HTTP HTTPS Session questions with PHP



arnb
10-17-2007, 07:22 PM
My Bluehost site is set up with a dedicated IP address, Rapid SSL certificate, PHP 5 and FastCGI is set on.

When switching between HTTP and HTTPS I was under the impression the Session Data was independent for each protocol. However, while testing what I thought was incomplete code, I've discovered this is not true on my site.

In other words, when I go from HTTP (request login) to HTTPS (do login and set SESSION variables) then back to HTTP (maintain data), the session variables set in HTTPS are usable in HTTP and I get the exact same session id with both protocols without any code to preserve the $_SESSION data between protocols. While this may make my coding easier, it gives me a sense that something is wrong and I have a security risk. Can anyone confirm this is the way it's supposed to work?

Additionally the PHP.ini file says the session files are in the /TMP directory, however I can't find any session data. Anyone know where to look?

Thank you

felgall
10-17-2007, 08:23 PM
You don't get access to the /tmp folder as it is shared between all the sites on the server. If you want the session files where you can access them you will have to override the default location to put them somewhere within your own account.

arnb
10-17-2007, 08:39 PM
Thank you for the quick reply. I thought it was the /tmp folder in my home directory. Now I understand why I can't see them.

Any idea on the same $_SESSION data in HTTP and HTTPS?

felgall
10-18-2007, 12:43 AM
I haven't set up any https pages yet so I don't know for certain, but since the addresses need to be fully qualified and have a different value on the front, I would not expect the sessions to be able to pass from one to the other.
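
Added example, not part of the thread or any poster's code: PHP's session cookie is scoped by host and path, not by scheme, so unless it carries the Secure flag the browser sends the same session ID over both HTTP and HTTPS, which matches what arnb observed. The sketch below moves session files into the account and keeps the login session on a Secure-only cookie; the directory, the cookie names and the `mark_logged_in()` helper are assumptions made for illustration.

```php
<?php
// Added example. Directory, cookie names and helper names are hypothetical.

function is_https_request() {
    // True when this request arrived over TLS.
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function start_scoped_session() {
    // Store session files inside the account rather than the shared /tmp.
    // Assumed location: a private directory one level above the web root.
    $saveDir = dirname(__DIR__) . '/php_sessions';
    if (!is_dir($saveDir) && !mkdir($saveDir, 0700, true)) {
        throw new RuntimeException('cannot create session directory');
    }
    session_save_path($saveDir);
    ini_set('session.use_only_cookies', '1'); // never accept IDs from the URL

    if (is_https_request()) {
        // Separate cookie, Secure (4th argument) and HttpOnly (5th):
        // the browser never attaches it to a plain-HTTP request.
        session_name('SECURESESSID');
        session_set_cookie_params(0, '/', '', true, true);
    } else {
        // Plain-HTTP pages get their own session; keep nothing sensitive in it.
        session_name('PUBLICSESSID');
        session_set_cookie_params(0, '/', '', false, true);
    }
    session_start();
}

function mark_logged_in($userId) {
    // Authentication state is written only to the HTTPS-only session.
    if (!is_https_request()) {
        throw new RuntimeException('login must happen over HTTPS');
    }
    // Issue a fresh ID at login so an ID seen before authentication
    // is not carried into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

start_scoped_session();
```

With this split, HTTP pages can no longer read `$_SESSION['user_id']`, so any page that needs the logged-in state has to be served over HTTPS.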