发表新帖
发表新帖

PHP session HTTP to HTTPS problem

后端 未结
关注
2 604
我寻月下人不归
我寻月下人不归 2020-12-16 17:23

I have a (HTTPS) login.php page which remains HTTPS (ie once user logged in goes to account dashboard). Now the problem is say the user whilst logged on to the secure dashbo

相关标签:
2条回答
  • 夕颜
    2020-12-16 17:40

    Answered to help people who might stumble across this

    As the the answer at Session lost when switching from HTTP to HTTPS in PHP has concluded, since you are using session.cookie_secure = 1 the cookie that contains the session ID is not transferred when the connection switches from HTTPS to HTTP. At HTTP connection, when you session_start(), PHP creates a new session id, which replaces the previous session id.

    The answer also suggests a solution, pass the session id using query string, which is then picked up by the page. This smells of bad of security flaw. Don't forget the reason why we used HTTPS in the first place!

    So the solution I suggest to you is that you redirect all http request to https counterparts. Use HTTPS for everything in your site, from css, images, to mundane static html pages. This is actually something that every application that is serious about security does. For example, visiting github page using HTTP will return:

    HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.67
Date: Sun, 08 May 2011 15:43:01 GMT
Content-Type: text/html
Content-Length: 185
Connection: close
Location: https://github.com/

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/0.7.67</center>
</body>
</html>

    Remember why you used HTTPS in the first place, if you want to be totally secure, use HTTPS for everything.

    Detect if the request is HTTPS or not (See this question) at bootstrap.

    If the request is HTTP, either redirect all requests to HTTPS home page, or you can try parsing $_SERVER['REQUEST_URI'] and redirecting HTTP request to their HTTPS counterpart using parse_url and http_build_url.

    Second Alternative Solution

    If you really really don't want to use HTTPS for everything, then don't session_start() on pages that are accessed with HTTP. Secure cookies will be retained when you do this.

    Third Alternative Solution

    The other solution is to try and detect the user by IP addresses and user agent. This is not guaranteed to be accurate, so what I suggest is just use HTTPS for everything. Paypal, for example, always use HTTPS even for mundane static pages.

    0 讨论(0)
  • 青春惊慌失措
    2020-12-16 17:56

    The description by @rickchristie is good, but I think there's a better solution that he doesn't suggest. If you don't always want to use HTTPS (which does make sense sometimes; the about_us page doesn't need to be secure), you can follow the advice on the session_start page and use named sessions to continue a previous session. This is simple to use; just include the session_start calls with

    session_name("MySession"); // replace with whatever makes sense
session_start();

    on all secure pages.

    0 讨论(0)
 看不清?
提交回复
热议问题