A Flash Developer Resource Site

Thread: secure php sessionid

  1. #1
    Member
    Join Date
    Apr 2003
    Location
    North East, MD
    Posts
    62

    secure php sessionid

    I am having a problem with creating a secure session ID for my site. The problem I am having is that I'm on a shared host plan, and when using SSL, the URL prefix is different than my domain name. This means if I store my sessionID in a cookie, it'll be a different cookie for my domain and the SSL domain. I could have every page be within the SSL domain, but I don't want to encrypt/decrypt every page. I also don't like the idea of rewriting the sessionID in the URL, because that is easily read by others. What I really need is a way to generate the sessionID on every page and have it stay the same throughout the user's visit. IP addresses are easily spoofed, so that's not a good choice.

    Thanks for the help.
    "I hate when people put quotes in their signatures" -anonymous

  2. #2
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi,

    if your domain names share a common suffix (e.g. www.yoursite.uk and secure.yoursite.uk), you can change the cookie domain to a wildcard and so ensure that the session ID is available.
    However, I would not be absolutely sure that the regular and secure server are indeed running on the same physical server; in fact only one virtual server on any given IP can be SSL, which imposes some restrictions on how a hosting company lays out their servers.
    In that case you would have to set up sharing of the session data between two machines as well.

    One word in favor of a completely secured site: users do not really like these nagging "you are entering/leaving a secure site" prompts.

    Musicman
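    The cookie-domain change described in this reply, written out as an added example (this is not code from the thread or from the poster's site). It assumes the hosts share the parent domain used above, www.yoursite.uk and secure.yoursite.uk, and that the session store is reachable from both; the function name and its parameters are this example's own. It also turns off the URL rewriting the original poster objected to, and rejects session IDs the server never issued.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original thread. Shows the cookie-domain
// change Musicman describes for hosts that share a parent domain. The host
// names www.yoursite.uk / secure.yoursite.uk are the reply's placeholders;
// the function and its parameters are this example's own.

/**
 * Configure PHP's session cookie; must run before session_start().
 *
 * $parentDomain  e.g. '.yoursite.uk' (leading dot: sent to every subdomain)
 * $httpsOnly     true  -> cookie only travels over https://, so the plain-HTTP
 *                         host never sees it (and cannot share the session);
 *                false -> both hosts share the session, but the ID is sent in
 *                         clear text on every http:// request, which is the
 *                         same exposure as putting the ID in the URL.
 * Returns the cookie parameters now in effect, for inspection.
 */
function configureSharedSessionCookie(string $parentDomain, bool $httpsOnly): array
{
    // Only accept the ID from a cookie: no ?PHPSESSID=... rewriting in links.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject IDs the server did not create itself (blocks session fixation).
    ini_set('session.use_strict_mode', '1');

    // Array form of session_set_cookie_params() needs PHP 7.3 or later.
    session_set_cookie_params([
        'lifetime' => 0,               // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => $parentDomain,   // shared by www. and secure.
        'secure'   => $httpsOnly,
        'httponly' => true,            // keep it away from document.cookie
        'samesite' => 'Lax',
    ]);

    return session_get_cookie_params();
}

$params = configureSharedSessionCookie('.yoursite.uk', true);

if (PHP_SAPI !== 'cli') {
    session_start();
    $_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
}

print_r($params);
```

    With `secure` set to true the plain-HTTP host never receives the cookie, so sharing only works if the pages that need the session are served over HTTPS; with it false, every http:// request hands the session ID to anyone on the path. That is the trade-off behind the "completely secured site" advice in the reply.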

  3. #3
    Member
    Join Date
    Apr 2003
    Location
    North East, MD
    Posts
    62
    Well, my domain does not share any commonalities with the SSL domain, so that's out. You gave one word in favor of a completely secured site; how many words can you think of against it? Also, back to my original idea of generating a sessionID: what kind of data (maybe in the headers) would be consistent for the same user on multiple pages, but would be unique from another user? I read an article one time that said to use a combination of the IP address and the user_agent and some other stuff and then MD5 it to create a session ID. Do you think this would be secure enough? I don't think user_agent would help much because 95% of people use IE. Also, my site only deals with small money transactions; does this matter, or make it less likely for an attack?

    Thanks
    "I hate when people put quotes in their signatures" -anonymous
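    The "MD5 of IP address plus user_agent" idea from this post, tried out as an added example (not code from the thread or the article the poster mentions). It runs the derived ID for two users behind one NAT address with the same browser, then shows the usual alternative: a random ID from the CSPRNG, with the IP/UA fingerprint stored inside the server-side session and checked on each request rather than used to derive the ID. All addresses, user-agent strings, function names and the in-memory `$store` are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Compares the "md5(IP + User-Agent)"
// idea with a random ID plus a stored fingerprint. All names, addresses and
// user-agent strings here are constructed.

function derivedSessionId(string $ip, string $userAgent): string
{
    // Deterministic: anyone who knows, or shares, the IP and UA can compute it.
    return md5($ip . '|' . $userAgent);
}

function randomSessionId(): string
{
    // 128 bits from the OS CSPRNG; not derivable from anything observable.
    return bin2hex(random_bytes(16));
}

function fingerprint(string $ip, string $userAgent): string
{
    return hash('sha256', $ip . '|' . $userAgent);
}

/** Open a session: random ID, fingerprint recorded alongside the data. */
function openSession(array &$store, string $ip, string $userAgent, string $user): string
{
    $id = randomSessionId();
    $store[$id] = ['user' => $user, 'fp' => fingerprint($ip, $userAgent)];
    return $id;
}

/** Resolve a presented ID; null if unknown or if the fingerprint changed. */
function resolveSession(array $store, string $id, string $ip, string $userAgent): ?string
{
    if (!isset($store[$id])) {
        return null;
    }
    if (!hash_equals($store[$id]['fp'], fingerprint($ip, $userAgent))) {
        return null; // same cookie, different client: treat as a hijack attempt
    }
    return $store[$id]['user'];
}

// Constructed sample: Alice and Bob share a NAT address and a browser build.
$ip = '203.0.113.7';
$ua = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)';

$aliceDerived = derivedSessionId($ip, $ua);
$bobDerived   = derivedSessionId($ip, $ua);
printf("derived IDs collide: %s\n", $aliceDerived === $bobDerived ? 'yes' : 'no'); // yes

// Anyone who sees the IP (a web log, a shared wifi) and guesses the common UA
// recomputes the ID offline; no cookie theft is needed.
$guess = derivedSessionId($ip, $ua);
printf("attacker's offline guess matches: %s\n", $guess === $aliceDerived ? 'yes' : 'no'); // yes

// Random IDs with a stored fingerprint: distinct sessions, hijack detectable.
$store   = [];
$aliceId = openSession($store, $ip, $ua, 'alice');
$bobId   = openSession($store, $ip, $ua, 'bob');
printf("random IDs collide: %s\n", $aliceId === $bobId ? 'yes' : 'no');         // no
printf("alice resolves to: %s\n", resolveSession($store, $aliceId, $ip, $ua));  // alice

// Alice's cookie replayed from a different network and browser:
var_dump(resolveSession($store, $aliceId, '198.51.100.9', 'curl/8.0'));        // NULL
```

    The derived ID fails on both counts the poster cares about: two people behind one proxy get the same session, and the value can be computed without ever seeing it. Binding a random ID to a fingerprint gives the check the poster was after, at the cost of logging out users whose address changes mid-visit (dial-up reconnects, mobile networks), which is why many sites bind to the user agent only.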

  4. #4
    Registered User
    Join Date
    Feb 2001
    Posts
    13,041
    Hi,

    I don't see much sense in having a session ID without any session data, so maintaining data over two distinct servers may be a challenge.
    There are ways to build even big shops without sessions: Flash or JavaScript can maintain the session data on the client side and thereby avoid the session altogether. Also, if all that the session does is maintain a logged-in state, sending the same credentials with every request could avoid the session. Again, a Flash client might be quite helpful.
    In the latter scenario, you would have to invent a system that keeps login names on both servers in sync.

    Musicman
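    Keeping the session data on the client, as this reply suggests, means the client can also edit it, so the server has to sign whatever it hands out and verify the signature on every request. The following is an added example of that (not code from the thread or from any poster's site): a sealed state blob carrying an expiry and an HMAC-SHA256 tag, checked before the contents are trusted. Both servers must hold the same key; the key value, field names and sample cart are constructed placeholders.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Client-held session state, signed by
// the server so that edits on the client are detected. Both servers share the
// key. The key, field names and sample data below are constructed.

const SESSION_KEY = 'replace-with-32-random-bytes-shared-by-both-servers'; // assumption

/** Serialise $data with an expiry and an HMAC tag, ready to put in a cookie. */
function sealState(array $data, int $ttlSeconds, int $now): string
{
    $data['exp'] = $now + $ttlSeconds;
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    $tag = hash_hmac('sha256', $payload, SESSION_KEY);
    return $payload . '.' . $tag;
}

/** Verify and decode a sealed state; null if tampered, malformed or expired. */
function openState(string $token, int $now): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    // Check the tag before looking at the contents, in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, SESSION_KEY), $tag)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true);
    if (!is_array($data) || !isset($data['exp']) || $data['exp'] < $now) {
        return null;
    }
    return $data;
}

$now   = time();
$token = sealState(['user' => 'alice', 'cart' => ['sku-1' => 2]], 1800, $now);

// The other server, holding the same key, accepts it:
var_dump(openState($token, $now)['user']);   // string(5) "alice"

// The client rewrites the payload to become someone else: tag no longer matches.
[$payload, $tag] = explode('.', $token, 2);
$forgedPayload = base64_encode(str_replace('alice', 'admin', base64_decode($payload)));
var_dump(openState($forgedPayload . '.' . $tag, $now));   // NULL

// Half an hour later the original token has expired:
var_dump(openState($token, $now + 1801));    // NULL
```

    The tag gives integrity, not secrecy: the client can read everything in the blob, so nothing secret belongs in it, and there is no server-side record to revoke, which is why the expiry is part of the signed data. A login state carried this way needs no shared session store, which is the point of the reply.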
