Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I have a problem with passing session variables from http to https.
When they are passed to the Secured Layout they are destroyed.
Can anyone suggest me a solution... or should I buy an SSL certificate?
Thanks in advance
Nice solution.. Thanks
But I have a lot of variables of different types, so the database schema will be very complex, and I don't have that time. Can I just pass the session ID in the URL? Is that safe? (The session is still living in the http space, isn't it?)
I think this is not safe. The user should not have control of the SessionID.
If the session variable is storing some price, I can make two sessions, one with
very low price, and then pass the session ID that stores the smaller price, in the https url with
high price.
I think this is not safe. The user should not have control of the SessionID.
Cookies can be spoofed by a knowledgeable user as easily as request parameters. You need to do additional checks to verify that the session is valid either way.
Zoran_Dimov wrote: If the session variable is storing some price, I can make two sessions, one with
very low price, and then pass the session ID that stores the smaller price, in the https url with
high price.
Or am I wrong??
I would recommend against storing like the price in the session. Store the SKU instead and always look up the price from the datasource.
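The advice in the last reply (keep only the SKU in the session and look the price up server-side at checkout), as an added example that is not part of the original thread. The catalogue array, SKUs, prices and function names are constructed for illustration, and `$session` stands in for `$_SESSION` so the script runs from the CLI.

```php
<?php
declare(strict_types=1);

// Constructed sample catalogue standing in for the real datasource (prices in cents).
const CATALOGUE = [
    'SKU-1001' => 1999,
    'SKU-2002' => 4500,
];

/** Add an item to the cart; only the SKU and quantity are stored, never a price. */
function addToCart(array $session, string $sku, int $qty): array
{
    if (!array_key_exists($sku, CATALOGUE)) {
        throw new InvalidArgumentException("Unknown SKU: $sku");
    }
    if ($qty < 1 || $qty > 100) {
        throw new InvalidArgumentException('Quantity out of range');
    }
    $session['cart'][$sku] = ($session['cart'][$sku] ?? 0) + $qty;
    return $session;
}

/** Compute the total at checkout from the datasource, not from session or request data. */
function cartTotal(array $session): int
{
    $total = 0;
    foreach ($session['cart'] ?? [] as $sku => $qty) {
        // Re-validate every line: the session ID may have arrived via URL or cookie.
        if (!array_key_exists($sku, CATALOGUE) || !is_int($qty) || $qty < 1) {
            throw new RuntimeException('Cart contains an invalid line');
        }
        $total += CATALOGUE[$sku] * $qty;
    }
    return $total;
}

// $session is a plain array standing in for $_SESSION.
$session = [];
$session = addToCart($session, 'SKU-1001', 2);
$session = addToCart($session, 'SKU-2002', 1);

// A price value placed in the session (or sent in the request) is never read,
// so swapping in a session that "stores a smaller price" changes nothing.
$session['price'] = 1;
printf("Total: %.2f\n", cartTotal($session) / 100);
```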