session variables from http to SSL

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Zoran_Dimov
Forum Newbie
Posts: 16
Joined: Wed Jun 21, 2006 6:10 pm
Location: Macedonia

session variables from http to SSL

Post by Zoran_Dimov »

I have a problem with passing session variables from http to https.
When they are passed to the secured layout they are destroyed.
Can anyone suggest me a solution... or should I buy an SSL certificate :(
Thanks in advance
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

You can save the data to the database, then pass a key along with the url, and use the key to pull the data back out of the database.
Zoran_Dimov
Forum Newbie
Posts: 16
Joined: Wed Jun 21, 2006 6:10 pm
Location: Macedonia

Yes but...

Post by Zoran_Dimov »

Nice solution.. Thanks
But I have a lot of variables of different types, so the database schema will be very complex, and I don't have that time :? . Can I just pass the session id in the URL? Is that safe? (The session is still living in the http space, isn't it?)
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I think if you're storing your sessions in the database you could pass the session id in the url, but if not you're probably out of luck in that regard.
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

The simplest way is to pass the session id in the URL like:

    https://sslsite.com/sslpage.php?PHPSESSID=1234567890
    http://mysite.com/mypage.php?PHPSESSID=1234567890
Zoran_Dimov
Forum Newbie
Posts: 16
Joined: Wed Jun 21, 2006 6:10 pm
Location: Macedonia

SAFE??..

Post by Zoran_Dimov »

PHPSESSID=1234567890

I think this is not safe. The user should not have control of the session ID.
If the session variable is storing some price, I can make two sessions, one with
a very low price, and then pass the session ID that stores the smaller price in the https URL with
the high price.

Or am I wrong??
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: SAFE??..

Post by Christopher »

Zoran_Dimov wrote:
> PHPSESSID=1234567890
>
> I think this is not safe. The user should not have control of the session ID.

Cookies can be spoofed by a knowledgeable user as easily as request parameters. You need to do additional checks to verify that the session is valid either way.

Zoran_Dimov wrote:
> If the session variable is storing some price, I can make two sessions, one with
> a very low price, and then pass the session ID that stores the smaller price in the https URL with
> the high price.
>
> Or am I wrong??

I would recommend against storing things like the price in the session. Store the SKU instead and always look up the price from the datasource.
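Christopher's two points (a session id is attacker-controllable whether it arrives in a cookie or in the URL, so the server must not trust what the session says about money, and the cart should hold SKUs rather than prices) as an added PHP example. This is not code from the thread or from any of the posters; the `products` table, its columns and the in-memory SQLite catalog are assumptions standing in for the real datasource, and the `ini_set` lines are the PHP session settings that make a client-supplied `?PHPSESSID=` ignored (`session.use_strict_mode` exists from PHP 5.5.2 on).

```php
<?php
// Added example, not from the forum thread: the HTTPS checkout page keeps only
// SKU => quantity in the session and prices every order from the catalog, so a
// session an attacker planted (for example by choosing the PHPSESSID value in a
// URL, as described in the thread) cannot carry a cheaper price with it.
// The products table and the SQLite catalog are assumptions for the demo.
declare(strict_types=1);

// These must run before session_start(). They make PHP ignore a session id
// supplied in the query string and refuse ids the server never issued, so the
// only way to get a session is to be handed one by this server.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // PHP 5.5.2+
ini_set('session.cookie_secure', '1');     // cookie is only sent over HTTPS
ini_set('session.cookie_httponly', '1');

// The pattern the thread warns against: the session holds the price, so
// whoever controls the session controls what gets charged.
function total_trusting_session(array $session): float
{
    return (float) $session['price'] * (int) $session['qty'];
}

// Hardened pattern: the session holds SKU => quantity only. The price is
// looked up at checkout time and unknown SKUs or absurd quantities are
// rejected instead of silently priced at zero.
function total_from_catalog(PDO $catalog, array $cart): float
{
    $stmt = $catalog->prepare('SELECT price_cents FROM products WHERE sku = ?');
    $totalCents = 0;
    foreach ($cart as $sku => $qty) {
        $qty = (int) $qty;
        if ($qty < 1 || $qty > 100) {
            throw new InvalidArgumentException("bad quantity for $sku");
        }
        $stmt->execute([(string) $sku]);
        $price = $stmt->fetchColumn();
        if ($price === false) {
            throw new InvalidArgumentException("unknown SKU $sku");
        }
        $totalCents += (int) $price * $qty;   // integer cents, no float drift
    }
    return $totalCents / 100;
}

// Constructed demo data: a two-row catalog and a session an attacker
// prepared over plain HTTP with a one-cent price in it.
$catalog = new PDO('sqlite::memory:');
$catalog->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$catalog->exec('CREATE TABLE products (sku TEXT PRIMARY KEY, price_cents INTEGER NOT NULL)');
$catalog->exec("INSERT INTO products VALUES ('SKU-1001', 4999), ('SKU-2002', 1250)");

$plantedSession = ['price' => 0.01, 'qty' => 1, 'cart' => ['SKU-1001' => 1]];

printf("trusting the session charges:   %.2f\n", total_trusting_session($plantedSession));
printf("pricing from the catalog charges: %.2f\n", total_from_catalog($catalog, $plantedSession['cart']));
```

With the session settings above in place, the `?PHPSESSID=1234567890` form of the URL simply starts a fresh session on the HTTPS host; the planted id never becomes the client's session, and even a session the attacker did manage to obtain carries nothing the checkout trusts for money.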
bike5
Forum Newbie
Posts: 6
Joined: Mon Jul 03, 2006 7:31 pm

Post by bike5 »

Back to storing info in the database you *might* be able to use serialize to wrap up all the variables and such to store in one table column

http://us3.php.net/serialize
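Benjamin's suggestion (save the data server-side and pass only a key in the URL) combined with bike5's serialize() idea, as an added PHP example that is not code from the thread or from any of the posters. It assumes both the HTTP and the HTTPS host can reach the same database, a `session_handoff` table with the columns shown, a 60-second lifetime, and a `handoff` query parameter; all of those names and values are choices made for the example. The key is random, used once, stored only as a hash, and expires quickly, so it can be exposed in a URL without handing the session itself to whoever sees that URL.

```php
<?php
// Added example, not from the forum thread: move a session across hosts with a
// one-time, short-lived handoff token kept in the database, instead of
// putting PHPSESSID in the URL. Table, column and parameter names are
// assumptions; an in-memory SQLite database stands in for the shared one.
declare(strict_types=1);

const HANDOFF_TTL = 60;   // seconds a token stays redeemable (assumed value)

function handoff_schema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS session_handoff (
        token_hash TEXT PRIMARY KEY,
        payload    TEXT NOT NULL,
        expires_at INTEGER NOT NULL
    )');
}

// HTTP side, just before redirecting to the HTTPS host. Returns the raw token
// for the URL; only its SHA-256 is stored, so a leaked table row cannot be
// redeemed by itself. The whole $_SESSION array is wrapped with serialize(),
// which is what keeps the schema to a single payload column.
function create_handoff(PDO $db, array $sessionData): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits, PHP 7+
    $stmt  = $db->prepare('INSERT INTO session_handoff (token_hash, payload, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), serialize($sessionData), time() + HANDOFF_TTL]);
    return $token;
}

// HTTPS side. The row is deleted in the same transaction that reads it, so a
// token can be used once only, even if two requests arrive at the same time.
function redeem_handoff(PDO $db, string $token): ?array
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;   // malformed, do not even hit the database
    }
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT payload, expires_at FROM session_handoff WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $db->prepare('DELETE FROM session_handoff WHERE token_hash = ?')->execute([$hash]);
    $db->commit();

    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;   // unknown, already used, or expired
    }
    // allowed_classes => false: the payload came from our own serialize(), but
    // refusing object instantiation costs nothing and removes a whole bug class.
    $data = unserialize($row['payload'], ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Stand-alone demonstration with constructed data; no web server needed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
handoff_schema($db);

$token  = create_handoff($db, ['cart' => ['SKU-1001' => 2], 'lang' => 'mk']);
$first  = redeem_handoff($db, $token);   // the cart comes back
$second = redeem_handoff($db, $token);   // null: token already consumed
var_dump($first['cart']['SKU-1001'] === 2, $second === null);
```

In the real pages, `http://mysite.com/mypage.php` would call `session_start()`, then `create_handoff($db, $_SESSION)` and redirect to `https://sslsite.com/sslpage.php?handoff=<token>`; `sslpage.php` would call `session_start()`, `redeem_handoff($db, $_GET['handoff'] ?? '')`, merge the returned array into `$_SESSION`, and then `session_regenerate_id(true)` so the HTTPS session id is freshly issued by that host rather than anything the client arrived with. The token still lands in server logs and Referer headers, which is why it is single-use and expires in seconds; that is the caveat the plain `PHPSESSID=` approach cannot satisfy.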