php sessions and security question

wscreate · 2002-12-06T01:48:22+00:00

I have two questions about security. If I pass session variables from page to page while in SSL, is this secure or does the session info get logged insecure...

php sessions and security question

wscreate

I have two questions about security.

If I pass session variables from page to page while in SSL, is this secure or does the session info get logged insecurely somewhere on the server?
If I post from a non-secure page to a secure page, is the data encrypted or is this non-encrypted (see form statement below)?

http://www.site1.com/page1.php ---> https://www.site2.com/formresults.php

Weedpacket

You mean your server's not secure?

PyroX

If I post from a non-secure page to a secure page, is the data encrypted or is this non-encrypted (see form statement below)?

http://www.site1.com/page1.php ---> https://www.site2.com/formresults.php

SOMEONE HAS TO KNOW FOR SURE !

I believe it is not secure.

The logs will not contain any session info, BUT, complete session objects are stored, usually under /tmp/

Weedpacket

I'm pretty sure it is encrypted; cipher negotiation and key exchange and all the rest has to be done first, before any actual requests can be made or responses returned. There's no point having an encrypted channel if you then try and send stuff in clear over it.

wscreate

Thanks. The reason why I want to go from non-secure to secure is because I am using a local page on my PC that contains the form. I do not have SSL on my local PC.

Anyway, thanks for the assistance.

nigel_belanger

It is NOT secure in the example that you listed.

When you initiate a secure connection via SSL, the session is started and continues to be secure.

A suggestion would be to refer to the secure server from your unsecure pc. Basically, point the visitor to the secure link to fill out the form.

That is your BEST option, unless, however, you wanted to do the following:

Create the form on the secure server
Use frames and include that page within your unsecured page.

In that example, atleast the portion WITHIN the frames will be secure. The visitor WILL NOT see the little lock box (in IE) but it will be secure.

Hope this helps!