: Wed, 15 Sep 2010 09:18:05 -0700
> > To: <fx.php_list at mail.iviking.org>
> > Subject: [FX.php List] PHP Session ID isn't restricted to HTTPS connections
> > 
> > Hi Folks,
> > 
> > Putting our security hat on now....
> > 
> > "PHP Session ID isn't restricted to HTTPS connections"
> > 
> > I received this feedback from an individual regarding a secure web 
> > form.  I'm not really sure what it is referring to.
> > 
> > Any help?
> > 
> > Jonathan
> > -- 
> > Jonathan Schwartz
> > Exit 445 Group
> > jonathan at exit445.com
> > http://www.exit445.com
> > 415-370-5011
> > _______________________________________________
> > FX.php_List mailing list
> > FX.php_List at mail.iviking.org
> > http://www.iviking.org/mailman/listinfo/fx.php_list



-|
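The redirect check Gareth posts above only keeps the page itself off plain HTTP; the finding in the subject line ("session ID isn't restricted to HTTPS") is about the session cookie, which the browser will still send over http:// unless it carries the Secure flag. The following is an added example, not code from the thread or from FX.php, that combines both: it pins the redirect to a configured host name (the $canonicalHost value is a placeholder assumption) and marks the PHP session cookie Secure and HttpOnly before the session starts.

```php
<?php
// Added example (not from the list thread): force HTTPS for the page and
// make the PHP session cookie itself HTTPS-only, so dropping the "s" from
// the URL cannot carry PHPSESSID over a plain-text connection.

// Assumed configuration value: pin the host rather than echoing the
// request's Host header back into the redirect.
$canonicalHost = 'www.example.com'; // placeholder, not from the page

// Returns true when the current request arrived over TLS.
// Some servers set HTTPS to "off" rather than leaving it unset, so both
// the unset/empty case and the literal "off" are treated as insecure.
function requestIsHttps(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// 1. Refuse to serve the page over plain HTTP: redirect and stop.
//    exit is essential; header() alone does not halt the script.
if (!requestIsHttps($_SERVER)) {
    $target = 'https://' . $canonicalHost . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 301);
    exit;
}

// 2. Restrict the session cookie to HTTPS (and keep it away from script)
//    before session_start(), so the flags apply to the cookie being set.
//    Equivalent php.ini settings:
//      session.cookie_secure   = 1
//      session.cookie_httponly = 1
//      session.use_only_cookies = 1
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1');
session_start();

// 3. If this session was first created over HTTP (before the flags were
//    enforced), issue a fresh ID so the old, possibly exposed, one is dropped.
if (empty($_SESSION['secure_session'])) {
    session_regenerate_id(true);
    $_SESSION['secure_session'] = true;
}
```

Whether the cookie actually arrives with the Secure flag is easy to confirm from the response headers: the Set-Cookie line for PHPSESSID should carry "secure" and "HttpOnly" once this runs, and a request to the http:// URL should get a 301 to the https:// URL with no cookie sent along. Setting the same options in php.ini, like the web-server-level redirect Leo suggests, keeps the policy in one place instead of in every form page.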
