Re: [PHP] Sessions across subdomains

[Jochem Maas]

Op 1/30/10 2:25 AM, Ben Miller schreef:
> Hi, I've always thought that session data was subdomain specific and would
> not carry over between http://www.mydomain.com and
> https://secure.mydomain.com, but it seems to be working for me now.  Can I
> rely on this and post from http://www.mydomain.com to
> https://secure.mydomain.com and simply pass a hidden input containing
> PHPSESSID, or do I need to pass each key=>value pair that _SESSION contains
> at www.  and reset them as _SESSION vars at secure.
>  ? 
> 

1. cookies are shared automatically on SUB domains, so if you set your cookie 
domain
to example.com it will be available at both www.example.com and 
secure.example.com

2. cookies can have a HTTPS flag set which means they will not be shared with 
non-HTTPS
connections.

3. DONT put the contents of $_SESSION on the wire. (given the question you're 
asking I'd
hazard a guess you don't have the skills to sufficiently

4. google/read/search/learn about the security implications of sharing a cookie 
between
HTTPS and non-HTTPS domains.

5. session_regenerate_id() - I would use this if you intend to pass session ids 
around,
although it will probably give you a stack of problems in terms of usability 
(e.g. back button usage),
actually I'd use it any time you log someone in or out or have a user perform a 
particularly
sensitive action.

6. the $_SESSION will only be available on both sites if they are both on the 
same server
and running with the same session ini settings (i.e. session save path, session 
name) - different
servers could obviously be using a shared filesystem or an alternative session 
storage (e.g.
memcached or database server).

7. consider not sharing the session - instead pass just the data that you need 
(e.g. shopping
basket contents etc) and either including a hash of the data (which uses a 
secret string that
is not included in the form/url/etc but that both servers/sites know about 
AND/OR using 2-way
public key encryption on the data that you pass in between the servers/sites

personally for higher end commercial sites I prefer to just to put everything 
on HTTPS
solving all potential issues with sharing a cookie or data between nonHTTPS and 
HTTPS sites,
and everything directly related ... the cost being extra overhead per request - 
but hardware
is cheap and security is difficult to get exactly right.

the biggest names on the web have [had] security loophopes/problems related to 
these issues, and they
generally have tons of man power and some very clever/knowledgable people on 
their teams - which is to say:
your chance (and mine for that matter) of not making any mistakes on this front 
are slimmer than theirs.

> Thanks in advance,
> 
> Ben
> 
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

[PHP] Sessions across subdomains

[Ben Miller]

Hi, I've always thought that session data was subdomain specific and would
not carry over between http://www.mydomain.com and
https://secure.mydomain.com, but it seems to be working for me now.  Can I
rely on this and post from http://www.mydomain.com to
https://secure.mydomain.com and simply pass a hidden input containing
PHPSESSID, or do I need to pass each key=>value pair that _SESSION contains
at www.  and reset them as _SESSION vars at secure.
 ? 

 

Thanks in advance,

Ben

[PHP] Sessions across subdomains

[Ben Miller]

Hi, I've always thought that session data was subdomain specific and would
not carry over between http://www.mydomain.com and
https://secure.mydomain.com, but it seems to be working for me now.  Can I
rely on this and post from http://www.mydomain.com to
https://secure.mydomain.com and simply pass a hidden input containing
PHPSESSID, or do I need to pass each key=>value pair that _SESSION contains
at www.  and reset them as _SESSION vars at secure.
 ? 

 

Thanks in advance,

Ben