Posted by agentrickard on February 12, 2009 at 6:53pm
| Project: | Secure Pages Hijack Prevention |
| Version: | 6.x-1.1 |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | postponed (maintainer needs more info) |
Issue Summary
This seems to offer no added benefit for anonymous users, since all the setting and checking is done against logged-in users.
What about anonymous users who are able to use shopping carts, et al.?
Comments
#1
Interesting idea. It might be possible; I think the approach would be to regenerate the session the first time an SSL page is visited. That way the old session becomes invalid, and the new session is protected.
#2
Or simply set a cookie on first visit for all users (using hook_boot()), and reset that cookie if people log in. The issue is that the cookie setting only happens during hook_user($op == 'login');
#3
I thought about that, but I was worried that would create an endless loop for user agents that refuse the cookie, because you'd need to redirect to an SSL page to regenerate the session and set the secure cookie.
#4
I just ran into that issue, actually, and for those users ended up setting a pseudo-global in a static variable.
But for users who don't accept cookies, session tokens are meaningless anyway...
To avoid the endless loop, you can also check for isset($_COOKIE[session_name()]), and if it fails, skip your routine (or exit to a message telling people they must have cookies enabled).
#5
Subscribe.
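As an added illustration (not code from the Secure Pages Hijack Prevention module or from any of the commenters above), one way to combine the ideas in comments #1, #2 and #4 for anonymous users in a Drupal 6 hook_boot() implementation. The module name `anonsecure` and the marker cookie name `anonsecure_ssl` are assumptions made for this example.

```php
<?php
// Hypothetical module "anonsecure" (name assumed for this example).
// hook_boot() runs on every request, including cached anonymous pages,
// after the session has been started, so it also covers anonymous users.
function anonsecure_boot() {
  $marker = 'anonsecure_ssl';  // assumed marker cookie name
  $is_ssl = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) != 'off';

  // Loop guard from comment #4: a client that refuses cookies never sends a
  // session cookie back, so redirecting it to SSL to set one would loop
  // forever. Skip the routine for such clients. (A brand-new visitor also
  // lacks the cookie on the very first request and is handled on the next.)
  if (!isset($_COOKIE[session_name()])) {
    return;
  }

  // Session already regenerated under SSL and marked: nothing to do.
  if (!empty($_COOKIE[$marker])) {
    return;
  }

  if (!$is_ssl) {
    // First contact over plain HTTP: send the client to the SSL copy of the
    // same path so the session can be regenerated there (comment #1).
    // drupal_goto() is not available this early in bootstrap, hence header().
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], TRUE, 302);
    exit;
  }

  // First SSL visit: discard the old session id, which may have been observed
  // in plaintext, so a sniffed cookie no longer maps to this session. Then mark
  // the new session with a Secure, HttpOnly cookie that never crosses HTTP.
  session_regenerate_id(TRUE);
  setcookie($marker, '1', 0, '/', '', TRUE, TRUE);
  $_COOKIE[$marker] = '1';
}

// Comment #2: Drupal 6 issues a new session id on login, so the marker must be
// reissued for that new session rather than left tied to the anonymous one.
function anonsecure_user($op, &$edit, &$account) {
  if ($op == 'login' && !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) != 'off') {
    setcookie('anonsecure_ssl', '1', 0, '/', '', TRUE, TRUE);
  }
}
```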