Sessions and HTTPS

gregambrose

Posted: Tue Dec 02, 2003 12:46 pm Post subject: Sessions and HTTPS

I am using standard php sessions (session_start() and $_SESSION), and all works fine.

I now have one page that I want to use https with. When I do, I lose all session data.

I presume that this is because standard sessions use cookies, and a cookie set with one url (ie. http) won't be seen when another url with https is used.

Am I right, and if so, has anyone any suggestions on the best way to handle this situation?

PHPGuru2

Cookie works as long as you stay in under the same domain. Once you move away from the domain, then the site you move considers that you come from a different site therefore cookie doesn't work. This happens often if your website is hosted on the shared hosting server because the host usually provides you the SSL under their domain name and not yours. Moreover, session.trans_id in PHP.INI file is disabled by default from PHP 4.3, it makes session much harder to deal with.

You first have to enable session.trans_id in PHP.INI file, and then every time you move from regular HTTP state to secure HTTP state, add session_name()=session_id in the URL (or pass it on by using hidden field in the form if you are using POST method). This should transfer your session data successfully.

If you are hosting your website in the cross server environment (running multiple (mirror) servers) for load balancing purpose, then you have to write your own session management script so that you can manage session in the databse. Once you set it up right, then you are gonna have to embed session_name() and session_id() in every URL.

gregambrose

Thanks very much for that. It has given me lots to go on.

I'll try things tomorrow and post a reply here with the outcome.

gregambrose

Well I tried, and couldn't get anything going. If anyone could give me a few coding hints on how this works I would appreciate it.

Thanks,
Greg

gregambrose

With the help of people in this forum I've got it working. Below I've described how it works.

Basically I pass the session id round from page to page, instead of depending on cookies. This still uses the php standard sessions, which handles registering variable and the serialisation that is necessary. So the bits of the code are as follows

	
	if(isSet($_GET['SID']))
	{
		$sid = $_GET['SID'];
	}
	else 
	{
		$sid = "";
	}

session_start($sid);

$sid = session_id();

and on the web page

<a href="test1.php?SID=<?php echo $sid; ?>">Back</a>

The example uses GET, but of course the same mechanism would work with POST. All that matters is that session_start() has the previous sid.

If anyone needs any further information, let me know. Thanks to all who helped.