I'm building an e-commerce site which uses sessions to
hold my $cart object.  This works great but I've two worries:

1) When the user connects through our secure hostname, can I ensure
the browser will send the server the cookie (w/ SESSID)?  The user
will shop through domain.com and checkout via https:secure.domain.com.
(haven't got cert yet)

2) While the user shops the SESSID is thrown around insecurely (no big
deal, just a cart).  But when I move the user to a secure server to
get sensitive info a resourceful hacker could also go to the checkout
script using this SESSID and 'confirm' the real user's personal
details (kept in another registered session object).

If I can't keep the user's details in the old session, can I delete
the old session and copy the cart to a new session?  Should I do this
anytime the user goes back to the insecure site and returns to finish
checking out?

As an alternative, would there be any problems with keeping the IP of
the user in a session variable for further authentication?  I assume
I'd record the IP immediately upon checking in at the secure server
then enforcing this per request.  That way, worst case scenario the
hackers gets a SESSID and heads to checkout first, server restricts
real user from accessing (because of different IP).

This is my first time coding for a secure server and my first post
here as well..

[EMAIL PROTECTED] ** http://mrclay.org

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to