Shared HTTP HTTPS PHP sessions
Posted: Thu May 07, 2009 4:27 pm
Hi folks,
I'm having a little trouble here getting my sessions working properly. I have a domain http://www.domain.ca. I got a dedicated IP and an SSL that is set up on HTTPS://domain.ca. Everything works great. The problem is with PHP sessions. When jumping back and forth from the unsecured to the secured domain, I have a new session being created (two sessions are being kept track of as the user clicks around from unsecure to secure). This is fine, and I understand why this is happening, as these are basically being thought of as two separate domains, and for security reasons this now makes a lot of sense.
I am trying to sync them. I first got my hosting provider to give me access to my php.ini file and I have one now that I can edit - great. This php.ini file controls both my HTTP://www.domain.ca and HTTPS://domain.ca, so I set therein:
session.save_path = /home/user/public_html/SESSIONS
This worked, and I can see sessions being created and destroyed in this directory, and see that there are in fact two sessions being created for a user jumping back and forth from secured to unsecured - fine (I read somewhere that this would fix my problem).
Then, I set (again, in php.ini):
session.cookie_domain = .domain.ca
For the sake of argument, I also tried domain.ca, .domain.ca/ and domain.ca/ for these values... does PHP consider http://www.domain.ca and https://domain.ca as the same domain? Perhaps it is the lack of 'www' that is my problem. Hopefully someone can help.
As I understand, session.cookie_secure is important to check, by default cookies are not secure, and I cannot see this option in my php.ini, so I didn't worry about it much.
After these changes, I still have the sessions not being in synch. Am I missing something stupid here? I was told by someone to pass the session id through the URL, which sounds a bit ridiculous. I am using the same domain for my SSL, and have my own certificate (i.e. not jumping to a third party). There's no way I'm passing the session id through the URL in the clear.
If anyone has any ideas, please let me know.
Thanks
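As an added illustration (not from the thread or from PHP itself), the following Python models the browser-side rules that decide whether one PHPSESSID cookie reaches both http://www.domain.ca and https://domain.ca: RFC 6265 domain matching plus the Secure flag. The two URLs and the mapping of session.cookie_domain and session.cookie_secure onto the cookie's Domain and Secure attributes are assumptions made for the example.

```python
from urllib.parse import urlsplit


def canonical_domain(attr: str) -> str:
    """Normalise a cookie Domain attribute as RFC 6265 section 5.2.3 does:
    lowercase it and drop a single leading dot.  Values that cannot be a
    host name (a trailing '/', for instance) become '' and never match."""
    attr = attr.strip().lower()
    if attr.startswith("."):
        attr = attr[1:]
    if not attr or any(c in attr for c in "/:\\ "):
        return ""
    return attr


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3 domain-match (IP-literal hosts are not modelled)."""
    host = host.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def cookie_reaches(domain_attr: str, secure: bool, set_from: str, request_url: str) -> bool:
    """Would a cookie issued by host set_from with these attributes be stored
    by the browser and attached to a later request for request_url?
    The scheme matters only through the Secure flag; the rest is domain matching."""
    req = urlsplit(request_url)
    host = (req.hostname or "").lower()
    if secure and req.scheme != "https":
        return False                          # Secure cookies never go over plain http
    if not domain_attr:                       # empty Domain (PHP default): host-only cookie
        return host == set_from.lower()
    dom = canonical_domain(domain_attr)
    # A browser drops a cookie whose Domain attribute does not cover the host
    # that set it (RFC 6265 section 5.3 step 6), so both ends must match.
    return domain_matches(set_from, dom) and domain_matches(host, dom)


# Constructed scenario: the two origins from the question, as the browser sees them.
SITES = {"http://www.domain.ca/": "www.domain.ca", "https://domain.ca/": "domain.ca"}


def session_is_shared(domain_attr: str, secure: bool) -> bool:
    """Apply a php.ini pair (session.cookie_domain -> Domain attribute,
    session.cookie_secure -> Secure flag) to both sites: one PHPSESSID is shared
    only if, whichever site issues it first, it also reaches the other site."""
    return all(cookie_reaches(domain_attr, secure, setter, url)
               for setter in SITES.values() for url in SITES)


if __name__ == "__main__":
    for attr, sec in [("", False), (".domain.ca", False), (".domain.ca/", False), (".domain.ca", True)]:
        print(f"cookie_domain={attr!r:14} cookie_secure={int(sec)} shared={session_is_shared(attr, sec)}")
```

The only settings under which the model reports one shared session are those without the Secure flag, which means the same session id is also sent in the clear on every HTTP request; with session.cookie_secure enabled, two separate sessions is the expected outcome.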