[RESOLVED] $_Session vars not saved on header() redirect - Page 2

Thread: [RESOLVED] $_Session vars not saved on header() redirect

  1. #16
    Member
    Join Date
    Jun 2012
    Posts
    70
    I too thought that might make a difference but had been told it would not.

    I would prefer not to have to keep the user on https, after signing in (shared server, ssl cert that has the host name instead of my site). There would be no pages beyond that, that would have things like passwords or other sensitive data on or about them.

    So, is it impossible to set the session vars on https, and then access them on http pages?
    Last edited by we5inelgr; 04-19-2013 at 07:11 PM.

  2. #17
    Settled 4 red convertible dalecosp's Avatar
    Join Date
    Jul 2002
    Location
    Accelerating Windows at 9.81 m/s....
    Posts
    7,708
    No, but you'll have to pass the SID to the http site from the https login. Something like:
    PHP Code:
    //https handler
    session_start();

    if (login_check($somevars)) {
        // login was successful
        $_SESSION['userid'] = $the_verified_userid;
        $mysid = session_id();
        header("location: http://somewhere/somepage.php?SID=$mysid");
    } else {
        header("location: https://somewhere/loginform.html");
    }

    and here's the top of the http site:
    PHP Code:
    <?php
    // the login redirect sends the id as "SID"; $_GET keys are case-sensitive
    if (!empty($_GET['SID'])) {
        session_id($_GET['SID']);
    }
    session_start();
    Of course, that may be a tad simplified; you'd probably want to perform some sort of checking on the variable from $_GET ...

    Note also that both the HTTPS server and the HTTP server must be sharing the same session_path or this won't work, either.
    /!!\ mysql_ is deprecated --- don't use it! Tell your hosting company you will switch if they don't upgrade! /!!!\ ereg() is deprecated --- don't use it!

    dalecosp "God doesn't play dice." --- Einstein "Perl is hardly a paragon of beautiful syntax." --- Weedpacket

    Getting Help at All --- Collected Solutions to Common Problems --- Debugging 101 --- Unanswered Posts --- OMBE: Office Machines, Business Equipment

  3. #18
    Member
    Join Date
    Jun 2012
    Posts
    70

    Question

    Thanks again for the suggestions.

    At this point, what I'm wanting to do is stay away from keeping session vars in the URL.

    I know this is pretty convoluted, but due to the nature of setting the session vars while on HTTPS (after doing authentication) and then going back to HTTP and needing access to those set session vars, I'm doing this:

    https://somesite.com/signin.html [user enters credentials. has action to dosignin.html]
    https://somesite.com/dosignin.html [with successful authentication, sets session vars and does header() redirect to midpoint.html?a=$session_id]
    http://somesite.com/midpoint.html (note: not on https anymore).

    midpoint.html code:
    PHP Code:
    if (!empty($_GET['a'])) {
        $temp_sid = $_GET['a'];
        // reject anything that is not exactly 32 lowercase alphanumeric characters
        if (strlen($temp_sid) != 32 || !preg_match('/^[a-z0-9]+$/', $temp_sid)) {
            //**** ERROR ****//
        } else {
            $temp_file = "/path/to/session_vars/sess_".$temp_sid;
            $contents_temp_file = file_get_contents($temp_file);
            // entries in the session file look like name|s:len:"value"; (string values only)
            $session_vars = explode(";", $contents_temp_file);
            $count = (count($session_vars) - 1);
            for ($i=0;$i<$count;$i++) {
                $piece1 = explode (":",$session_vars[$i],2);
                $piece2 = explode (":",$piece1[1]);
                $quoted = explode ("\"",$piece2[1]);
                $piece3[] = $quoted[1]; // the text between the double quotes
                echo "piece3: ".$piece3[$i]."<br>";
            }
        }
    } else {
        //**** ERROR ****//
    }

    //session_start();
    //session_regenerate_id();
    //$_SESSION["Var1"] = $piece3[0];
    //$_SESSION["Var2"] = $piece3[1];
    //etc

    // header(): redirect to final page on http that it and all other http pages will now have access to newly set session vars
    Clearly, this is not ideal, but given this situation...how could the part about parsing the data out of the initial session file be done more efficiently?
    PHP Code:
    $temp_file = "/path/to/session_vars/sess_".$temp_sid;
    $contents_temp_file = file_get_contents($temp_file);
    $session_vars = explode(";", $contents_temp_file);
    $count = (count($session_vars) - 1); //**** Need to subtract one ****//

    for ($i=0;$i<$count;$i++) {
        $piece1 = explode (":",$session_vars[$i],2);
        $piece2 = explode (":",$piece1[1]);
        $quoted = explode ("\"",$piece2[1]);
        $piece3[] = $quoted[1]; // the text between the double quotes
        //**** $piece3 is the final data in an array to be used for setting the new session vars.
    }


  4. #19
    Un Re Member cretaceous's Avatar
    Join Date
    Sep 2004
    Location
    London UK
    Posts
    940
    Are you certain your html is being parsed as PHP (e.g. by using an htaccess directive or apache setting)?

  5. #20
    Settled 4 red convertible dalecosp's Avatar
    Join Date
    Jul 2002
    Location
    Accelerating Windows at 9.81 m/s....
    Posts
    7,708
    Quote: Originally Posted by we5inelgr
        Thanks again for the suggestions.

        At this point, what I'm wanting to do is stay away from keeping session vars in the URL.

    There's no need to keep them, as you are probably well aware. After the "landing" on the HTTP side, you shouldn't need any session_id in the URL any longer.

    And yes, the approach seems convoluted. Is there any reason why you can't use the approach I outlined above? It certainly appears you've got both sites on the same server ("/path/to/session_vars/" and all that.)

  6. #21
    Member
    Join Date
    Jun 2012
    Posts
    70
    I finally got it working, by using a db table as a temp spot to store the session id + user id combo (& other things), then on the http (non s) site I compare the table record to the 1st session file and if matched, delete that 1st session file and then create a new one while on http and then set my vars.

    Convoluted, yes. It works.
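
The database hand-off described in post #21 can be built so that the session id itself never appears in the URL: the HTTPS login stores a random, short-lived, single-use token and only that token crosses to the HTTP page. This is an added example, not code from any poster in this thread; the table name `login_handoff`, the function names and the 30-second lifetime are assumptions, and it needs PHP 7.1+ with pdo_sqlite (an in-memory database is used so it runs from the command line).

```php
<?php
// Added example (not from the thread). Table and function names are hypothetical.

function handoff_schema(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS login_handoff (
        token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
}

// HTTPS side: call after the credentials check succeeds; the result goes in the redirect URL.
function issue_handoff_token(PDO $db, int $userId, int $ttl = 30): string {
    $token = bin2hex(random_bytes(32));   // 64 hex chars, unrelated to session_id()
    $stmt = $db->prepare('INSERT INTO login_handoff VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + $ttl]); // only the hash is stored
    return $token;
}

// HTTP side: returns the user id once; null for malformed, unknown, expired or reused tokens.
function redeem_handoff_token(PDO $db, $token): ?int {
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;
    }
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $sel = $db->prepare('SELECT user_id, expires_at FROM login_handoff WHERE token_hash = ?');
    $sel->execute([$hash]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    $del = $db->prepare('DELETE FROM login_handoff WHERE token_hash = ?');
    $del->execute([$hash]);               // single use: the row goes away even if expired
    $consumed = $del->rowCount() === 1;   // false if a concurrent request deleted it first
    $db->commit();
    if ($row === false || !$consumed || (int)$row['expires_at'] < time()) {
        return null;
    }
    return (int)$row['user_id'];
}

// Constructed demo: user 42 signs in on HTTPS, then lands on the HTTP page.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
handoff_schema($db);
$token = issue_handoff_token($db, 42);
var_dump(redeem_handoff_token($db, $token));             // first use
var_dump(redeem_handoff_token($db, $token));             // replay of the same token
var_dump(redeem_handoff_token($db, '../../etc/passwd')); // malformed input
// On a successful redeem the HTTP page would call session_start() and
// session_regenerate_id(true), then set $_SESSION['userid'] from the returned id.
```

Because the HTTP page starts its own fresh session, the HTTPS session file never has to be read or parsed, and a token copied from a URL or log is useless after its first use or its expiry.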
