PHP Developers Network


All times are UTC - 5 hours




 Post subject: SSL sessions to Non-SSL
PostPosted: Wed Jul 13, 2011 6:45 pm 
Forum Newbie

Joined: Wed Jul 13, 2011 2:39 pm
Posts: 13
Is it possible to carry over an SSL session to a non-SSL page?

For example, my SSL host is https://secure.mydomain.com

and after the person logs in, I want them to get back to http://www.domain.com and display their name and/or username. They can also go back to the https:// site to update their contact info, submit payment, etc. How can I call the same session and session variables from a different subdomain and also being non-SSL?

What security issues does this impose, if any? The password would be stored as sha512.


 
PostPosted: Mon Aug 08, 2011 5:05 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


 
PostPosted: Mon Aug 08, 2011 10:36 am 
Forum Regular

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR


 
PostPosted: Mon Aug 08, 2011 2:44 pm 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
I missed the different domains first time round :|

 
PostPosted: Tue Aug 09, 2011 3:12 am 
Forum Regular

Joined: Wed Apr 30, 2008 2:34 am
Posts: 794
Why not just use https://www.domain.com all the time?


 
PostPosted: Tue Aug 09, 2011 10:31 am 
Forum Regular

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR


 
PostPosted: Wed Aug 10, 2011 11:00 pm 
DevNet Master

Joined: Thu Mar 15, 2007 6:28 pm
Posts: 2765
Location: Redding, California
I guess the amount of trouble worth it depends on how much of your site requires security. For example, if you browse around on a Google Code project, you're just on HTTP. But if you go from there to your Google Code Profile, it sends you to HTTPS. In that situation it's clear that you wouldn't want it to always be on HTTPS. You could have one session with a cookie for HTTP, and one with a cookie for HTTPS. The one on HTTP never contains personal data, that way it can't be accidentally leaked through sloppy code. Is that a valid option?


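The two-cookie arrangement suggested in the post above, as an added PHP sketch that is not part of the thread or any poster's code. It assumes both hosts sit under one parent domain (written here as `example.com`, since a cookie cannot be shared between unrelated registrable domains) and PHP 7.3 or later; the cookie and function names are hypothetical.

```php
<?php
// Added example; cookie names, function names and example.com are assumptions.
const SECURE_COOKIE = 'SECSESSID'; // sent over HTTPS only, host-only
const PUBLIC_COOKIE = 'PUBSESSID'; // sent over HTTP too, shared across subdomains

function cookie_params(bool $secure, string $domain): array {
    return ['lifetime' => 0, 'path' => '/', 'domain' => $domain,
            'secure' => $secure, 'httponly' => true, 'samesite' => 'Lax'];
}

// Call on https://secure.example.com after the password has been verified.
function login(int $userId, string $displayName): void {
    // Session 1: personal data, cookie flagged Secure so it never travels over HTTP.
    session_name(SECURE_COOKIE);
    session_set_cookie_params(cookie_params(true, ''));
    session_start();
    session_regenerate_id(true);          // drop any pre-login session ID
    $_SESSION['user_id'] = $userId;
    session_write_close();

    // Session 2: display data only, with its own unrelated session ID.
    session_name(PUBLIC_COOKIE);
    session_set_cookie_params(cookie_params(false, '.example.com'));
    session_id(session_create_id());      // never reuse the secure session's ID
    session_start();
    $_SESSION = ['display_name' => $displayName];
    session_write_close();
}

// Call on http://www.example.com: may greet the user, must not authorise anything.
function public_display_name(): ?string {
    session_name(PUBLIC_COOKIE);
    session_set_cookie_params(cookie_params(false, '.example.com'));
    session_start();
    $name = $_SESSION['display_name'] ?? null;
    session_write_close();
    return $name;
}

// Call on HTTPS pages (contact info, payment): only the Secure session counts.
function require_secure_user(): int {
    session_name(SECURE_COOKIE);
    session_set_cookie_params(cookie_params(true, ''));
    session_start();
    if (!isset($_SESSION['user_id'])) {
        http_response_code(401);
        exit('Login required');
    }
    return $_SESSION['user_id'];
}
```

Anyone who can observe the HTTP traffic can copy the public cookie, so the worst outcome has to be limited to seeing the display name; every privileged page goes through `require_secure_user()` and ignores the public session entirely.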
 
PostPosted: Thu Aug 11, 2011 12:14 am 
Forum Regular

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR


 
PostPosted: Thu Aug 11, 2011 2:46 am 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za

 
PostPosted: Thu Aug 11, 2011 9:45 am 
Forum Regular

Joined: Wed Mar 05, 2008 11:23 pm
Posts: 732
Location: Sunriver, OR


 
PostPosted: Thu Aug 11, 2011 10:27 am 
DevNet Master

Joined: Thu Mar 15, 2007 6:28 pm
Posts: 2765
Location: Redding, California


 
PostPosted: Thu Aug 11, 2011 3:20 pm 
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
:) Thanks for the explanation
