PHP: accessing session data between HTTPS and HTTP

Thank you for your responses. I updated my PHP session code.

I have login.php (HTTPS), which stays on HTTPS after the user logs in to the account. Now the problem is that when the user who has logged in to the control panel clicks on the about-us.php page (HTTP), the session is not transmitted over HTTP, because I have session.cookie_secure = 1, and as a result the user is logged out of the system. However, when the user returns to the dashboard page, does he also go back to HTTPS?

I believe I am missing something that causes this problem. Here is my code:

This is the PHP header file that is require()'d to start the session, i.e. on the login.php page:

    <?php
    session_start();
    session_regenerate_id(true); /* avoid a session fixation attempt */

    /* Record when the session was created; if it is older than 5 mins (300 secs),
       regenerate the ID to limit the value of a hijacked one */
    if (!isset($_SESSION['CREATED'])) {
        /* login / contact advertiser / email_confirm are the only ways a new session starts */
        $_SESSION['CREATED'] = time();
    } elseif (time() - $_SESSION['CREATED'] > 300) {
        session_regenerate_id(true);   /* change the session ID and invalidate the old one */
        $_SESSION['CREATED'] = time(); /* update creation time */
    }

    /* Mark the user as logged in; the other pages check this flag */
    if (!isset($_SESSION['loggedin'])) {
        $_SESSION['loggedin'] = 1;
    }

    /* Compress the output when ob_gzhandler is available; if it returns false,
       fall back to a plain output buffer (do not nest a second buffer) */
    if (!ob_start('ob_gzhandler')) {
        ob_start();
    }

This PHP header file is require()'d on each page to check that the session is running:

    <?php
    session_start();
    $session_errors = 0; /* if > 0 the user is not logged in */

    /* check that a session was already initiated (by the login header) */
    if (isset($_SESSION['CREATED'])) {
        if (time() - $_SESSION['CREATED'] > 300) { /* started more than 5 mins (300 secs) ago */
            session_regenerate_id(true);   /* change the session ID and invalidate the old one */
            $_SESSION['CREATED'] = time(); /* update creation time */
        }
    } else {
        $session_errors++; /* user not logged in */
    }

    /* check if the user is logged in */
    if (!isset($_SESSION['loggedin'])) {
        $session_errors++; /* user not logged in */
    }

    /* gzip the output if possible, otherwise use a plain buffer */
    if (!ob_start('ob_gzhandler')) {
        ob_start();
    }

Also, if it matters, this is the code used to enable HTTPS on non-sensitive pages like about-us.php:

    <?php
    /* redirect to plain HTTP on this page; exit so nothing after the redirect is sent */
    if ($_SERVER['SERVER_PORT'] != 80) {
        $url = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
        header('Location: ' . $url);
        exit;
    }

Thanks again for the help, guys. daza166

+7
2 answers

If you use ini_set('session.cookie_secure', 1);, the cookie with the session ID will only be sent to the server if the connection is encrypted. Therefore, if you force the user to access about-us.php over an insecure HTTP connection, your script will not receive the cookie and the user will appear on that page as not logged in. You will not be able to access any session variables.

However, neither the cookie on the client nor the session data on the server are deleted. So if the user later visits an encrypted page of your site (while the session and the cookie are still valid), the still-existing cookie with the session ID is sent and he will not need to log in again. In short, switching from HTTPS to HTTP and back will not lead to a logout. If you don't need to check the user's login status on an unencrypted page, setting cookie_secure is a good idea.

On your other questions: in my opinion, checking the user agent does not significantly raise the level of security, because a hacker who can get someone's session identifier will not have much trouble getting his user agent string as well. Verifying the IP makes sense, but it can cause problems if users' IPs change frequently due to reconnecting or changing proxies.

+2
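As an added example (not code from the answer above or from the asker), here is a session bootstrap that applies the cookie_secure setting the answer describes, together with a redirect that keeps session-bearing pages on HTTPS so the browser is never asked to present the Secure cookie over plain HTTP. The canonical host name and the proxy address are assumptions for illustration; the X-Forwarded-Proto branch only makes sense behind a TLS-terminating reverse proxy you trust. The array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: require()'d before any output on every page that uses the session.

const CANONICAL_HOST = 'www.example.com'; // assumed; never build this from the Host header
const TRUSTED_PROXY  = '10.0.0.1';        // assumed address of the TLS-terminating proxy

function is_https(): bool
{
    // PHP sets $_SERVER['HTTPS'] to a non-empty value other than "off"
    // when the request itself arrived over TLS.
    if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
        return true;
    }
    // Honour X-Forwarded-Proto only when the request really comes from the proxy;
    // otherwise any client could claim to be on HTTPS.
    return ($_SERVER['REMOTE_ADDR'] ?? '') === TRUSTED_PROXY
        && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

function require_https(): void
{
    if (is_https()) {
        return;
    }
    $url = 'https://' . CANONICAL_HOST . ($_SERVER['REQUEST_URI'] ?? '/');
    header('Location: ' . $url, true, 302);
    exit; // never keep rendering after a redirect
}

require_https();

// These must be set before session_start(); changing them afterwards does not
// affect the cookie that has already been sent.
ini_set('session.use_only_cookies', '1'); // ignore session IDs passed in the URL
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
session_set_cookie_params([
    'lifetime' => 0,       // session cookie, discarded when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,    // same effect as session.cookie_secure = 1: HTTPS only
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();
```

With this in place an HTTP page simply never runs with the session: the redirect happens first, so the "appears logged out on HTTP" symptom cannot occur, and the Secure cookie is never exposed to a plaintext request.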

It looks like you are asking a few different questions here, but for this:

I was wondering if there was any reason to really check the user agent / IP, etc., since although this will reduce the chances of hijacking, this is just a comparison of $_SESSION == $_SESSION, i.e. (www.domain.com/login.php?hacker=no)

If you are asking why people compare session variables with what is sent, the answer is that the variables stored in $_SESSION were set at the beginning of the session, i.e. when the user logged in, presumably before any hijacking. (A hijacker can only take over an existing session, and that session could have started without the hijacker taking part.) Because of this, if we regularly compare the user agent string or IP address sent with the page request against the one we saved at the very beginning of the session, we can detect the takeover (assuming the hijacker has a different user agent string / IP address).

I do not know the answer to your HTTPS question.

+2
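The check this answer describes, as an added example that is not part of either answer: at login, store a hash of the User-Agent and the client's network in the session; on every request recompute it and compare with hash_equals(), dropping the session on a mismatch. The IP is reduced to its /24 (IPv4) or /64 (IPv6) before hashing so that a client that moves within one network is not logged out, which is the trade-off the first answer warns about; the function names and the network widths are my own choices.

```php
<?php
// Added example: bind the session to the User-Agent and client network.

// Reduce the address to its network so a client roaming inside one /24 or /64
// keeps its session; widen or drop this if your users change networks often.
function client_network(string $ip): string
{
    if (strpos($ip, ':') !== false) {                 // IPv6: keep the /64
        $packed = inet_pton($ip);
        return $packed === false ? $ip : bin2hex(substr($packed, 0, 8));
    }
    $parts = explode('.', $ip);                       // IPv4: keep the /24
    return implode('.', array_slice($parts, 0, 3)) . '.0';
}

function session_fingerprint(array $server): string
{
    $ua  = $server['HTTP_USER_AGENT'] ?? '';
    $net = client_network($server['REMOTE_ADDR'] ?? '0.0.0.0');
    return hash('sha256', $ua . "\0" . $net);
}

// Call once, right after the password has been verified; assumes session_start()
// has already run.
function bind_session(array $server): void
{
    session_regenerate_id(true);                      // fresh ID: defeats fixation
    $_SESSION['fp']       = session_fingerprint($server);
    $_SESSION['loggedin'] = 1;
    $_SESSION['CREATED']  = time();
}

// Call on every page that needs a logged-in user. Returns true only while the
// session is still bound to the client that logged in.
function session_is_bound(array $server): bool
{
    if (!isset($_SESSION['fp'], $_SESSION['loggedin'])) {
        return false;                                 // never logged in
    }
    if (!hash_equals($_SESSION['fp'], session_fingerprint($server))) {
        // Fingerprint changed: possible hijack, throw everything away.
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Usage on a protected page, after the session bootstrap:
// if (!session_is_bound($_SERVER)) { header('Location: /login.php'); exit; }
```

Both values are easy for an attacker who already holds the session ID to copy, as the first answer notes, so treat this as a speed bump that catches the careless case, not as a substitute for Secure/HttpOnly cookies and ID regeneration.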
