johnsmith153 Posted September 17, 2008
Very simple: Obviously if you are posting sensitive data to a server, you should really use https. What about just when the user is only viewing their sensitive data? Does this need https? I.e. the user is selecting to view their email / home address etc. Does this need https? (dbase returns info then passes to the browser) Obviously, when they then enter and submit changed details, this obviously should then have https.

CroNiX Posted September 17, 2008
Viewing sensitive data and posting it are the same thing as far as needed encryption. Anytime sensitive data is going either to or from the server it should be encrypted as the packet can be sniffed either way.

johnsmith153 (Author) Posted September 17, 2008
So if I store sensitive data in a $_SESSION, then this is fine to move around the site using http (viewing basic news articles etc.), but the minute I "echo the $_SESSION", that page needs to be with https also? Is this right also?

ratcateme Posted September 17, 2008
Yeah, pretty much.
Scott.

discomatt Posted September 17, 2008
Any data you transfer between the client and the server is sent in plain text... unless you're using SSL. This includes session cookie data. Possible session hijack with an idle user. If it's important, it's worth 100 bucks a year for SSL.
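
The replies above note that the session cookie itself crosses the wire in plain text on http pages. As an added example (not code posted by anyone in this thread), here is a page prelude that keeps the cookie on https only and expires idle sessions. It assumes PHP 7.3+ and TLS terminated by the web server itself; the host name, the 15-minute limit and the `email` and `last_seen` session keys are placeholders.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.3+ (array form of
// session_set_cookie_params) and that $_SERVER['HTTPS'] is set on TLS requests.

const CANONICAL_HOST = 'www.example.com'; // placeholder: your configured host name
const IDLE_LIMIT     = 900;               // assumed idle timeout, in seconds

function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// 1. Never serve this page, or accept the session cookie, over plain http.
//    Build the target from a fixed host, not the client-supplied Host header.
if (!request_is_https($_SERVER)) {
    header('Location: https://' . CANONICAL_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
    exit;
}

// 2. Mark the session cookie Secure so the browser will not attach it to the
//    http pages (news articles etc.), where it could be sniffed and replayed.
session_set_cookie_params([
    'lifetime' => 0,      // cookie ends with the browser session
    'path'     => '/',
    'secure'   => true,   // sent over https only
    'httponly' => true,   // not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();

// 3. Shorten the window for hijacking an idle user's session: after the idle
//    limit, drop the data and issue a fresh session id.
$now = time();
if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
    $_SESSION = [];
    session_regenerate_id(true); // true: delete the old session on the server
}
$_SESSION['last_seen'] = $now;

// 4. Ask the browser to use https for this host on later visits.
header('Strict-Transport-Security: max-age=31536000');

// The sensitive value is only ever echoed on a page that has passed step 1.
echo htmlspecialchars($_SESSION['email'] ?? '', ENT_QUOTES, 'UTF-8');
```

With the Secure flag set, the http parts of the site no longer see the session at all, so any page that needs `$_SESSION` has to be served over https.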