sessions from www.domain to https://domain not working

01-19-2008, 04:39 AM
I have a page that doesn't have wildcard SSL, so my main domain, which is www.domain.com, has to redirect to https://domain.com for secure order forms... The only problem is that I need login session data from www.domain to be readable on https://domain because it needs to show them a different order form if they're logged in than if they're not logged in. How can I do this?

01-19-2008, 07:20 AM
Er, cookies maybe?
Sorry, it's been a while and I don't have SSL configured on my home PC. But if I recall correctly, jam them up by forcing them to use cookies, which I think is a requirement for SSL usage anyway (not 100% sure on that one...). I do recall as well that session has a secure parameter on it as well, but I'm not sure if it remembers it between the different protocols. You could try changing your domain to .domain.com in your session path; that may work too.
Sorry I can't be of more help, and I may actually be completely out to lunch on this one. Best to stick around and see if anyone who has more SSL experience can point you in a better direction!

01-19-2008, 07:27 AM
From the statement of your question it is not clear if you are expecting a session to carry over from http://www.domain.com to https://domain.com or are you expecting a session to carry over between https://www.domain.com and https://domain.com.

For the first case -

Browsers maintain separate cookie stores for http and https requests and a session established in one protocol is not treated as the same session in the other protocol. Browsers do not pass session cookies between http and https requests or https and http requests.

The reason for this behavior is that any data transferred in a non-encrypted http request, including the session cookie or the session id on the end of the url, can be monitored, taken, and used to impersonate the visitor. The intention of this is to keep secure information secure. There is a way to work around this by passing the session id in the url, but this defeats the purpose of buying and using an SSL certificate.

For the second case -

You need to set the session.cookie_domain to .domain.com (including the leading dot) so that the session cookie will work for all sub-domains.
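
Added example, not part of the thread: a small JavaScript model of the browser's cookie domain check (after RFC 6265), showing why the `session.cookie_domain` value from the second case lets one session cookie reach both hosts. The function names are assumptions made for illustration, and only the Domain and Secure attributes are modelled.

```javascript
// Added example (not from the thread): model of a browser's cookie checks,
// after RFC 6265. Only Domain and Secure are modelled; paths, expiry and
// public-suffix rules are left out. All names here are assumptions.

// RFC 6265 domain-match: same host, or host ends with "." + cookie domain.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Store a cookie as set by `setByHost`. A leading dot in Domain is ignored,
// and a Domain that does not cover the setting host is rejected (null).
function storeCookie(setByHost, attrs = {}) {
  const domain = (attrs.domain || "").toLowerCase().replace(/^\./, "");
  if (domain && !domainMatches(setByHost, domain)) return null;
  return {
    domain: domain || setByHost.toLowerCase(),
    hostOnly: domain === "", // no Domain attribute: exact host only
    secure: Boolean(attrs.secure),
  };
}

// Decide whether the stored cookie is attached to a request for requestUrl.
function isSent(cookie, requestUrl) {
  const url = new URL(requestUrl);
  const host = url.hostname.toLowerCase();
  if (cookie.secure && url.protocol !== "https:") return false;
  return cookie.hostOnly ? host === cookie.domain : domainMatches(host, cookie.domain);
}

// Constructed sample: session cookies as set by https://www.domain.com,
// first without a Domain attribute, then with session.cookie_domain applied.
const hostOnly = storeCookie("www.domain.com", { secure: true });
const shared = storeCookie("www.domain.com", { domain: ".domain.com", secure: true });

// Summarise which cookie is sent to which URL.
function report() {
  const urls = ["https://www.domain.com/", "https://domain.com/order", "http://domain.com/order"];
  return urls.map((u) => ({ url: u, hostOnly: isSent(hostOnly, u), shared: isSent(shared, u) }));
}

console.log(report());
```

Without a Domain attribute the cookie stays on the exact host that set it; with `.domain.com` it is sent to the bare domain and every sub-domain, which is also why the setting widens the cookie's exposure to any other host under that domain.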

01-19-2008, 07:33 AM
Awesome, answered one of mine too!
I'm glad I nailed it down 50% on that one! Gotta keep this remembered too, or I'll end up forgetting it again >.<

01-19-2008, 04:54 PM
Yeah, it's the first case... I have to be able to know if they are logged in when they hit the SSL page so that it can show them separate order forms... So I could just pass like a "loggedin=true" in the URL and have the SSL form make them verify their login details, I suppose.