I've been developing an auth script which uses PHP session vars to verify that the user is logged in.
It works fine as long as it's either SSL or non-SSL throughout, but I know that sessions can be hijacked, and I've recently come across a major problem which makes using sessions possibly totally impractical.
To put it simply:
User logs in on an SSL encrypted gateway page.
User is redirected to the non-SSL admin area (sessions are lost at this point due to the URL being different)
User is redirected back to the gateway page because the sessions don't exist.
The user needs to be able to surf a protected area without SSL, as this is a shared certificate and speed is poor. I could simply pass the session data and start a new session for the non-SSL space, but this would leave an obvious weak point in the whole system.
Can anyone suggest an alternative to using sessions (and ideally not cookies either) which will allow my users to remain logged in throughout both areas?
Thanks in advance, roki
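The following is an added example, not code from the post above or a reply to it. It illustrates two things the post touches on: why a session cookie issued on an SSL gateway page is not presented to a plain-HTTP admin page when the cookie carries the Secure flag (so `session_start()` there finds an empty session and the admin page bounces back to the gateway), and what the hand-off the poster considers ("pass the session data and start a new session") looks like when the handed-off value is an HMAC-signed, short-lived token rather than the raw session data. `HANDOFF_SECRET`, `HANDOFF_TTL` and the function names are assumptions for this example; it assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
declare(strict_types=1);

// Assumed for this example: a server-side secret (load it from outside the web root in practice)
// and how long a hand-off token stays valid once the gateway issues it.
const HANDOFF_SECRET = 'replace-with-a-long-random-secret';
const HANDOFF_TTL    = 60; // seconds

// Start the session with cookie flags matching the scheme the page was requested over.
// With 'secure' => true the browser returns the cookie only on HTTPS requests, which is why
// a redirect to a plain-HTTP page arrives with no session cookie and gets a fresh, empty session.
function startSessionFor(bool $https): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $https,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// The check the admin area performs; on the non-SSL side this is what fails after the redirect.
function isLoggedIn(): bool
{
    return isset($_SESSION['user']) && is_string($_SESSION['user']);
}

// Build a hand-off token the SSL gateway can put in the redirect URL: a base64 JSON payload
// (user name plus expiry) and an HMAC-SHA256 over it, so it cannot be forged or altered.
// base64 never contains '.', so the separator is unambiguous.
function makeHandoffToken(string $user, int $now): string
{
    $payload = base64_encode(json_encode(['u' => $user, 'exp' => $now + HANDOFF_TTL]));
    $mac     = hash_hmac('sha256', $payload, HANDOFF_SECRET);
    return $payload . '.' . $mac;
}

// Verify a token on the non-SSL side. Returns the user name, or null if the token is malformed,
// the MAC does not match (constant-time compare), or the token has expired.
function verifyHandoffToken(string $token, int $now): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, HANDOFF_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $raw  = base64_decode($payload, true);
    $data = $raw === false ? null : json_decode($raw, true);
    if (!is_array($data) || !isset($data['u'], $data['exp']) || !is_int($data['exp']) || $data['exp'] < $now) {
        return null;
    }
    return (string) $data['u'];
}

// Non-SSL admin entry point: accept a valid hand-off token exactly once, then rely on the
// plain-HTTP session it starts. The token is single-use only if the caller records it; here the
// session itself is the record, so a replayed URL simply starts another session for the same user.
function acceptHandoff(string $token, int $now): bool
{
    $user = verifyHandoffToken($token, $now);
    if ($user === null) {
        return false;
    }
    session_regenerate_id(true);   // do not reuse whatever session id the browser sent over HTTP
    $_SESSION['user'] = $user;
    return true;
}
```

Typical wiring: the SSL gateway calls `startSessionFor(true)`, authenticates, then redirects to `http://.../admin.php?h=` followed by `makeHandoffToken($user, time())`; the admin page calls `startSessionFor(false)`, and if `isLoggedIn()` is false it tries `acceptHandoff($_GET['h'], time())` before bouncing back to the gateway. The caveat the poster already identifies still applies: once the admin area runs over plain HTTP, the hand-off token in the URL and the session cookie that follows it are both visible on the wire, so the signing only stops forgery and limits the window of a captured hand-off URL; it does not remove the hijacking risk of an unencrypted session.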