
Sessions with SSL?

Posted: Sat Aug 05, 2006 12:23 pm
by WorldCom
I've tried to search for Session Help on this and can't really find what I'm looking for.

I have a fully working site, log in, members area, sessions etc.
We are moving the site to a new server and the temporary site is on a secured page.

Now, the session variables are not pulled into the members page.
To check the session variables were being set properly, I used:

Code:

print_r($_SESSION);
To list the variables at the login page, then exit();
They are all set properly.

On the members page:

Code:

print_r($_SESSION);
// Stop here unless both session values are present
if (!isset($_SESSION['username']) || !isset($_SESSION['password'])) {
	mysql_close();
	exit();
}
This is where the script exits(). Well it normally redirects back to the index page as if you're not logged in, but I took that out so I could see the Arrays. The output is simply Array(). So with my other tests, it seems the session variables are not being carried forward. Is there something more I need for SSL pages?

Posted: Sat Aug 05, 2006 1:52 pm
by alex.barylski
Session IDs are stored in cookies

http://ca3.php.net/manual/en/ref.sessio ... kie-secure

You possibly need to change the value so cookies are sent over SSL

Cheers :)

Posted: Sat Aug 05, 2006 2:39 pm
by WorldCom
I assume you mean this command:

Code:

ini_set('session.cookie_secure', 1);
I'm just not sure where to put it. I tried it in my login.php page before session_start(), didn't work.

Now, I also have a header page which I tried ...... same thing.
Question: Do I need it in every page similar to before the session_start() command?

Thanks for any help
Still learning here ;)

Posted: Sat Aug 05, 2006 2:56 pm
by Ollie Saunders
try:

Code:

ini_set('session.cookie_secure', 'On');
However this may not address the problem as not all configuration values can be ini_set(). I can't seem to find any documentation on which can and which can't :(

Posted: Sat Aug 05, 2006 3:08 pm
by alex.barylski
Try: http://ca3.php.net/manual/en/function.s ... params.php

You would need to call it before session_start() from what I remember...

Posted: Sat Aug 05, 2006 5:40 pm
by WorldCom
Well thanks for all the help ........ this is kinda funny because I can no longer recreate the problem .... my site has just propagated through so there is no longer a secure page there.

Works fine now :)

Posted: Sat Aug 05, 2006 5:43 pm
by Chris Corbyn
ole wrote:
However this may not address the problem as not all configuration values can be ini_set(). I can't seem to find any documentation on which can and which can't :(
PHP Manual Page for ini_set() wrote:
Not all the available options can be changed using ini_set(). There is a list of all available options in the appendix.
http://uk2.php.net/manual/en/ini.php#ini.list

Posted: Sat Aug 05, 2006 6:17 pm
by Ollie Saunders
...doesn't say which can be ini_set() and which can't.

Posted: Sat Aug 05, 2006 6:23 pm
by Chris Corbyn
ole wrote:
...doesn't say which can be ini_set() and which can't.
PHP_INI_ALL can be set with ini_set() the others cannot.

Posted: Sat Aug 05, 2006 6:25 pm
by Weirdan
..doesn't say which can be ini_set() and which can't.
if I understand the meaning of constants properly, with ini_set you can set all options except those marked as PHP_INI_SYSTEM

Posted: Sat Aug 05, 2006 6:39 pm
by Chris Corbyn
Weirdan wrote:
..doesn't say which can be ini_set() and which can't.
if I understand the meaning of constants properly, with ini_set you can set all options except those marked as PHP_INI_SYSTEM
I'm not so sure.... PHP_INI_PERDIR doesn't seem to be ini_set() settable. For example, auto_prepend_file falls into this group and how can you auto_prepend a file if you're already in the script? :)

Posted: Sat Aug 05, 2006 6:41 pm
by Ollie Saunders
d11wtq wrote:
PHP_INI_ALL can be set with ini_set() the others cannot.
Oooooh. Thanks for pointing that out to me d11wtq xD

Posted: Sat Aug 05, 2006 6:48 pm
by volka
http://de2.php.net/manual/en/ini.php wrote:
Table G-2. Definition of PHP_INI_* constants
Constant        Value  Meaning
PHP_INI_USER    1      Entry can be set in user scripts or in Windows registry
PHP_INI_PERDIR  2      Entry can be set in php.ini, .htaccess or httpd.conf
PHP_INI_SYSTEM  4      Entry can be set in php.ini or httpd.conf
PHP_INI_ALL     7      Entry can be set anywhere
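
Added example, not code from any poster in this thread: it ties together the two points discussed above, that the cookie settings must be applied before session_start(), and that ini_set() only works on directives whose access level includes the user bit. The function names are hypothetical; it assumes PHP 7.1 or later and that TLS terminates on the web server itself, so $_SERVER['HTTPS'] can be trusted.

```php
<?php
// Added example; function names are hypothetical, not from the thread.

// ini_set() works only when the directive's access mask includes INI_USER
// (1 in the table above). INI_ALL (7) includes it; PERDIR and SYSTEM do not.
function runtime_settable(string $directive): bool
{
    $all = ini_get_all(); // details mode: each entry has an 'access' bitmask
    return isset($all[$directive])
        && ($all[$directive]['access'] & INI_USER) !== 0;
}

// Assumption: TLS terminates at this server, so $_SERVER['HTTPS'] is reliable.
function request_is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function start_secure_session(): void
{
    // The session cookie is a header: settings must precede any output
    // and session_start(), on every page that starts the session.
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already sent at $file:$line");
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        throw new RuntimeException('Session already active');
    }
    // A Secure cookie is never sent over plain HTTP, so $_SESSION would
    // come back empty there; fail loudly instead.
    if (!request_is_https()) {
        throw new RuntimeException('Secure session requested over plain HTTP');
    }
    foreach (['session.cookie_secure', 'session.cookie_httponly'] as $name) {
        if (!runtime_settable($name) || ini_set($name, '1') === false) {
            throw new RuntimeException("Cannot set $name at runtime");
        }
    }
    session_start();
}

if (PHP_SAPI === 'cli') {
    // Offline check: print which directives ini_set() may change.
    foreach (['session.cookie_secure', 'auto_prepend_file'] as $name) {
        printf("%-24s %s\n", $name, runtime_settable($name) ? 'ini_set() ok' : 'not settable with ini_set()');
    }
} else {
    start_secure_session();
}
```

Run from the command line it only prints the access check; included at the top of a page served over HTTPS it starts the session with the Secure and HttpOnly cookie flags set.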

Posted: Sun Aug 06, 2006 5:57 am
by bokehman
If you are switching to and from http and https or switching domains you will need to carry the session id over using the get method.