sessions (http -&gt; https)

sessions (http -> https)

devinemke

according to the manual on sessions:

Note: Non-relative URLs are assumed to point to external sites and hence don't append the SID, as it would be a security risk to leak the SID to a different server.

I assume this means only if you are using trans_id and would have no effect on cookie based session propagation. So let's say you have a form that collects sensitive info. The page with the form itself is served up via http but the action tag of that form points to a https page. It seems through my testing my session variables are lost on the resulting secure page even though I am using the default cookie method. what gives? if you call session_start() on the https page shouldn't it map to the cookie that was already started on the http page.

devinemke

I guess my two options are to recreate the whole session using hiddden form variables or to append the session id to the query string:

$url = 'index.php?' . session_name () . '=' . session_id ();