Page 1 of 1
Sessions with SSL?
Posted: Sat Aug 05, 2006 12:23 pm
by WorldCom
I've tried to search for Session Help on this and can't really find what I'm looking for.
I have a fully working site, log in, members area, sessions etc.
We are moving the site to a new server and the temporary site is on a secured page.
Now, the session variables are not pulled into the members page.
To check the session variables where being set properly.
I used :
To list the variables at the login page, then exit();
They are all set properly.
On the members page:
Code: Select all
print_r($_SESSION);
if(!isset($_SESSION['username']) | !isset($_SESSION['password'])) {
mysql_close();
exit();
}
This is where the script exits(). Well it normally redirects back to the index page as if you're not logged in, but I took that out so I could see the Arrays. The output is simply Array(). So with my other tests, it seems the session variables are not being carried forward. Is there something more I need for SSL pages?
Posted: Sat Aug 05, 2006 1:52 pm
by alex.barylski
Session ID's are stored in cookie's
http://ca3.php.net/manual/en/ref.sessio ... kie-secure
You possibly need to change the value so cookies are sent over SSL
Cheers

Posted: Sat Aug 05, 2006 2:39 pm
by WorldCom
I assume you mean this command:
Code: Select all
ini_set('session.cookie_secure', 1);
I'm just not sure where to put it. I tried it in my login.php page before session_start(), didn't work.
Now, I also have a header page which I tried ...... same thing.
Question: Do I need it in every page similar to before the session_start() command?
Thanks for any help
Still learning here

Posted: Sat Aug 05, 2006 2:56 pm
by Ollie Saunders
try:
Code: Select all
ini_set('session.cookie_secure', 'On');
However this may not address the problem as not all configuration values can be ini_set(). I can't seem to find any documentation on which can and which can't

Posted: Sat Aug 05, 2006 3:08 pm
by alex.barylski
Try:
http://ca3.php.net/manual/en/function.s ... params.php
You would need to call it before session_start() from what I remember...
Posted: Sat Aug 05, 2006 5:40 pm
by WorldCom
Well thanks for all the help ........ this is kinda funny because I can no longer recreate the problem .... my site has just propegated through so there is no longer a secure page there.
Works fine now

Posted: Sat Aug 05, 2006 5:43 pm
by Chris Corbyn
ole wrote:However this may not address the problem as not all configuration values can be ini_set(). I can't seem to find any documentation on which can and which can't

PHP Manual Page for ini_set() wrote:Not all the available options can be changed using ini_set(). There is a list of all available options in the appendix.
http://uk2.php.net/manual/en/ini.php#ini.list
Posted: Sat Aug 05, 2006 6:17 pm
by Ollie Saunders
...doesn't say which can be ini_set() and which can't.
Posted: Sat Aug 05, 2006 6:23 pm
by Chris Corbyn
ole wrote:
...doesn't say which can be ini_set() and which can't.
PHP_INI_ALL can be set with ini_set() the others cannot.
Posted: Sat Aug 05, 2006 6:25 pm
by Weirdan
..doesn't say which can be ini_set() and which can't.
if I understand the meaning of constants properly, with ini_set you can set all options except those marked as PHP_INI_SYSTEM
Posted: Sat Aug 05, 2006 6:39 pm
by Chris Corbyn
Weirdan wrote:..doesn't say which can be ini_set() and which can't.
if I understand the meaning of constants properly, with ini_set you can set all options except those marked as PHP_INI_SYSTEM
I'm not so sure.... PHP_INI_PERDIR doesn't seem to be ini_set() settable. For example, auto_prepend_file falls into this group and how can you auto_prepend a file if you're already in the script?

Posted: Sat Aug 05, 2006 6:41 pm
by Ollie Saunders
d11wtq wrote:PHP_INI_ALL can be set with ini_set() the others cannot.
Oooooh. Thanks for pointing that out to me d11wtq
xD
Posted: Sat Aug 05, 2006 6:48 pm
by volka
http://de2.php.net/manual/en/ini.php wrote:Table G-2. Definition of PHP_INI_* constants
Constant Value Meaning
PHP_INI_USER 1 Entry can be set in user scripts or in Windows registry
PHP_INI_PERDIR 2 Entry can be set in php.ini, .htaccess or httpd.conf
PHP_INI_SYSTEM 4 Entry can be set in php.ini or httpd.conf
PHP_INI_ALL 7 Entry can be set anywhere
Posted: Sun Aug 06, 2006 5:57 am
by bokehman
If you are switching to and from http and https or switching domains you will need to carry the session id over using the get method.