
I want to limit the use of the PHPSESSID cookie to secure connections only during administrator sessions, but allow PHPSESSID on insecure connections for normal users. session_set_cookie_params needs to be called each time the script is run before calling session_start(), but I need to call session_start() first to check the session data that tells me if the user is admin or not.

I want to have pages that are only accessible through HTTPS (admin panels, logins, etc.) and the rest of the site (articles, etc.) available through normal connections for normal users and only through secure connections for administrators, so that the administrator's SID is never exposed; exposing the SID and relying only on IP, user-agent, etc. checks is not enough. Important transactions would be password protected, but it's impossible to do it with all transactions; it would be too pesky.

dhinchliff
  • possible duplicate of [Set httpOnly and secure on PHPSESSID cookie in PHP](http://stackoverflow.com/questions/6821883/set-httponly-and-secure-on-phpsessid-cookie-in-php) – Cheekysoft Jun 22 '12 at 07:47

2 Answers


In PHP you set the session.use_only_cookies and the session.cookie_secure configuration options. This can be done at runtime or in your php.ini. cookie_secure is an awful name, but it tells the client that this cookie must always be transmitted over https.

rook

An easy approach might just be to use session_name() and set the name of the session. Then, only start the "admin session" on the pages that are admin pages and HTTPS.

Brian
  • Thanks. I've been trying it; it seems to work. Some things to take into account: 1) On every run, before session_start(), you need to check if the admin session cookie is present and call session_name(admin_session_name) if so. 2) On login/logout: call session_regenerate_id(true), session_write_close(), and if the session name changes (set_session_cookie_params, unset the previous session cookie, call session_name with the new session name), finally call session_start() – dhinchliff Jun 22 '12 at 01:57
  • glad it pointed you in the right direction. Please mark the question as answered if your issue is solved. – Brian Jun 22 '12 at 17:50
  • Interesting, but not the best solution. – rook Jun 22 '12 at 23:33
  • Going over this some time later, I now notice I went this way because the docs say set_session_cookie_params needs to be called on every script run before session_start(). But the way I ended up doing it, I just call set_session_cookie_params on login/logout if the session type (normal or admin) changes, and it works. Seems there is something wrong in the docs. – dhinchliff Aug 10 '12 at 01:46
  • I still find using a different session name for admins useful. If not, after logging in as admin, requesting any standard HTTP URL gets you a new non-secure cookie that replaces the previous one, and your browser loses track of the admin session ID. I also check that I never receive the admin session cookie through a non-secure connection; it's not in vain: this way I found Firefox will incorrectly send the secure cookie over a non-secure connection if you are on an HTTPS page and you rub out the 's' and hit enter; not if you type a new URL or follow an HTTP link. No problem with other browsers. – dhinchliff Aug 10 '12 at 02:04
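The two-session-name scheme that the answer and the comments above work out, as an added example that is neither the answerer's nor the asker's code. Ordinary visitors keep the default PHPSESSID cookie, usable over plain HTTP; an administrator's session lives under a separate Secure-flagged cookie, so a plaintext request can neither carry it nor replace it with a new plain cookie, and the case the last comment describes (the admin cookie arriving over HTTP anyway) is detected and handled. The cookie name ADMINSESSID, the $_SESSION keys, the helper names and PHP 7.3+ (array forms of session_set_cookie_params() and setcookie()) are assumptions.

```php
<?php
// Added example, not code from the original question or answers.
// Cookie names, helpers and $_SESSION keys are assumptions.
declare(strict_types=1);

const USER_SESSION  = 'PHPSESSID';   // plain-HTTP-capable, for normal visitors
const ADMIN_SESSION = 'ADMINSESSID'; // Secure-only, issued after an HTTPS admin login

function request_is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function cookie_params(bool $secure): array
{
    return ['lifetime' => 0, 'path' => '/', 'domain' => '', 'secure' => $secure,
            'httponly' => true, 'samesite' => $secure ? 'Strict' : 'Lax'];
}

// Expire a cookie in the browser and forget it for the rest of this request.
function forget_cookie(string $name, bool $secure): void
{
    setcookie($name, '', ['expires' => 1, 'path' => '/', 'secure' => $secure, 'httponly' => true]);
    unset($_COOKIE[$name]);
}

// Step 1 from the comments: call this at the top of every script instead of a
// bare session_start(). The session name is chosen from the cookie the browser
// actually presented, so session_name() is decided before the session opens.
function begin_session(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    if (isset($_COOKIE[ADMIN_SESSION]) && !request_is_https()) {
        // A browser must never send a Secure cookie in the clear; if one arrives,
        // treat that ID as exposed: log it, drop it, continue as an anonymous user.
        error_log('admin session cookie received over plaintext HTTP');
        forget_cookie(ADMIN_SESSION, true);
    }

    if (isset($_COOKIE[ADMIN_SESSION])) {
        session_name(ADMIN_SESSION);
        session_set_cookie_params(cookie_params(true));
        header('Strict-Transport-Security: max-age=31536000'); // upgrade stray http:// URLs
    } else {
        session_name(USER_SESSION);
        session_set_cookie_params(cookie_params(false));
    }
    session_start();
}

// Step 2: after credentials were verified on an HTTPS page, abandon the plain
// session and open the admin one. The old ID travelled over HTTP before login
// and may be known to a network attacker, so nothing from it is carried across.
function promote_to_admin(int $admin_id): void
{
    if (!request_is_https() || session_status() !== PHP_SESSION_ACTIVE) {
        throw new RuntimeException('admin login requires an active session over HTTPS');
    }
    $_SESSION = [];
    session_destroy();                                // server-side data of the old ID
    forget_cookie(USER_SESSION, false);               // and the plain cookie in the browser

    session_name(ADMIN_SESSION);                      // legal again: no session is active
    session_set_cookie_params(cookie_params(true));
    session_start();                                  // fresh ID, sent only as a Secure cookie
    $_SESSION['admin_id'] = $admin_id;
    $_SESSION['login_at'] = time();
}

// Step 3: logout mirrors the promotion and leaves an ordinary session behind.
function demote_to_user(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE || session_name() !== ADMIN_SESSION) {
        return;
    }
    $_SESSION = [];
    session_destroy();
    forget_cookie(ADMIN_SESSION, true);

    session_name(USER_SESSION);
    session_set_cookie_params(cookie_params(false));
    session_start();
    session_regenerate_id(true); // a stale PHPSESSID picked up on an HTTP page meanwhile is not reused
}

// Usage on the HTTPS login page, once the credential check (not shown) passed:
//   begin_session();
//   promote_to_admin($admin_id);
// and on logout:
//   begin_session();
//   demote_to_user();
```

Two details matter for the failure modes the comments raise. First, session_name() and session_set_cookie_params() are called only while no session is active (before the first session_start(), or after session_destroy()), which is why the switch can be confined to login and logout. Second, the HSTS header sent with admin responses is the standard answer to the Firefox behaviour described above: once the browser has seen it, editing the URL to http:// is upgraded before any request, and therefore before any cookie, leaves the machine.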