session lost in https

deepak10
Forum Newbie
Posts: 2
Joined: Tue Jun 23, 2009 6:32 am

session lost in https

Post by deepak10 »

When switching between HTTP and HTTPS, I lost all my session values.
How can I use the sessions over HTTP and HTTPS?
I am passing the session ID over the URL to the secure page, but it is not working...
Please do the needful.
Thanks
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: session lost in https

Post by kaisellgren »

Are you using PHP's session system? Did you set the Secure flag (session.cookie_secure)?

Or maybe your domain name changes between the switch? From a sub-domain to domain or vice versa? Be sure to set the domain part properly in that case.

http://fi.php.net/manual/en/function.se ... params.php
deepak10
Forum Newbie
Posts: 2
Joined: Tue Jun 23, 2009 6:32 am

Re: session lost in https

Post by deepak10 »

The session.cookie_secure flag is set to "on".
Still, I cannot pass PHP session variables from HTTP to HTTPS. Please find below the code which I have used to test.

HTTP file:
~~~~~~~~~~~

<?php
session_start();
$currentSessionID = session_id();
$_SESSION['myvariable'] = 'It worked';
$secureServerDomain = 'www.somedomain.com';
$securePagePath = '/new/products/login.php';
echo '<a href="https://' . $secureServerDomain . $securePagePath . '?session=' . $currentSessionID . '">Click here to transfer your session to the secure server</a>';
?>
HTTPS file:
~~~~~~~~

<?php
$currentSessionID = $_GET['session'];
session_id($currentSessionID);
session_start();
if (!empty($_SESSION['myvariable'])) {
      echo $_SESSION['myvariable'];
} else {
      echo 'It did not work.';
}
?>
 
Last edited by Benjamin on Wed Jun 24, 2009 12:36 am, edited 1 time in total.
Reason: Changed code type from text to php.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: session lost in https

Post by kaisellgren »

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Z:\Portable Applications\nginx\htdocs\test2.php on line 5
That's the reason. You should turn on error reporting.

You don't really need to pass identifiers to the files. Your web browser will submit the identifier using cookies.
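
Added example (not code from the thread or from either poster): a single bootstrap that keeps the session cookie-only and HTTPS-only, so no identifier is ever read from or written to the URL. It assumes PHP 7.1 or later; `SECURE_HOST` reuses the placeholder host from the post above, and `COOKIE_DOMAIN`, `start_https_session()` and `on_login()` are hypothetical names chosen for illustration.

```php
<?php
// Added example: shared bootstrap for every page that touches $_SESSION.
// SECURE_HOST is the placeholder host from the thread; COOKIE_DOMAIN is an assumption.
const SECURE_HOST   = 'www.somedomain.com';
const COOKIE_DOMAIN = ''; // '' = host-only cookie; use '.somedomain.com' only if sub-domains must share it

function request_is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

function start_https_session(): void
{
    if (!request_is_https()) {
        // A cookie carrying the Secure flag is never sent over plain HTTP, so an
        // HTTP page would start a fresh, empty session on every request.
        // Move the request to HTTPS instead of putting the id in the URL.
        header('Location: https://' . SECURE_HOST . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }

    ini_set('session.cookie_secure', '1');    // cookie only travels over HTTPS
    ini_set('session.cookie_httponly', '1');  // not readable from JavaScript
    ini_set('session.use_only_cookies', '1'); // ignore ids supplied in the URL
    ini_set('session.use_trans_sid', '0');    // never append the id to links
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    ini_set('session.cookie_domain', COOKIE_DOMAIN);

    if (session_start() === false) {
        throw new RuntimeException('session_start() failed');
    }
}

// Hypothetical helper: call once credentials have been verified, so the
// pre-login identifier stops being valid.
function on_login(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

start_https_session();
if (empty($_SESSION['myvariable'])) {
    $_SESSION['myvariable'] = 'It worked';
    echo 'Session value stored; reload this page.';
} else {
    echo htmlspecialchars($_SESSION['myvariable'], ENT_QUOTES, 'UTF-8');
}
```

The settings must be applied before `session_start()` and before any output is sent, which is why they live in one function that every page calls first.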