Sessions across subdomains

am 30.01.2010 02:25:41 von Ben Miller


Hi, I've always thought that session data was subdomain specific and would
not carry over between http://www.mydomain.com and
https://secure.mydomain.com, but it seems to be working for me now. Can I
rely on this and post from http://www.mydomain.com to
https://secure.mydomain.com and simply pass a hidden input containing
PHPSESSID, or do I need to pass each key=>value pair that _SESSION contains
at www. and reset them as _SESSION vars at secure.?

Thanks in advance,

Ben

Re: Sessions across subdomains

am 30.01.2010 03:18:11 von Jochem Maas

Op 1/30/10 2:25 AM, Ben Miller schreef:
> Hi, I've always thought that session data was subdomain specific and would
> not carry over between http://www.mydomain.com and
> https://secure.mydomain.com, but it seems to be working for me now. Can I
> rely on this and post from http://www.mydomain.com to
> https://secure.mydomain.com and simply pass a hidden input containing
> PHPSESSID, or do I need to pass each key=>value pair that _SESSION contains
> at www. and reset them as _SESSION vars at secure.
> ?
>

1. cookies are shared automatically on SUB domains, so if you set your cookie domain
to example.com it will be available at both www.example.com and secure.example.com

2. cookies can have a HTTPS flag set which means they will not be shared with non-HTTPS
connections.

3. DON'T put the contents of $_SESSION on the wire. (given the question you're asking I'd
hazard a guess you don't have the skills to sufficiently

4. google/read/search/learn about the security implications of sharing a cookie between
HTTPS and non-HTTPS domains.

5. session_regenerate_id() - I would use this if you intend to pass session ids around,
although it will probably give you a stack of problems in terms of usability (e.g. back button usage),
actually I'd use it any time you log someone in or out or have a user perform a particularly
sensitive action.

6. the $_SESSION will only be available on both sites if they are both on the same server
and running with the same session ini settings (i.e. session save path, session name) - different
servers could obviously be using a shared filesystem or an alternative session storage (e.g.
memcached or database server).

7. consider not sharing the session - instead pass just the data that you need (e.g. shopping
basket contents etc) and either include a hash of the data (which uses a secret string that
is not included in the form/url/etc but that both servers/sites know about) and/or use 2-way
public key encryption on the data that you pass in between the servers/sites

personally for higher end commercial sites I prefer to just put everything on HTTPS,
solving all potential issues with sharing a cookie or data between non-HTTPS and HTTPS sites,
and everything directly related ... the cost being extra overhead per request - but hardware
is cheap and security is difficult to get exactly right.

the biggest names on the web have [had] security loopholes/problems related to these issues, and they
generally have tons of manpower and some very clever/knowledgeable people on their teams - which is to say:
your chance (and mine for that matter) of not making any mistakes on this front is slimmer than theirs.

> Thanks in advance,
>
> Ben
>
>
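As an added illustration of points 1, 2, 5 and 7 from the reply above (this is example code written for this page, not code from either poster or from the PHP project): a parent-domain session cookie restricted to HTTPS, a fresh session id at login, and a signed payload as the alternative to shipping the session itself. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(); the domain "example.com", the shared secret and the basket contents are constructed placeholders.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 7.3 for the
// array form of session_set_cookie_params(). "example.com", SHARED_SECRET
// and the basket contents below are constructed placeholders.

// --- Points 1 and 2: one session cookie for every *.example.com host, HTTPS only ---
// Must be called before session_start(). 'domain' => '.example.com' makes the
// browser send the cookie to both www.example.com and secure.example.com;
// 'secure' => true stops it from being sent over plain http://, so the session
// id never crosses the wire in clear text.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '.example.com',   // placeholder domain
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// --- Point 5: issue a new session id whenever the privilege level changes ---
function loginUser(int $userId): void
{
    // true = discard the old session data so the previous id cannot be reused
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// --- Point 7: pass only the data you need, authenticated with a shared secret ---
// Both sites know SHARED_SECRET; it is never placed in the form or the URL.
const SHARED_SECRET = 'replace-with-a-long-random-secret'; // placeholder

function signPayload(array $data, string $secret): string
{
    $json = json_encode($data);
    $mac  = hash_hmac('sha256', $json, $secret);
    // This single value goes into the hidden input on www.example.com.
    return base64_encode($json) . '.' . $mac;
}

function verifyPayload(string $token, string $secret): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $json = base64_decode($b64, true);
    if ($json === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $json, $secret);
    // hash_equals() compares in constant time so the MAC cannot be guessed byte by byte.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return json_decode($json, true);
}

// On www.example.com: build the token for the hidden input (constructed basket).
$token = signPayload(['basket' => [['sku' => 'A1', 'qty' => 2]]], SHARED_SECRET);

// On secure.example.com: accept the basket only if the MAC verifies.
$basket = verifyPayload($token, SHARED_SECRET);
var_dump($basket);

// A token altered in transit fails verification and yields NULL.
var_dump(verifyPayload($token . 'x', SHARED_SECRET));
```

The signed payload gives integrity, not confidentiality: anything in the basket is still readable in the form, so data that must stay private belongs on the HTTPS side only, which is the point made in the reply about putting everything on HTTPS.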


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php