Loosing Session through HTTPS

CRichardson

I am building an online CMS/e-Commerce system.

When going through the order process the user is transfered onto a secure (https🙂 server.

However, in doing so all information stored in Cookies/SESSIONS is lost?

Why is this and how can I stop it from happening?

NogDog

Are you using a shared SSL certificate? If so, then this is because with a shared certificate you actually go to a different domain, and thus the session cookie is not transferred since it is for the original domain. The solution would be to either get your own SSL ceritificate for your domain, or use a different mechanism to transfer the data to the secure section of the site. Perhaps you could include the session ID as a hidden form field which you would then grab on the secure page and then use in a [man]session_id/man command before doing your [man]session_start/man?

CRichardson

NogDog wrote:
Are you using a shared SSL certificate? If so, then this is because with a shared certificate you actually go to a different domain, and thus the session cookie is not transferred since it is for the original domain. The solution would be to either get your own SSL ceritificate for your domain, or use a different mechanism to transfer the data to the secure section of the site. Perhaps you could include the session ID as a hidden form field which you would then grab on the secure page and then use in a [man]session_id/man command before doing your [man]session_start/man?

Thank you for your quick response.

In answer to your question- no I have my own certificate on the same domain as the script.

The user logs into the system on http:// which works OK but once transfered over to https:// for the order process they are no longer logged in!

NogDog

You might try setting session.use_trans_sid to "1" in your php config, and set session.use_only_cookies to "0".

CRichardson

NogDog wrote:
You might try setting session.use_trans_sid to "1" in your php config, and set session.use_only_cookies to "0".

What will that do?

NogDog

It might cause the session ID to automatically be added to the URL or a hidden form field as applicable. I'm kind of guessing on this though, as I don't have a way to test it.

CRichardson

Anybody else any idea as to why this might be happening?