  1. #1
    Join Date
    Apr 2006

    https to http, sessionid attack?

    I have a 'members' area and a 'public' area on my website (apache2 as the web server). My login page for the members area is protected by SSL, and the pages in the members area are all accessed by https.
    Is there a security risk if a 'member' goes from the https members area to the http public area? Something involving the sessionid, a session id attack?
    Both http and https are served from, not and (if I had 2 different subdomains, the https cookie would not be sent to the http page?)

  2. #2
    Join Date
    Apr 2005
    If it's well coded.

  3. #3
    Join Date
    Feb 2005
    The session id will transfer across from https to http on the same domain name, so if someone had a network sniffer running I guess they could get hold of it. Not a huge risk but presumably one you're trying to avoid since you're using ssl.

    You could just block access to the members pages on a non-encrypted connection (mod_rewrite SERVER_PORT).

    "Some problems are so complex that you have to be highly intelligent and well informed just to be undecided about them." - Laurence J. Peter
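The leak described in this thread comes from cookie scoping: a browser sends a cookie back to every URL that matches its domain and path, regardless of scheme, unless the cookie carries the Secure attribute. The following example (added here, not code from any poster) simulates that with Python's standard cookie jar: it sets the session cookie during an https login, then checks what a later http or https request would carry. The hostnames are constructed for illustration.

```python
import http.cookiejar
import urllib.request
from http.client import HTTPMessage


class FakeResponse:
    """Minimal stand-in for an HTTP response: the cookie jar only calls .info()."""

    def __init__(self, set_cookie_values):
        self._msg = HTTPMessage()
        for value in set_cookie_values:
            self._msg.add_header("Set-Cookie", value)

    def info(self):
        return self._msg


def cookie_header_for(set_cookie, login_url, later_url):
    """Store `set_cookie` as if sent by `login_url`, then return the Cookie
    header a browser-like jar would attach to `later_url` (None if nothing)."""
    jar = http.cookiejar.CookieJar()  # DefaultCookiePolicy honours Secure
    login_req = urllib.request.Request(login_url)
    jar.extract_cookies(FakeResponse([set_cookie]), login_req)
    later_req = urllib.request.Request(later_url)
    jar.add_cookie_header(later_req)
    return later_req.get_header("Cookie")


if __name__ == "__main__":
    # Constructed hostnames; same host for both areas, as in the question.
    login = "https://www.example.com/login"
    public = "http://www.example.com/public/"
    members = "https://www.example.com/members/"

    # Plain cookie: leaks to the cleartext public page (the risk in the thread).
    print(cookie_header_for("sessionid=abc123; Path=/", login, public))
    # Secure cookie: withheld on http, still sent on https members pages.
    print(cookie_header_for("sessionid=abc123; Path=/; Secure", login, public))
    print(cookie_header_for("sessionid=abc123; Path=/; Secure", login, members))
    # Separate subdomain for the secure area: a host-only cookie never reaches
    # the other hostname, which answers the subdomain question in post #1.
    print(cookie_header_for("sessionid=abc123; Path=/",
                            "https://secure.example.com/login", public))
```

Setting Secure on the session cookie complements the mod_rewrite approach from post #3: the rewrite keeps the members pages off port 80, while the cookie attribute keeps the session id off the wire even when the user browses to the public area.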
