I am having some problems understanding what I need to do to safely deal with variables being passed between http and https sections of a site I am working on. Both areas are on the same server. I understand that the session variables will NOT pass between the two areas for obvious reasons.
What I am currently doing is logging the user into the site on a non-secure form. Once this is done correctly, a number of session variables are created, and the user can navigate round the site based on these session variables. They can also click a link to edit their details, etc. The session variables, for example, are first name and email address. So it always says at the top of all pages "Hello Bob". Since the email address is the unique part of a user's details, that is also kept in a session variable.
I have also changed this to work in a https environment, but then I can't see these session variables in the non-secure area.
What I want to do is to make the login and the edit-personal-details session be done in the secure https environment. The session data, however, is different from the non-secure http area, so the session data is lost when moving between each area. I still want to be able to keep track of the user while in this non-secure area and allow them to keep using the same session data.
How do I move between the two states? What is the generally accepted safe way of doing this?
I don't really want to use cookies to do this. I know I could store the session data in a database, but there would still be some kind of randomly generated variable put in the database as an alternative to the session id, and I am still at a loss as to how to identify the user when moving between http and https.
Thanks for any help and advice.