01-19-2008, 03:39 AM
I have a page that doesn't have wildcard SSL, so my main domain, which is www.domain.com, has to redirect to https://domain.com for secure order forms... The only problem is that I need login session data from www.domain to be readable on https://domain because it needs to show them a different order form if they're logged in than if they're not logged in. How can I do this?
01-19-2008, 06:20 AM
Er, Cookies maybe?
Sorry I can't be of more help, and I may actually be completely out to lunch on this one. Best to stick around and see if anyone who has more SSL experience can point you in a better direction!
01-19-2008, 06:27 AM
From the statement of your question it is not clear if you are expecting a session to carry over from http://www.domain.com to https://domain.com or are you expecting a session to carry over between https://www.domain.com and https://domain.com.
For the first case -
Browsers maintain separate cookie stores for http and https requests and a session established in one protocol is not treated as the same session in the other protocol. Browsers do not pass session cookies between http and https requests or https and http requests.
The reason for this behavior is that any data transferred in a non-encrypted http request, including the session cookie or the session id on the end of the url, can be monitored, taken, and used to impersonate the visitor. The intention of this is to keep secure information secure. There is a way to work around this by passing the session id in the url, but this defeats the purpose of buying and using an SSL certificate.
For the second case -
You need to set the session.cookie_domain to .domain.com (including the leading dot) so that the session cookie will work for all sub-domains.
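Added example (not part of the post above, and not code from any poster): a simplified JavaScript model of the RFC 6265 domain-match and Secure checks, showing which requests would carry a session cookie set with and without the `.domain.com` cookie domain from the second case. The function names (`storeCookie`, `domainMatch`, `isSent`, `demo`) and the sample cookies are constructed for illustration; paths, expiry, SameSite and public-suffix rules are left out.

```javascript
// Added example: simplified model of RFC 6265 cookie matching (Domain + Secure only).
// All function names here are hypothetical helpers, not a browser or PHP API.

// RFC 6265 section 5.1.3: identical, or host ends with "." + cookie domain.
function domainMatch(host, cookieDomain) {
  const h = host.toLowerCase();
  return h === cookieDomain || h.endsWith("." + cookieDomain);
}

// Build a stored cookie from the host that set it and its attributes.
function storeCookie(setByHost, { name, domain = null, secure = false }) {
  if (domain === null) {
    // No Domain attribute: host-only cookie, returned to the exact host only.
    return { name, domain: setByHost.toLowerCase(), hostOnly: true, secure };
  }
  // RFC 6265 ignores a leading dot: ".domain.com" and "domain.com" store the same.
  const d = domain.replace(/^\./, "").toLowerCase();
  // A host may only set a cookie for itself or one of its parent domains.
  if (!domainMatch(setByHost, d)) return null;
  return { name, domain: d, hostOnly: false, secure };
}

// Would the browser attach this cookie to a request for `url`?
function isSent(cookie, url) {
  const { protocol, hostname } = new URL(url);
  if (cookie.secure && protocol !== "https:") return false; // Secure: HTTPS only
  return cookie.hostOnly
    ? hostname === cookie.domain
    : domainMatch(hostname, cookie.domain);
}

// Constructed sample cookies; PHPSESSID is PHP's default session cookie name.
const hostOnly = storeCookie("www.domain.com", { name: "PHPSESSID" });
const shared = storeCookie("www.domain.com", {
  name: "PHPSESSID", domain: ".domain.com", secure: true,
});

function demo() {
  return {
    hostOnlyToApex: isSent(hostOnly, "https://domain.com/order"), // false
    sharedToApex: isSent(shared, "https://domain.com/order"),     // true
    sharedToWww: isSent(shared, "https://www.domain.com/"),       // true
    sharedOverHttp: isSent(shared, "http://www.domain.com/"),     // false
  };
}
console.log(demo());
```

With the Secure attribute set, the shared session cookie is never attached to a plain http request, so the session id is not exposed to the monitoring risk described above.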
01-19-2008, 06:33 AM
Awesome, answered one of mine too!
I'm glad I nailed it down 50% on that one! Gotta keep this remembered too, or I'll end up forgetting it again >.<
01-19-2008, 03:54 PM
Yeah, it's the first case... I have to be able to know if they are logged in when they hit the SSL page so that it can show them separate order forms... so I could just pass like a "loggedin=true" in the URL and have the SSL form make them verify their login details, I suppose.