PHP Session sharing between HTTP and HTTPS


I am setting up a shopping cart website; however, I am having issues with sharing PHP sessions between HTTPS and HTTP.

My secure address: https://secure.domain.com
My regular address: http://domain.com

I had read some pages here on serverfault and concluded a solution myself. I would like to know if my solution is secure and practical.

My solution:
1. On a new session, save the PHP session ID, user IP, and ID (a randomly generated 6-digit number, saved to the client's computer as a cookie) to the database.
2. When the client goes to an HTTPS page, the page checks the database for a matching ID and IP address for the PHP session ID.

If you have a better solution, please share.

Thank you.

Best Answer

The problem with this solution is that any authentication data, including the session ID and random user ID, that you send over HTTP can be stolen off of the wire. See Session hijacking.

There are two viable solutions:

  1. Make the entire site HTTPS-only.

  2. Allow HTTP, but redirect the user to HTTPS before you allow them to log in. Then make any session cookies HTTPS-only, so if the user does switch back to HTTP, their session data won't be sent in the clear.
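
A sketch of the second option in PHP, added here as an illustration and not part of the original answer: the login page forces HTTPS, then issues a session cookie the browser will only send over TLS. The host name comes from the question; the helper names, the `user_id` session key, and the assumption that TLS terminates at the web server running PHP (7.3 or later, for the array form of `session_set_cookie_params`) are assumptions of this example.

```php
<?php
// Added example (hypothetical login bootstrap), not code from the original post.

const SECURE_HOST = 'secure.domain.com'; // secure host named in the question

// True when this request arrived over TLS. Assumes TLS terminates at this
// server; behind a TLS-terminating proxy, $_SERVER['HTTPS'] is not set and
// the proxy's forwarded-protocol signal would have to be trusted instead.
function request_is_https(array $server): bool
{
    return !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
}

// Build the HTTPS equivalent of the current request. The host is fixed
// rather than copied from the client-supplied Host header.
function https_url(array $server): string
{
    return 'https://' . SECURE_HOST . ($server['REQUEST_URI'] ?? '/');
}

// Step 1: never show or process the login form over plain HTTP.
if (!request_is_https($_SERVER)) {
    header('Location: ' . https_url($_SERVER), true, 302);
    exit;
}

// Step 2: mark the session cookie Secure before the session starts, so the
// browser withholds it from any later http:// request to the site.
session_set_cookie_params([
    'lifetime' => 0,      // session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,   // HTTPS-only: never sent in the clear
    'httponly' => true,   // not readable from page JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Step 3: call this once the submitted credentials have been verified.
function on_login_success(int $userId): void
{
    // Issue a fresh session ID so an ID seen before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

With the cookie marked `Secure`, pages served from `http://domain.com` see no session at all, so anything that depends on the logged-in user has to live on the HTTPS host.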