
I'm using Symfony2, but this is probably just a PHP question.

  1. Based on my understanding (please correct me if I am wrong), if I set the session cookie to secure then the cookie only gets sent on secure connections. So on non-secure connections the server in fact can't remember anything based on the user's visit. I just want to confirm my understanding on this.

  2. Is it possible to have two session cookies? One for all protocols to store session data that isn't secure (e.g. isn't a user authentication/login) and the second session would be secure-only and handle the login authorisation.

    I know I could set a local cookie for the odd non-secure thing, but I'm really looking at being able to use $_SESSION twice (One for all and one for https-only).

    I feel that using secure cookie is essential for user authentication/login, but I also would like to be able to have some form of session on non-secure pages too.

  3. Does Symfony2 do anything in particular as to any of this? I know it handles sessions quite well through its in-built classes, but does it do anything particular in terms of using secure cookies?


1 Answer


For (1) - Yes, you're correct.

For (2) - you can have two separate $_SESSIONs (a secured and an unsecured one) communicate with each other by passing the SessionID in your query string (probably with some hash protection to avoid the naughty users). Some more information here: Session lost when switching from HTTP to HTTPS in PHP and Switching between HTTP and HTTPS pages with secure session-cookie.

As recommended in the threads, if possible, you can also make your life easier by considering making your page HTTPS.

For (3) - I'm not an expert in Symfony2, but from a quick look through the documentation, it doesn't have any particular tool for you to use in this case, except support for setting whether you want your cookie secured or not.

answered 2013-03-23T11:47:56.013
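The two-session setup asked about in (2), as an added example that is not part of the original question or answer: plain PHP, no Symfony2 classes. The cookie names `PUBSESSID` and `SECSESSID` and the helper `withSession()` are assumptions made for this example, and it assumes PHP 7 or later with the default file-based session handler. PHP keeps only one session open per request, so each session is opened, used, and closed in turn; the secure session is opened only when the request itself arrived over HTTPS, which is the case from (1) where the browser would not have sent the secure cookie anyway.

```php
<?php
// Added example, not code from the original question or answer.
// Two independent PHP sessions: one cookie for every connection and one
// cookie the browser sends over HTTPS only. Cookie names are assumptions.
const PUBLIC_SESSION_NAME = 'PUBSESSID';   // sent over HTTP and HTTPS
const SECURE_SESSION_NAME = 'SECSESSID';   // sent over HTTPS only

/**
 * Open the session identified by $name with the given cookie flags, run
 * $callback (which works on $_SESSION), then close the session so that a
 * different session can be opened later in the same request.
 */
function withSession(string $name, bool $secureOnly, callable $callback)
{
    // PHP allows only one active session; close any open one first.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_write_close();
    }

    // A different session name means a different cookie and a different
    // session id, so the two stores never collide even on one save path.
    session_name($name);
    // lifetime 0 = browser-session cookie; path '/'; default domain;
    // 'secure' = HTTPS-only delivery; 'httponly' = hidden from JavaScript.
    session_set_cookie_params(0, '/', '', $secureOnly, true);

    if (!session_start()) {
        throw new RuntimeException("Could not start session '$name'");
    }

    try {
        return $callback();
    } finally {
        session_write_close();   // flush and release the lock
    }
}

// Usage in a page handler.
$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// Public session: usable on every page, holds nothing security-sensitive.
$visits = withSession(PUBLIC_SESSION_NAME, false, function () {
    $_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
    return $_SESSION['visits'];
});

// Secure session: holds the login state, opened only on HTTPS requests.
// On a plain-HTTP request the browser did not send SECSESSID, so starting
// it would only create a fresh empty session and try to set a Secure
// cookie over HTTP, which current browsers reject.
$user = null;
if ($isHttps) {
    $user = withSession(SECURE_SESSION_NAME, true, function () {
        return $_SESSION['user'] ?? null;   // written by the login handler
    });
}

echo "visits={$visits} user=" . ($user ?? 'anonymous') . "\n";
```

The example deliberately keeps the two sessions independent instead of linking them through a session id in the query string: the secure session id then never appears in URLs, referrer headers, or access logs, and the non-secure session cannot be used to reach anything the login holds. The login handler should call `session_regenerate_id(true)` inside the secure session right after authenticating, so the id issued before login is not the one that carries the authenticated state.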