stampede76

Reputation: 1631

HTTPS session cookie and post security with PHP

I am using https with php and have a few security questions:

+ I saw this link:

"secure" parameter in session_set_cookie_params

Does this mean that, even though the secure flag is set with a cookie, it only lets the client pass it to an HTTPS address? If the cookie contains the session_id, should I encrypt it before sending from the server and then decrypt it when receiving it?

+ When I log in to an HTTPS address from an HTTPS page, Firefox shows the plain-text password in the POST data. Is this a security risk? Also, can I put the form on a regular HTTP page without a security risk?

UPDATE: what I'm trying to do is prevent session hijacking. Should I just not send any cookies containing session_ids over HTTP? It's a Kohana script I'm working on, and it seems to start the session even if not logged in. I'm thinking of checking for HTTPS before session_start();

Upvotes: 0

Views: 416
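The session-cookie hardening the question is asking about (secure flag on the cookie, an HTTPS check before session_start(), a fresh ID at login), as an added example that is not code from the question, the answer or Kohana; it assumes PHP 7.3 or later (array form of session_set_cookie_params) and a placeholder hostname.

```php
<?php
// Added example, not from the question, the answer or Kohana. Assumes PHP >= 7.3.
const CANONICAL_HOST = 'example.com'; // placeholder: the site's real hostname

function request_is_https(): bool
{
    // PHP sets $_SERVER['HTTPS'] to 'on' (or '1') when the request was served
    // over TLS; some servers set it to 'off' for plain HTTP.
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function start_secure_session(): void
{
    if (!request_is_https()) {
        // Refuse to start (and therefore to issue a session cookie) over plain
        // HTTP, so the session ID never travels in cleartext. Redirect to a
        // configured host, not to $_SERVER['HTTP_HOST'] (attacker-controlled).
        header('Location: https://' . CANONICAL_HOST . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }

    // Accept the session ID only from the cookie (never from the URL) and
    // reject IDs the server did not generate itself.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    // The session ID is already an opaque random token, so encrypting it inside
    // the cookie adds nothing; the secure flag is what keeps it off plain HTTP.
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,     // browser sends the cookie only over HTTPS
        'httponly' => true,     // not readable from JavaScript (limits XSS theft)
        'samesite' => 'Lax',    // not sent on cross-site POSTs (limits CSRF)
    ]);

    session_start();
}

function login_user(int $userId): void
{
    // On privilege change, replace the session ID so an ID fixed or observed
    // before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_secure_session();
```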

Answers (1)

Canuteson

Reputation: 598

You can securely submit data from a form accessed via HTTP, as long as the POST action submits to an HTTPS URL.

Putting the form on an HTTPS page is a best practice for feel-good reasons for the user, because people may be skeptical of submitting secure information in a form if the page displaying the form does not show that they are connected via HTTPS.

Upvotes: 1
