Hi folks,
I'm having a little trouble here getting my sessions working properly. I have a domain http://www.domain.ca. I got a dedicated IP and an SSL that is set up on HTTPS://domain.ca. Everything works great. The problem is with PHP sessions. When jumping back and forth from the unsecured to the secured domain, I have a new session being created (two sessions are being kept track of as the user clicks around from unsecure to secure). This is fine, and I understand why this is happening, as these are basically being thought of as two separate domains, and for security reasons this now makes a lot of sense.
I am trying to sync them. I first got my hosting provider to give me access to my php.ini file and I have one now that I can edit - great. This php.ini file controls both my HTTP://www.domain.ca and HTTPS://domain.ca, so I set therein:
session.save_path = /home/user/public_html/SESSIONS
This worked, and I can see sessions being created and destroyed in this directory, and see that there are in fact two sessions being created for a user jumping back and forth from secured to unsecured - fine (I read somewhere that this would fix my problem).
Then, I set (again, in php.ini):
session.cookie_domain = .domain.ca
For the sake of argument, I also tried domain.ca, .domain.ca/ and domain.ca/ for these values... Does PHP consider http://www.domain.ca and https://domain.ca as the same domain? Perhaps it is the lack of 'www' that is my problem. Hopefully someone can help.
As I understand, session.cookie_secure is important to check, by default cookies are not secure, and I cannot see this option in my php.ini, so I didn't worry about it much.
After these changes, I still have the sessions not being in sync. Am I missing something stupid here? I was told by someone to pass the session id through the URL, which sounds a bit ridiculous. I am using the same domain for my SSL, and have my own certificate (i.e. not jumping to a third party). There's no way I'm passing the session id through the URL in the clear.
If anyone has any ideas, please let me know.
Thanks
Shared HTTP HTTPS PHP sessions
Re: Shared HTTP HTTPS PHP sessions
Issue is resolved. HTTP://domain.ca and HTTPS://domain.ca work fine. The 'www' was the problem, I have everything else set up properly.
For anyone who says to pass the session ID around in the URL, tell them that changing two lines in the php.ini does the same job without sending a session id around online in the clear.
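Added example, not part of the thread: a small model of how a browser following RFC 6265 decides whether to send the PHP session cookie to each URL mentioned above, depending on `session.cookie_domain` and `session.cookie_secure`. The function names and the `URLS` list are hypothetical, built from the hostnames in the posts.

```python
from urllib.parse import urlsplit

# URLs taken from the thread (constructed list for this example).
URLS = ["http://www.domain.ca/", "http://domain.ca/", "https://domain.ca/"]

def domain_match(host, cookie_domain):
    """RFC 6265 5.1.3: host is the cookie domain itself or a subdomain of it."""
    return host == cookie_domain or host.endswith("." + cookie_domain)

def store_cookie(set_by_url, cookie_domain="", cookie_secure=False):
    """Model the cookie a browser stores for a Set-Cookie from set_by_url.

    cookie_domain mirrors session.cookie_domain, cookie_secure mirrors
    session.cookie_secure. Returns None if the browser would reject it.
    """
    host = urlsplit(set_by_url).hostname
    if not cookie_domain:
        # No Domain attribute: host-only cookie, exact host match required.
        return {"domain": host, "host_only": True, "secure": cookie_secure}
    domain = cookie_domain.lstrip(".").lower()  # leading dot is ignored
    if not domain_match(host, domain):
        return None  # a site may not set cookies for an unrelated domain
    return {"domain": domain, "host_only": False, "secure": cookie_secure}

def is_sent(cookie, url):
    """True if the stored cookie is attached to a request for url."""
    parts = urlsplit(url)
    if cookie["secure"] and parts.scheme != "https":
        return False  # Secure cookies never travel over plain HTTP
    if cookie["host_only"]:
        return parts.hostname == cookie["domain"]
    return domain_match(parts.hostname, cookie["domain"])

def sent_to(cookie):
    """List of the thread's URLs that would receive this cookie."""
    return [u for u in URLS if is_sent(cookie, u)]

if __name__ == "__main__":
    cases = {
        "no cookie_domain, set by www": store_cookie(URLS[0]),
        "cookie_domain=.domain.ca": store_cookie(URLS[0], ".domain.ca"),
        "cookie_domain=.domain.ca + secure":
            store_cookie(URLS[2], ".domain.ca", cookie_secure=True),
    }
    for label, cookie in cases.items():
        print(f"{label}: {sent_to(cookie)}")
```

The second case is the shared-session setup: the same session ID cookie is attached to both HTTP requests as well as the HTTPS one, while the third case shows that turning on `session.cookie_secure` confines it to HTTPS.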