sessions help


weee

Hello everyone,

By default when someone comes to my site, it is the unencrypted web page (http://www.mydomain.com). I recently purchased an SSL certificate so when a user logs in, their password is encrypted (posted to https://mydomain.com). Once the form is posted, the session is set and the header("Location: http://www.mydomain.com"); function is executed to bring them back to the unencrypted version of the site. However, now when a user tries to log in, my site seems to drop the session when the location is set to the unencrypted version of the site.

How do sites go about using a secure login form and running on the regular version of the site?

Thanks!

weee


Don't attempt to pass session IDs back and forth between HTTPS and HTTP connections; it is not secure.

The person most likely to be monitoring your TCP/IP data packets is someone with access to the wired network or an unencrypted wireless connection that you are using. They can impersonate your computer perfectly, all the way down to the IP address that the server sees (because they connect to the server from the same network you are on), and if they get your session ID when it is sent back and forth over a non-HTTPS connection, they can do anything on the server that you are permitted to do when you are logged in.

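One way to act on the advice above is to keep the whole logged-in site on HTTPS and mark the session cookie Secure so the browser never sends it over plain HTTP. This is an added example, not code from either poster; check_credentials() is a hypothetical placeholder, the host name is the one from the question, and it assumes PHP 7.3+ with TLS terminated by the web server running PHP.

```php
<?php
// Added example, not code from the thread.
const CANONICAL_HOST = 'www.mydomain.com'; // host name taken from the question

function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Hypothetical stand-in for the site's own user lookup + password_verify().
function check_credentials(string $user, string $pass): bool
{
    return false;
}

// 1. Redirect plain-HTTP (or wrong-host) requests before any session starts,
//    so a session ID is never sent over an unencrypted connection.
if (!is_https() || ($_SERVER['HTTP_HOST'] ?? '') !== CANONICAL_HOST) {
    $path = $_SERVER['REQUEST_URI'] ?? '/';
    header('Location: https://' . CANONICAL_HOST . $path, true, 301);
    exit;
}

// 2. Secure: cookie is only sent over HTTPS. HttpOnly: page scripts cannot read it.
//    (Array form of session_set_cookie_params() requires PHP 7.3 or later.)
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 3. On a successful login, issue a fresh session ID and stay on HTTPS.
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && is_string($user) && is_string($pass)
    && check_credentials($user, $pass)) {
    session_regenerate_id(true);   // discard the pre-login session ID
    $_SESSION['user'] = $user;
    header('Location: https://' . CANONICAL_HOST . '/');
    exit;
}
```

With the Secure flag set, a redirect back to an http:// URL will always appear to "drop" the session, because the browser withholds the cookie there.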
