Passing login state across http and https
I've noticed on quite a few ASP sites that when they have a 'MyAccount'
section they transfer the site to https and then when you have logged into
your account successfully and gone back to the majority of the site you move
back to http whilst still being logged in.
I've used the Session var method before to check if a user can have access
to pages, but how on earth can I keep a handle on this when I flip the user
between my standard http to my https sites (and vice versa) when this
effectively loses the Session var (and cookie values for that matter)?
If I have to post certain data between the sites then surely this causes
some kind of security breach.
Would I have to do the following:
1) On https, user enters their login and password.
2) These details are valid so I flag a session var on the https to say that
they can order stuff, look at certain pages, etc.
3) When the user clicks one of the page links back to say a Contact us
(http) page then this link must contain the username and password that they
4) Now that they are back in the http world, I do another DB query to
validate these details and set a session var in the http.
The above seems very messy for 2 reasons:
1) On the https pages I need to build the username/password into every
single visible link that goes back to the http so that I can trap what the
user is going to click on to go back.
2) The session var timeouts for the http and https are going to be out of
sync because the user might be looking at their account for say 5 mins under
https and then go back to the http.
I'm using 1 x MySQL db for my data, cart and to hold the login info.
If anybody has had this problem before and found a way round it, could you
please give me some pointers.
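
Added example, not part of the original post: steps 3 and 4 above can carry a random, single-use, short-lived token in the link instead of the username and password, with the shared database holding only its hash. The table name, function names, 30-second lifetime and the in-memory SQLite stand-in for the one MySQL db are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL = 30  # seconds a handoff token stays valid (assumed value)


def open_db():
    # In-memory SQLite stands in for the single shared MySQL db (assumption).
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE handoff ("
        "token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires REAL NOT NULL)"
    )
    return db


def _hash(token):
    # Only the hash is stored, so a leaked table row cannot be replayed as a link.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(db, user_id, now=None):
    """HTTPS side, after the login check passed: value to append to the link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, carries no credentials
    db.execute(
        "INSERT INTO handoff VALUES (?, ?, ?)",
        (_hash(token), user_id, now + TOKEN_TTL),
    )
    db.commit()
    return token


def redeem_token(db, token, now=None):
    """HTTP side: return the user_id once, or None if unknown, expired or reused."""
    now = time.time() if now is None else now
    h = _hash(token)
    row = db.execute(
        "SELECT user_id FROM handoff WHERE token_hash = ? AND expires >= ?",
        (h, now),
    ).fetchone()
    # Delete whatever was presented; rowcount == 1 means this caller consumed it.
    deleted = db.execute("DELETE FROM handoff WHERE token_hash = ?", (h,)).rowcount
    db.commit()
    return row[0] if row and deleted == 1 else None
```

The token only replaces the credentials in the link; the session cookie the http site sets after redeeming it still travels unencrypted.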