
Passing session data from https to http connection


Bigfunkychief

5:44 pm on Oct 4, 2005 (gmt 0)

10+ Year Member



Hello all,
I'm trying to do something that seems fairly common...I'd like users to sign in with username/password, and have them authenticate, load session variables, then redirect to an http (non-secure) connection. What would be the best way to do this?

It seems the session variables get lost when going from my https page to http, I'm guessing due to the url change. Thanks in advance for the help!

BFC

jatar_k

4:40 pm on Oct 6, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Welcome to WebmasterWorld Bigfunkychief,

>> due to url change

exactly, the way I have done this is to post data across, use a database to manage the sessions and then you should be able to do it

my question though

if you need https for login, why are you then sending them to a non-secure portion afterwards?

Bigfunkychief

5:01 pm on Oct 6, 2005 (gmt 0)

10+ Year Member



Thanks for the reply...

So, I want the login information (username/password) to be encrypted over SSL, but then after that, the data isn't super sensitive, so I don't need that encrypted.

Could you expand a little further on your method to write the session data to a database? I think I understand what you mean, but have no idea where to begin with something like that. I'm guessing it has to do with the SID?

Thanks!

jatar_k

5:11 pm on Oct 6, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



you use the db to manage the session ids not the session data itself.

steps could be something like

1. show login form (enc)
2. user enters data and hits submit
3. if data validates
4. show thank you for logging in page (over https). This is very important: if you do not show an encrypted page before redirecting them, browsers should show errors
5. redirect, maybe META refresh, to the http page of your choice

now step 4 and 5 would be the problem

in step 4 when we show this page we can get the session id they are now using, we can then pass this to the next page, I think we need to use GET and append to url

in step 5 we then use session_name to set the name/id of that user's session and then start it up

though that might even work without the db. Another thought with a db is

when user logs in, write a row with a unique id to a table. We don't even need to start a session on the https side. We then use that unique id in the url and when we get the http page it grabs the unique id and starts a session with the appropriate data in it and deletes the row. If it doesn't find that id in the table it can send them back to the login page.

should work
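
The database hand-off jatar_k sketches above, written out as an added example (this is not code from the thread or from WebmasterWorld). It assumes a PDO connection, a table named `login_handoff`, and function names (`issue_handoff_token`, `redeem_handoff_token`, `start_session_from_handoff`) that are hypothetical. The https side stores only a SHA-256 hash of a random 32-byte token and sends the raw token in the redirect URL; the http side redeems it once, inside a transaction, and rejects unknown, expired, or already-used tokens. Note what this does and does not buy: the token is single-use and expires in 60 seconds, which narrows the window in which a sniffed URL is useful, but the session cookie the http page then sets still travels in clear text on every later request.

```php
<?php
// Added example (not code from the thread): one-time hand-off token from an
// https login page to an http landing page, following jatar_k's outline.
// Assumes a PDO connection and a table `login_handoff`; all names are hypothetical.

declare(strict_types=1);

const HANDOFF_TTL_SECONDS = 60;

function handoff_schema(PDO $pdo): void {
    $pdo->exec('CREATE TABLE IF NOT EXISTS login_handoff (
        token_hash TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        expires_at INTEGER NOT NULL
    )');
}

// https side: called after the username/password check succeeds.
// Returns the raw token to put in the redirect URL. Only its hash is stored,
// so reading the table does not yield usable tokens.
function issue_handoff_token(PDO $pdo, int $userId): string {
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $stmt = $pdo->prepare(
        'INSERT INTO login_handoff (token_hash, user_id, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), $userId, time() + HANDOFF_TTL_SECONDS]);
    return $token;
}

// http side: exchange the token for the user id exactly once.
// Returns null if the token is malformed, unknown, expired, or already used.
function redeem_handoff_token(PDO $pdo, string $token): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $hash = hash('sha256', $token);
    $pdo->beginTransaction();
    $sel = $pdo->prepare('SELECT user_id, expires_at FROM login_handoff WHERE token_hash = ?');
    $sel->execute([$hash]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    // Delete in the same transaction. rowCount() === 0 means another request
    // consumed the row first, so a replayed token never yields a session.
    $del = $pdo->prepare('DELETE FROM login_handoff WHERE token_hash = ?');
    $del->execute([$hash]);
    $consumed = ($del->rowCount() === 1);
    $pdo->commit();
    if ($row === false || !$consumed || (int)$row['expires_at'] < time()) {
        return null;
    }
    return (int)$row['user_id'];
}

// Step 4 of the outline: the https "thank you for logging in" page, with a
// META refresh to the http landing page carrying the token in the query string.
function render_handoff_page(string $httpLandingUrl, string $token): string {
    $target = $httpLandingUrl . '?t=' . urlencode($token);
    $safe = htmlspecialchars($target, ENT_QUOTES, 'UTF-8');
    return '<!DOCTYPE html><html><head>'
         . '<meta http-equiv="refresh" content="0;url=' . $safe . '">'
         . '</head><body>Thank you for logging in. '
         . '<a href="' . $safe . '">Continue</a></body></html>';
}

// Step 5: the http landing page. Starts a fresh session only if the token redeems;
// on false the caller should send the user back to the login page.
function start_session_from_handoff(PDO $pdo, array $query): bool {
    $userId = redeem_handoff_token($pdo, (string)($query['t'] ?? ''));
    if ($userId === null) {
        return false;
    }
    session_start();
    session_regenerate_id(true);   // never keep an id that existed before login
    $_SESSION['user_id'] = $userId;
    return true;
}

// CLI self-check against an in-memory SQLite database (constructed test data).
if (PHP_SAPI === 'cli') {
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    handoff_schema($pdo);
    $t = issue_handoff_token($pdo, 42);
    assert(redeem_handoff_token($pdo, $t) === 42);                      // first use succeeds
    assert(redeem_handoff_token($pdo, $t) === null);                    // replay is refused
    assert(redeem_handoff_token($pdo, str_repeat('0', 64)) === null);   // unknown token
    echo "handoff ok\n";
}
```

Run it with `php handoff.php` (any file name) to exercise the issue/redeem/replay path; in a real deployment the first half runs in the https login script and `start_session_from_handoff` runs in the http page, both against the same database. The `expires_at` check is enforced at redemption, so a periodic `DELETE FROM login_handoff WHERE expires_at < ?` is only housekeeping, not a security control.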

dmmh

7:53 pm on Oct 6, 2005 (gmt 0)

10+ Year Member



>> in step 4 when we show this page we can get the session id they are now using, we can then pass this to the next page, I think we need to use GET and append to url

can't one just use PHP's session_id() function?

jatar_k

10:24 pm on Oct 6, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



on which side dmmh?

one doesn't have access to the id of the other as http and https are treated as different domains (though there are times they aren't of course ;)) so you need to pass the info from one to the other.

Bigfunkychief

11:45 pm on Oct 6, 2005 (gmt 0)

10+ Year Member



Does that make sense that I would want to encrypt the login information, so it's not sent in plain text? I wouldn't want someone to be able to sniff a password to get in...also, if I posted the session ID via a GET, could that be sniffed via the URL, and the session hijacked?

jatar_k

12:03 am on Oct 7, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



if you look at the db solution it doesn't actually send an id using GET

probably the better solution