  1. #1
    Regular Coder
    Join Date
    Oct 2003
    Posts
    603
    Thanks
    2
    Thanked 1 Time in 1 Post

    sessions from www.domain to https://domain not working

    I have a page that doesn't have wildcard SSL, so my main domain, which is www.domain.com, has to redirect to https://domain.com for secure order forms.... The only problem is that I need login session data from www.domain to be readable on https://domain because it needs to show them a different order form if they're logged in than if they're not logged in. How can I do this?

  • #2
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Er, Cookies maybe?
    Sorry, it's been a while and I don't have SSL configured on my home PC. But if I recall correctly, jam them up by forcing them to use cookies, which I think is a requirement for SSL usage anyway (not 100% sure on that one...). I do recall as well that session has a secure parameter on it as well, but I'm not sure if it remembers it between the different protocols. You could try changing your domain to .domain.com in your session path; that may work too.
    Sorry I can't be of more help, and I may actually be completely out to lunch on this one. Best to stick around and see if anyone who has more SSL experience can point you in a better direction!
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #3
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,026
    Thanks
    2
    Thanked 315 Times in 307 Posts
    From the statement of your question it is not clear if you are expecting a session to carry over from http://www.domain.com to https://domain.com or are you expecting a session to carry over between https://www.domain.com and https://domain.com.

    For the first case -

    Browsers maintain separate cookie stores for http and https requests and a session established in one protocol is not treated as the same session in the other protocol. Browsers do not pass session cookies between http and https requests or https and http requests.

    The reason for this behavior is that any data transferred in a non-encrypted http request, including the session cookie or the session id on the end of the url, can be monitored, taken, and used to impersonate the visitor. The intention of this is to keep secure information secure. There is a way to work around this by passing the session id in the url, but this defeats the purpose of buying and using an SSL certificate.

    For the second case -

    You need to set the session.cookie_domain to .domain.com (including the leading dot) so that the session cookie will work for all sub-domains.
    Last edited by CFMaBiSmAd; 01-19-2008 at 06:47 AM. Reason: fixed words
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
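
How a browser decides whether to return a session cookie to the hosts discussed in this thread, as an added example that is not part of any post. It models only the RFC 6265 Domain and Secure checks (path, expiry, SameSite and public-suffix rules are left out); the function names and sample URLs are assumptions, and PHPSESSID is PHP's default session cookie name.

```javascript
// Added example: RFC 6265 Domain-attribute and Secure-flag matching only.

// True when `host` equals `domain` or is a subdomain of it.
function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Build the stored cookie as a browser would after a Set-Cookie response
// from `setByHost`. Returns null when the browser would reject the cookie.
function storeCookie(name, setByHost, attrs = {}) {
  const host = setByHost.toLowerCase();
  if (!attrs.domain) {
    // No Domain attribute: host-only cookie, returned to this exact host.
    return { name, domain: host, hostOnly: true, secure: !!attrs.secure };
  }
  // A leading dot in the Domain attribute is ignored.
  const domain = attrs.domain.toLowerCase().replace(/^\./, '');
  // A host may only set cookies for a domain it belongs to.
  if (!domainMatch(host, domain)) return null;
  return { name, domain, hostOnly: false, secure: !!attrs.secure };
}

// Would the browser attach `cookie` to a request for `url`?
function cookieIsSent(cookie, url) {
  const u = new URL(url);
  const host = u.hostname.toLowerCase();
  const hostOk = cookie.hostOnly
    ? host === cookie.domain
    : domainMatch(host, cookie.domain);
  const schemeOk = !cookie.secure || u.protocol === 'https:';
  return hostOk && schemeOk;
}

// Constructed sample: session cookies set by www.domain.com, three ways.
const urls = ['http://www.domain.com/', 'https://www.domain.com/', 'https://domain.com/order'];
const cookies = {
  hostOnly: storeCookie('PHPSESSID', 'www.domain.com'),
  domainWide: storeCookie('PHPSESSID', 'www.domain.com', { domain: '.domain.com' }),
  domainWideSecure: storeCookie('PHPSESSID', 'www.domain.com', { domain: '.domain.com', secure: true }),
};

// One row per cookie variant, one boolean per URL in `urls`.
function matrix() {
  const rows = {};
  for (const [label, c] of Object.entries(cookies)) rows[label] = urls.map((u) => cookieIsSent(c, u));
  return rows;
}

console.table(matrix());
```

The `domainWide` row corresponds to setting session.cookie_domain to .domain.com; the `domainWideSecure` row adds the Secure flag, which keeps the session id off plain http requests.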

  • #4
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Awesome, answered one of mine too!
    I'm glad I nailed it down 50% on that one! Gotta keep this remembered too, or I'll end up forgetting it again >.<
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #5
    Regular Coder
    Join Date
    Oct 2003
    Posts
    603
    Thanks
    2
    Thanked 1 Time in 1 Post
    Yeah, it's the first case... I have to be able to know if they are logged in when they hit the SSL page so that it can show them separate order forms... so I could just pass like a "loggedin=true" in the URL and have the SSL form make them verify their login details, I suppose.

    thanks

