How to limit PHPSESSID cookie to https?

Question

I want to limit the use of phpsessid cookie only for secure connections during administrator sessions, but allow phpsessid on unsecure connections for normal users. session_set_cookie_params needs to be called each time the script is run before calling session_start(), but i need to call session_start() first to check the session data that tells me if the user is admin or not.

I want to have pages that are only accessible through https (admin panels, logins, etc) and the rest of the site (articles, etc) available through normal connections for normal users and only through secure connections for administrators. So that the administrator's sid is never exposed; exposing the sid and relying only on IP,user-agent,etc checks is not enough. Important transactions would be password protected but it's impossible to it with all transactions, would be to pesky.

Answer 1

In PHP you set the session.use_only_cookies and the session.cookie_secure configuration options. This can be done at runtime or in your php.ini. cookie_secure is an awful name, but it tells the client that this cookie must always be transmitted over https.

Answer 2

An easy approach might just be to use session_name() and set the name of the session. Then, only start the "admin session" on the pages that are admin pages and HTTPS.