Servage Magazine

Information about YOUR hosting company – where we give you a clear picture of what we think and do!

Secure sessions with PHP

Saturday, July 28th, 2012 by Servage

When working with sessions in PHP, you basically rely on the client sending a session ID wirth every request, so you can uniquely identify the particular user. This usually works with cookies.

Session IDs have a few things about them, which make them tricky to work with. First of all, the sessione engine has to create and maintain session file (or stored in another data source), but thankfully this is usually done automatically for us, for example by the PHP session handler. Also the cookie creation and retrieval of session ID is usually done by PHPs magic.

So, whats the problem here then? Well, the whole session issue starts to become complicated, when your look at HTTPS vs HTTP requests. You generally don’t want secure session IDs to be transferred insecurely, but you also don’t want to hold two separate sessions, if the user is accessing your frontend via HTTP and the abckend via HTTPS. This could result in lost information, settings, or whatever else you may store in the session.

For this purpose I have come up with a secure session handler concept, which creates and maintains a session only on HTTPS request, while maintaining another session on all requests (both HTTP and HTTPS). This way you can decide which data is required to be secure, and which isn’t, and store it accordignly. This way you can have access to some data always, and private data only on HTTPS.

Look at the following code, which is a PHP class you can implement on HTTPS requests.

Secure sessions with PHP, 5.0 out of 5 based on 5 ratings
Categories: Tips & Tricks

Keywords:

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

No comments yet (leave a comment)

You are welcome to initiate a conversation about this blog entry.

Leave a comment

You must be logged in to post a comment.