
I am setting up a shopping cart website; however, I am having issues sharing PHP sessions between HTTPS and HTTP.

My secure address: https://secure.domain.com
My regular address: http://domain.com

I have read some pages here on Server Fault and put together a solution myself. I would like to know if my solution is secure and practical.

My solution:

  1. On a new session, save the PHP session ID, the user's IP, and an ID (a randomly generated 6-digit number, saved to the client's computer as a cookie) to the database.
  2. When the client goes to an HTTPS page, the page checks the database for a matching ID and IP address for the PHP session ID.

If you have a better solution, please share.

Thank you

cs378
    `If you have a better solution` - **Stop using an http only site.** Do everything in https, then you won't have to worry about any session sharing. – Zoredache Jan 29 '15 at 00:27
  • @Zoredache doesn't SSL on an entire site create a lot of overhead? Most sites only use SSL for login/checkout pages. This site doesn't even use SSL everywhere. – Nate Apr 01 '15 at 21:15
  • @Nate, by "most sites", you mean badly secured sites? Check out Google, Facebook, Amazon, and almost every major bank. You use https for everything. Stack Exchange is a poor example. It has basically no money transactions, no personal information, everything is public, and almost everything can easily be reverted. Anyway, this link showed up in my feed today; go read through it. Be sure to read the stuff after the "April Fools" reveal. - https://stormpath.com/blog/why-http-is-sometimes-better-than-https/ – Zoredache Apr 02 '15 at 00:03

1 Answer


The problem with this solution is that any authentication data, including the session ID and the random user ID, that you send over HTTP can be stolen off the wire. See Session hijacking.

There are two viable solutions:

  1. Make the entire site HTTPS-only.

  2. Allow HTTP, but redirect the user to HTTPS before you allow them to log in. Then make any session cookies HTTPS-only, so if the user does switch back to HTTP, their session data won't be sent in the clear.

Andrew Schulman
  • Thank you for your reply; it made me realize where my mistake was. How do big companies like Amazon do their session sharing? – cs378 Jan 30 '15 at 01:16
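One way to implement the second option from the answer above (plain HTTP allowed for browsing, a redirect to HTTPS before login, and a session cookie the browser will only send over HTTPS), as an added PHP example; it is not code from the question or the answer. It assumes PHP 7.3 or later (array form of session_set_cookie_params), that TLS terminates on the web server itself so $_SERVER['HTTPS'] can be trusted (behind a reverse proxy you would have to check the proxy's forwarded-protocol header instead), and it uses the hostnames from the question. SECURE_HOST, credentials_valid() and the user ID 42 are placeholders for illustration.

```php
<?php
// Added example, not code from the question or answer: one way to implement
// "redirect to HTTPS before login, then mark the session cookie Secure".
// Assumes PHP >= 7.3 (array form of session_set_cookie_params) and that TLS
// terminates on this host, so $_SERVER['HTTPS'] is trustworthy. Hostnames
// are taken from the question; SECURE_HOST and credentials_valid() are
// placeholders for illustration.

declare(strict_types=1);

const SECURE_HOST = 'secure.domain.com';

function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Send any plain-HTTP request to the HTTPS host before a session is started,
// so the session cookie is never issued or echoed over HTTP.
function require_https(): void
{
    if (is_https()) {
        // Ask browsers to use HTTPS for this host from now on. Only sensible on
        // a host that is served over HTTPS exclusively, which SECURE_HOST is.
        header('Strict-Transport-Security: max-age=31536000');
        return;
    }
    $uri = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: https://' . SECURE_HOST . $uri, true, 301);
    exit;
}

// Start the session with a cookie the browser will only send over HTTPS.
function start_secure_session(): void
{
    // Secure:   never sent over plain HTTP, even if the user later types http://
    // HttpOnly: not readable by page scripts, which limits theft via XSS
    // SameSite: not attached to cross-site POSTs, which blunts CSRF
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',      // host-only cookie: stays on secure.domain.com
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Accept session IDs only from the cookie, and only IDs PHP itself issued
    // (strict mode rejects an attacker-chosen ID, i.e. session fixation).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_start();
}

// Placeholder credential check, constructed for the example. A real one would
// look the stored hash up by username; the point here is password_verify().
function credentials_valid(array $post): bool
{
    $demoHash = password_hash('example-password', PASSWORD_DEFAULT); // constructed
    $user = $post['username'] ?? '';
    $pass = $post['password'] ?? '';
    return $user === 'demo' && password_verify($pass, $demoHash);
}

// After a successful login, replace the pre-login session ID so an ID that was
// observed or fixed before authentication cannot be reused afterwards.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

require_https();
start_secure_session();

if ($_SERVER['REQUEST_METHOD'] === 'POST' && credentials_valid($_POST)) {
    login_user(42); // 42 stands in for the user's database ID
}
```

With the cookie marked Secure and host-only, a visit to http://domain.com simply carries no session at all, which is the intended behaviour: there is nothing on the HTTP side to steal, and no database lookup keyed on the client's IP address is needed (IP pinning also breaks for users behind carrier NAT or on mobile networks). The first option in the answer, serving everything over HTTPS, reduces this to start_secure_session() plus a blanket redirect, and is the simpler choice if you can make it.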