envexlabs Posted July 7, 2008

Hey,

I'm creating a secure cart which relies on session_id to grab the cart contents. Is there a way to carry over the session id when the user switches over to https from http?

Thanks,

envex

lemmin Posted July 7, 2008

I would guess that if you have the same session_save_path() set for the https and the http site that you could post the session_id to the http one and manually set session_id to that value and the session would stay the same. I could be wrong, but that is what I would try.

envexlabs Posted July 7, 2008

I'm not exactly sure where to start with that?!

lemmin Posted July 7, 2008

Are your https and http servers on different computers?

PFMaBiSmAd Posted July 7, 2008

The purpose of paying for an SSL certificate and using https is so that your visitor's connection to your site is secure, so that someone cannot steal information about the visitor, such as a session_id, and impersonate him to allow them to either see or change information the real visitor has access to.

By passing a session_id that was created under https over a http connection, you are defeating the purpose of getting an SSL certificate and using https. If you have any information that is important enough to use https for, then you should only use https for the duration of that visit to your site.

This is why browsers keep separate cookies for https and http connections and won't pass them when changing back and forth between protocols.

lemmin Posted July 7, 2008

There are a lot of websites that go through https only for the login. For example, while logging into Facebook.com, watch the status bar and you will see the ssl symbol appear for a second while it reroutes.

discomatt Posted July 7, 2008

> There are a lot of websites that go through https only for the login. For example, while logging into Facebook.com, watch the status bar and you will see the ssl symbol appear for a second while it reroutes.

So the actual user/pass submission is not done via HTTPS? Kinda defeats the purpose IMO

PFMaBiSmAd Posted July 7, 2008

> I'm creating a secure cart

This is not a facebook type of application. Being able to impersonate a member on facebook does not have the financial liability involved with being able to impersonate a person in a shopping cart.

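One way to follow the advice in this thread and keep the whole cart visit on https, so the session ID never travels over plain http (an added example, not code from any poster). The host name `shop.example` and the helper function names are assumptions, and the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Assumption: canonical host of the shop, taken from config, not from the Host header.
const CANONICAL_HOST = 'shop.example';

// True when the current request arrived over TLS.
function is_https(array $server): bool
{
    $flag = strtolower((string)($server['HTTPS'] ?? ''));
    return ($flag !== '' && $flag !== 'off')
        || (int)($server['SERVER_PORT'] ?? 0) === 443;
}

// Same path and query string, but on https and on the configured host.
function https_url(array $server): string
{
    return 'https://' . CANONICAL_HOST . ($server['REQUEST_URI'] ?? '/');
}

// Start a session whose ID is only ever sent over https.
function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept an ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // browser will not send the cookie over http
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

if (PHP_SAPI !== 'cli') {
    if (!is_https($_SERVER)) {
        // Redirect before any session exists, so no ID is issued on http.
        header('Location: ' . https_url($_SERVER), true, 302);
        exit;
    }
    start_secure_session();
    $_SESSION['cart'] ??= [];      // cart lives in the https-only session
    if (isset($_POST['login'])) {  // constructed trigger: a privilege change
        session_regenerate_id(true); // new ID, old session file deleted
    }
}
```

Because the browser never sends the `secure` cookie over http, the cart is found again on every https page without passing the ID by hand between protocols.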
Archived
This topic is now archived and is closed to further replies.