SECURITY CONCERN: When I transfer a session cookie from HTTPS to HTTP?

Discussion in 'PHP' started by MikeLugar, Mar 1, 2011.

  1. #1
    On my website I have several HTTPS pages and some HTTP pages. When a user logs in through HTTPS, a cookie is stored containing the email address etc. When a user clicks on an HTTP page of my website the cookie is lost, since the cookie was created under HTTPS. So to solve that problem I added this PHP code to my HTTP pages:

    <?php
    // Resume the existing PHP session (or create a new one) using the
    // session id the browser sends back in its session cookie
    session_start();

    $currentSessionID = session_id();

    I assume this takes the cookie that was stored for HTTPS pages and pulls it through so HTTP can see it? Is this a security flaw in any possible way? I am not sure if the cookie is actually being transferred over HTTP or if it is just pulling what the browser already stored in temp internet files?
     
    MikeLugar, Mar 1, 2011 IP
  2. #2
    I did not get a word of what you said in the last paragraph; still, from what I assume, you mean:
    a cookie is stored when a person logs in, and then once he clicks on any HTTP page, the cookie is lost? The cookie does not die. A few points you might want to consider:
    1. HTTPS encrypts each and every piece of data and then transfers it to the server, to and fro; this way it can prevent eavesdropping / data sniffing. That's it!
    2. Cookies are stored and fetched by HTTP_HOST, not protocol. High possibility that your website's HTTP links are http www but www is not 301-redirected from example.com, so www dot example dot com and example dot com seem to be 2 different pages! To crawlers and to cookie listeners!

    Let me know if this solves your issue; else, let's dig some more :) and try to be more brief.
     
    eleetgeek, Mar 5, 2011 IP
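The following is an added example, not code posted by MikeLugar or eleetgeek. It illustrates the point both posts circle around: a session cookie is scoped to the host (as #2 says), not to the scheme, so unless it carries the Secure attribute the browser will happily send it in clear text on the HTTP pages, and session_start() on those pages (the snippet in #1) will accept it. The code assumes a site where the HTTPS pages and HTTP pages share one host, and the helper names is_https() and start_secure_session() are hypothetical. The array form of session_set_cookie_params() requires PHP 7.3 or later.

```php
<?php
// Added example (not from the thread). Hypothetical helpers: is_https(),
// start_secure_session(). Assumes HTTPS and HTTP pages on the same host.

declare(strict_types=1);

// Report whether this request arrived over TLS (hypothetical helper).
function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Start the PHP session only when the cookie cannot leak in clear text.
// Returns false (without starting a session) when the page is plain HTTP.
function start_secure_session(): bool
{
    if (!is_https()) {
        // Calling session_start() here would make the browser send the
        // session id unencrypted and would set a new, unprotected cookie.
        return false;
    }

    // Secure:   the browser only sends the cookie over HTTPS, so an HTTP page
    //           on the same host never sees it (fixes the concern in #1).
    // HttpOnly: the cookie is not readable from JavaScript.
    // SameSite: the cookie is not attached to cross-site POST requests.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1'); // never take the id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue

    session_start();
    return true;
}

// Usage on any page that needs the logged-in session. Instead of pulling the
// session through to HTTP, send the visitor to the HTTPS version of the page.
if (!start_secure_session()) {
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 302);
    exit;
}

// After a successful login, issue a fresh id so a session fixated before
// login is not carried into the authenticated session.
// session_regenerate_id(true);
```

With these settings the answer to "is the cookie actually being transferred over HTTP?" becomes no: the browser withholds a Secure cookie from every http:// request, so the HTTP pages see no session at all and must redirect to HTTPS rather than resume it. Without the Secure flag, the same cookie travels in clear text on the HTTP pages, which is the exposure the original question is asking about.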