The application I am currently working on is *not* allowed to be connected to over HTTP so the script has to redirect the user to use an HTTPS connection instead.
My problem is that the same session ID value is automatically being used for both connections - my understanding of the way PHP works is that if session.cookie_secure = 1 then it should not send cookies over insecure connections or reuse cookies when switching from HTTP to HTTPS; if I look at the cookie sent over HTTP in my browser it says "Send for: encrypted connections only" but sends it anyway.
I just wrote the following test script, with an explanation of its behavior included below:
<?php
// Start (or resume) the session; PHP reads the session cookie from the request
// and sets a new one if none was sent.
session_start();
// Print the current session ID so it can be compared between HTTP and HTTPS loads.
$sessionID = session_id();
echo $sessionID;

2. If I then call the HTTPS version the session ID *doesn't* change, and persists between page reloads.
3. If I switch back to the HTTP version again the session ID changes, and the behaviour is as for step #1.
I'm not sure if there's some kind of "gotcha" that I'm missing, but only the session ID persistence in HTTPS mode makes sense. Maybe I'm confusing the concept of *setting* a cookie and *sending* it, but if the server is sending the cookie in cleartext with HTTP and is then reusing that value for the HTTPS session, there would seemingly be a security issue there.
The value for session.cookie_secure is being set in the main php.ini file, but I've also tried using session_set_cookie_params() and the behaviour was the same, and the value is set according to the output from phpinfo().
Thanks in advance,
Mecha Godzilla
P.S. I just searched the forums and found that I asked this exact question about 3 years ago and used a workaround on that occasion, but a definitive answer would be nice this time.
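The pattern the post is after (force HTTPS, send the session cookie with the Secure flag, and never reuse an ID that a browser first obtained over plain HTTP), as an added example that is not the original poster's code. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(), and `$canonicalHost` is a placeholder for the site's real hostname.

```php
<?php
// Added example: redirect plain-HTTP requests before any session exists, then
// start the session over HTTPS with a Secure cookie and a freshly issued ID.

$canonicalHost = 'app.example.com'; // placeholder: set to the real hostname

$isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (int)($_SERVER['SERVER_PORT'] ?? 80) === 443;

if (!$isHttps) {
    // Do not call session_start() on the HTTP path: that would mint a session ID
    // in cleartext which the browser could later present over HTTPS.
    $target = 'https://' . $canonicalHost . ($_SERVER['REQUEST_URI'] ?? '/');
    header('Location: ' . $target, true, 301);
    exit;
}

// Cookie attributes must be set before session_start(); they apply to the
// Set-Cookie header PHP emits for the session cookie.
session_set_cookie_params([
    'secure'   => true,   // browser sends the cookie only over TLS
    'httponly' => true,   // not readable from page scripts
    'samesite' => 'Lax',
]);
session_start();

// On the first HTTPS request of this session, replace the ID and delete the
// old session file, so any ID observed over HTTP stops being valid.
if (empty($_SESSION['https_id_issued'])) {
    session_regenerate_id(true);
    $_SESSION['https_id_issued'] = true;
}

echo session_id();
```

With this in place the ID printed over HTTPS differs from whatever the browser held before the redirect, and the old ID no longer resolves to a session on the server.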