Will a post from http to https hold a session

Square1

Hi all:

I will be switching to a Linux box this weekend from Windows. I am not yet able to test this on Linux as I do not have an SSL cert set up.

If I start a session on http://www.mySite.com/page1.php and then post over to https://www.mySite.com/page2.php will I lose the session on the https page?

If so, is there a php.ini setting that will keep the session alive?

Thanks!

dagon

you would need to pass the session id from page one to two in the form post\url (get) the retrieve it at the other end

page 1

form hidden input session id

page 2:

// Retrieve the session ID 
$currentSessionID = $_POST['session'];//or GET if you where not using a form but a normal link

// Set  the session ID.
session_id($currentSessionID);

// Start  session.
session_start();

.. continue as normal

Square1

Thanks dagon.

So just to confirm, session_start(); is NOT at the very top of the page in this case. I had thought that was imperative.

bradgrafelman

Square1;10998109 wrote:
So just to confirm, session_start(); is NOT at the very top of the page in this case. I had thought that was imperative.

It has never been a requirement that the call to session_start() be anywhere near the "top" or even one of the first statements in a PHP script. The only real requirement is that it comes before HTTP headers are sent (which can happen if you output anything, for example).

Square1;10998105 wrote:
If I start a session on http://www.mySite.com/page1.php and then post over to https://www.mySite.com/page2.php will I lose the session on the https page?

Sessions are never "lost" until they are deleted by the garbage collector due to inactivity. The only thing that is really "lost" is the cookie used to propagate the session ID from one page request to another.

Thus, if the PHP directive session.cookie_secure is off, then the cookie is to be sent for both HTTP and HTTPS requests.

sfullman

http://www.relatebase.com/protocol.php

click and it will redirect you to the same page but securely - sessions are protocol-independent. Word..

🙂

bradgrafelman

sfullman;10998130 wrote:
sessions are protocol-independent.

Sessions exist only on the server; I think what you mean is that cookies are protocol-independent (which is only conditionally true depending upon the value of the 'Secure' attribute).

sfullman

yes, a much better way to put it