I am trying to protect my sessions. While doing some research, I thought that the random PHP-generated PHPSESSID + a hash based on the user agent and IP is good enough to protect against theft. What else can you do, really?
I use HTTPS for login. As I understand it, session data from PHP is never sent to the user, but rather is stored on the server side. The client receives the session-only identifier. The session data contains the actual webapp user session, which, in turn, is used to verify that the login is correct. All beautiful and dandy.
However, there is a detail that I cannot find anywhere else. I would like to know if a cookie containing the PHP session id will be automatically marked as secure if I use HTTPS. I did some Google searches, but didn't seem to get the right search terms, because I only find ways to manually send cookies. I would like to know, because if this cookie is sent in clear text, it may compromise some security through a man-in-the-middle.
EDIT 1
This addition is for @ircmaxell
I tried my method, but somehow I still get the cookie when I switch from HTTPS to HTTP. How it should work is as follows. Whenever the server knows that a user session is available, it sets the secure flag. This means that the whole site runs on SSL as soon as you are logged in, and refuses to give / use a cookie when you are not using SSL. Or at least that's the idea.
    // Note: these parameters only take effect if set BEFORE session_start();
    // calling this after the session has started leaves the cookie unchanged.
    if ($SysKey['user']['session_id'] != '') {
        session_set_cookie_params(
            60 * 60 * 24 * 7,           // lifetime: one week
            '/',                        // path
            $SysKey['server']['site'],  // domain
            true,                       // secure: browser sends it only over HTTPS
            true                        // httponly: not readable from JavaScript
        );
    }
I assume that I need to regenerate the identifier, since the browser already had a cookie before logging in, but since I can only try it in a few hours, I will ask here before trying.
NOTES ON THE SOLUTION
I just found out that you should set these parameters before starting the session. That was my problem. Now I use two different cookies: one for regular guests, sent via HTTP, and a second for registered users, sent only over SSL.
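To answer the original question directly: PHP does not mark the session cookie as Secure just because the request arrived over HTTPS; the flag is controlled only by the `session.cookie_secure` ini setting or by `session_set_cookie_params()`, and both must be set before `session_start()`. The following is an added example of the two-cookie scheme described in the notes above; it is not the asker's code. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params()`), a hypothetical `verify_credentials()` helper, and constructed cookie names `GUESTSESS` and `USERSESS`.

```php
<?php
// Added example, not the asker's code. Guest session travels over HTTP with a
// plain cookie; after login a separate session is started whose cookie carries
// the Secure and HttpOnly attributes, so the browser never sends it over HTTP.
declare(strict_types=1);

const GUEST_COOKIE = 'GUESTSESS';   // constructed name
const USER_COOKIE  = 'USERSESS';    // constructed name

function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Start a session under the given cookie name. The cookie parameters are
// applied BEFORE session_start(); setting them afterwards has no effect,
// which was the pitfall described in the notes above.
function start_session(string $name, bool $secure): void
{
    session_name($name);
    session_set_cookie_params([
        'lifetime' => 60 * 60 * 24 * 7,
        'path'     => '/',
        'domain'   => '',           // current host only
        'secure'   => $secure,      // Secure attribute: HTTPS only
        'httponly' => true,         // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hypothetical credential check; a real application would look up the user
// and compare with password_verify() against a stored hash.
function verify_credentials(string $user, string $pass): bool
{
    return false;
}

// Pick the session to resume. The browser will not send USERSESS over plain
// HTTP at all (Secure attribute), so an HTTP request always lands in the
// guest branch, even for a logged-in user.
if (is_https() && isset($_COOKIE[USER_COOKIE])) {
    start_session(USER_COOKIE, true);
} else {
    start_session(GUEST_COOKIE, false);
}

// Login: refuse over HTTP, then move the visitor to the secure session and
// issue a fresh id so the pre-login (guest) identifier can never be replayed.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['login'])) {
    if (!is_https()) {
        http_response_code(403);
        exit('Login requires HTTPS.');
    }
    $user = (string) ($_POST['user'] ?? '');
    if (verify_credentials($user, (string) ($_POST['pass'] ?? ''))) {
        $guestData = $_SESSION;          // keep e.g. cart contents
        session_write_close();           // leave the guest session
        start_session(USER_COOKIE, true);
        session_regenerate_id(true);     // new id, old storage deleted
        $_SESSION = $guestData + ['user' => $user, 'login_at' => time()];
    }
}
```

Because the Secure cookie is never transmitted over HTTP, a page served over plain HTTP cannot see the logged-in session at all, which is what the "refuses to give / use a cookie when you are not using SSL" behaviour in the edit amounts to. Every page that needs the logged-in state therefore has to be served over HTTPS.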