I am setting up a shopping cart website however I am having issues with sharing PHP Sessions between HTTPS and HTTP.
My secure address: https://secure.domain.com My regular address: http://domain.com
I had read some pages here on serverfault and concluded a solution myself. I would like to know if my solution is secure and practical.
My solution: 1: On new session, save PHP Session ID, User IP, and ID (randomly generated 6 digit number and saved to clients computer as cookie) to database 2. When client goes into HTTPS page. The page checks the database for matching ID and IP address for the PHP Session ID.
If you have a better solution, please share
thank you
The problem with this solution is that any authentication data, including the session ID and random user ID, that you send over HTTP can be stolen off of the wire. See Session hijacking.
There are two viable solutions:
Make the entire site HTTPS-only.
Allow HTTP, but redirect the user to HTTPS before you allow them to log in. Then make any session cookies HTTPS-only, so if the user does switch back to HTTP, their session data won't be sent in the clear.