johnsmith153 Posted September 17, 2008 Share Posted September 17, 2008 Very simple: Obviously if you are posting sensitive data to a server, you should really use https. What about just when the user is only viewing their sensitive data? Does this need https? I.e the user is selecting to view their email / home address etc. Does this need https? (dbase returns info then passes to the browser) Obviously, when they then enter and submit changed details, this obviously should then have https. Quote Link to comment Share on other sites More sharing options...
CroNiX Posted September 17, 2008 Share Posted September 17, 2008 Viewing sensitive data and posting it are the same thing as far as needed encryption. Anytime sensitive data is going either to or from the server it should be encrypted as the packet can be sniffed either way. Quote Link to comment Share on other sites More sharing options...
johnsmith153 Posted September 17, 2008 Author Share Posted September 17, 2008 So if I store sensitive data in a $_SESSION, then this is fine to move around the site using http (viewing basic news articles etc.), but the minute I "echo the $_SESSION", that page needs to be with https also? Is this right also? Quote Link to comment Share on other sites More sharing options...
ratcateme Posted September 17, 2008 Share Posted September 17, 2008 yea pretty much Scott. Quote Link to comment Share on other sites More sharing options...
discomatt Posted September 17, 2008 Share Posted September 17, 2008 Any data you transfer between the client and the server is sent in plain text... unless you're using SSL. This includes session cookie data. Possible session hijack with an idle user. If it's important, its worth 100 bucks a year for SSL Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.