I am using https with php and have a few security questions:
+I saw this link:
"secure" parameter in session_set_cookie_params
Does this mean even though the secure flag is set with a cookie, it only lets the client pass it to a https address? If the cookie contains the session_id, should I encrypt it before sending from the server and then decrypt it when receiving it?
+When I login to a https address from a https page, firefox shows the plain text password in POST data. Is this a security risk? Also can I put the form on a regular http page without a security risk?
UPDATE: what I’m trying to do is prevent session hijacking. Should I just not send any cookies containing session_ids over http? It’s a kohana script I’m working on and it seems to start the session even if not logged in. I’m thinking of checking for https before session_start();
You can securely submit data from a form accessed via HTTP, as long as the POST action submits to an HTTPS URL.
Putting the form on an HTTPS page is a best practice for feel good reasons for the user, because people may be skeptical of submitting secure information in a form if page displaying the form does not show that they are connected via HTTPS.