Quote:
Originally Posted by colk
I see an issue: the cookie has to be valid for both the http side and the https side, otherwise when you switch to http after logging in you will get stuck in a login loop. One way to accomplish this is to have the cookie set via http point to the https id using a secure identifier (i.e. salt, etc.). The main issue is that the cookie for http will be passed in clear text over the wire, so whatever info you put into it cannot be used to log in directly to the site if someone yanked the cookie. Also, you should look into separating your HTML and PHP using something like Smarty. (Just a suggestion; it makes the code look clean.)
I'll look into the smarty thing, I do enjoy clean code.
I think you misunderstood: there is a PHP session cookie that works over http and https and is responsible for actually being logged in; the https hash cookie (snickers to himself) is only responsible for reauthentication, which is done over https.
If there's confusing or poorly explained language in my article I would love feedback to make it more clear.
EDIT: I have added a link to my live implementation in part 1
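The two-cookie split described in the reply (a session cookie that has to travel over both http and https, and a separate reauthentication cookie that only ever travels over https), shown as an added example. This is not code from the thread author's implementation or from colk; the cookie names, lifetimes and the storage callbacks are assumptions made for the illustration.

```php
<?php
// Added example, not the article's own code. It shows the split from the
// reply: a plain session cookie (sent on both schemes, carries login state)
// and a Secure reauthentication cookie (sent by the browser only over https).
// REAUTH_COOKIE, REAUTH_LIFETIME and the $store/$lookup callbacks are assumed.

declare(strict_types=1);

const REAUTH_COOKIE   = 'reauth';       // assumed cookie name
const REAUTH_LIFETIME = 86400 * 14;     // 14 days, assumed

// The session cookie must work on http pages too, so it must NOT carry the
// Secure flag. HttpOnly keeps it away from scripts; SameSite=Lax limits
// cross-site sending. Note the trade-off colk raises: on http this cookie
// crosses the wire in clear text, so it is only as safe as the network.
function startSharedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => false,    // deliberate: http pages need the cookie
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Issue the https-only reauthentication cookie. Only a hash of the random
// token is kept server side, so a leaked table does not yield usable tokens.
// $store is an assumed callback: $store(string $hash, int $userId, int $expires).
function issueReauthCookie(int $userId, callable $store): string
{
    $token = bin2hex(random_bytes(32));                   // 256 bits of entropy
    $store(hash('sha256', $token), $userId, time() + REAUTH_LIFETIME);
    setcookie(REAUTH_COOKIE, $token, [
        'expires'  => time() + REAUTH_LIFETIME,
        'path'     => '/',
        'secure'   => true,     // browser sends this only over https
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    return $token;
}

// Reauthenticate from the cookie. Refuses to run on an http request; with
// the Secure flag the cookie would not be present there anyway.
// $lookup is an assumed callback: $lookup(string $hash) returns
// ['user_id' => int, 'expires' => int] or null when the hash is unknown.
function reauthenticate(callable $lookup): ?int
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        return null;                                      // never over http
    }
    $token = $_COOKIE[REAUTH_COOKIE] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                                      // missing or malformed
    }
    $row = $lookup(hash('sha256', $token));
    if ($row === null || $row['expires'] < time()) {
        return null;                                      // unknown or expired
    }
    session_regenerate_id(true);                          // fresh id on re-login
    $_SESSION['user_id'] = $row['user_id'];
    return $row['user_id'];
}
```

Because the reauthentication token is looked up by its hash, the database never holds anything that can be replayed, and because the cookie is Secure the token is never exposed on the http side; only the session cookie crosses http in the clear, which is exactly the exposure the quoted reply points out.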