Maintain login session between http & https

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


wastedspace
Forum Newbie
Posts: 3
Joined: Tue Oct 17, 2006 9:43 am


Post by wastedspace »

Hi guys,

First of all, apologies if this has been answered in the past. Just signed up to this forum, and couldn't find exactly what I was after.

I have a site where there are two urls:

http://www.example.com
https://secure.example.com

I wish to maintain a login session between the two. So I can pick & choose which pages are secure, whilst always maintaining the same session when switching between the two.
All the site's files are in the same directory, but if you use the secure url for a page it just makes that particular page secure.

I've been reading that you can store the session id in the database, store the session id in a cookie, then validate it on the non-secure area (and log in automatically if it matches up). Unfortunately, when I switch between the two, my cookie isn't being passed. I'm using setcookie(). Is this just really setting a session? As I thought cookies were browser-side, and wouldn't matter if I switched between http & https...

I cannot find a satisfactory tutorial on this subject anywhere.

Please help! :?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Switching security levels changes which cookies are sent. The easiest way of transferring the session is by incorporating the sessionid (in some fashion) into the URL.
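An added example (not code from the thread) of the URL hand-off feyd describes, done without exposing the session id itself: the https host issues a random, single-use, short-lived token that maps to the session id in a server-side store, and the http host redeems it once and then redirects to strip the token from the address bar, history and Referer. It assumes both virtual hosts run on the same server with a shared session.save_path and PHP 7.4+, and uses a JSON file as the token store purely for illustration; a real site would use its database table. Note the limit of this approach: after redemption the http host still sets the same session id in a plain cookie, so it travels in clear text on every http request and can be sniffed; the token only keeps it out of URLs and logs.

```php
<?php
// Added example: hand a session from https://secure.example.com to
// http://www.example.com without putting the session id in the URL.
// Assumptions (not from the original post): both vhosts share the same
// server and session.save_path; the token store is a JSON file here,
// standing in for the site's database table.
declare(strict_types=1);

const HANDOFF_STORE = '/tmp/session_handoff.json'; // assumption: not web-readable
const HANDOFF_TTL   = 30;                          // seconds a token stays valid

/** Load the token store; a missing or unreadable file means an empty store. */
function handoffLoad(): array {
    $raw  = @file_get_contents(HANDOFF_STORE);
    $data = $raw === false ? null : json_decode($raw, true);
    return is_array($data) ? $data : [];
}

function handoffSave(array $store): void {
    file_put_contents(HANDOFF_STORE, json_encode($store), LOCK_EX);
}

/**
 * Called on the https side after login. Returns the URL to send the user to
 * on the http host; the token is random, single-use and short-lived.
 */
function issueHandoffUrl(string $sessionId, string $targetPath): string {
    $token = bin2hex(random_bytes(32));
    $store = handoffLoad();
    // Drop expired entries so the store does not grow without bound.
    $store = array_filter($store, fn(array $e): bool => $e['expires'] > time());
    $store[$token] = ['sid' => $sessionId, 'expires' => time() + HANDOFF_TTL];
    handoffSave($store);
    return 'http://www.example.com' . $targetPath . '?h=' . $token;
}

/**
 * Called on the http side. Redeems the token exactly once and returns the
 * session id to adopt, or null if the token is unknown, expired or reused.
 */
function redeemHandoff(string $token): ?string {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $store = handoffLoad();
    $sid   = null;
    foreach ($store as $t => $entry) {
        // Constant-time comparison so the lookup does not leak the token by timing.
        if (hash_equals((string) $t, $token)) {
            if ($entry['expires'] > time()) {
                $sid = $entry['sid'];
            }
            unset($store[$t]); // single use, valid or not
            break;
        }
    }
    handoffSave($store);
    return $sid;
}

// --- on http://www.example.com/page.php ---
if (isset($_GET['h'])) {
    $sid = redeemHandoff((string) $_GET['h']);
    if ($sid !== null) {
        session_id($sid);   // adopt the session that was started over https
        session_start();
        // Redirect so ?h= disappears from the address bar, history and Referer.
        header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'));
        exit;
    }
}
session_start();
```

On the https side, after a successful login, `header('Location: ' . issueHandoffUrl(session_id(), '/index.php'))` sends the browser across. If `session.use_strict_mode` is on, `session_id($sid)` is accepted only because the session already exists in the shared save path, which is the intended check.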
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

I can't confirm whether this works, but setting the domain of the cookie to *.example.com may work.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

wastedspace
Forum Newbie
Posts: 3
Joined: Tue Oct 17, 2006 9:43 am

Post by wastedspace »

Thanks for all your help guys. Appreciate it :)

I started to think about what happens when you log out; you have to deal with that too across two domains. Contemplated passing the session id through, and just setting a simple cookie (instead of fully logging in). This would then show the links that you would see when logged in, but you wouldn't actually be logged in.

I've decided however that once someone has logged into the secure area they stay in the secure area across the site. I know this is copping out, but I'm running short of time (client-wise). It isn't a huge site, and unlikely to get any bigger as far as non-secure pages go.

Plus I ain't hugely technically minded. Was kinda looking for a step-by-step tutorial somewhere :wink:

Cheers! :)
choppsta
Forum Contributor
Posts: 114
Joined: Thu Jul 03, 2003 11:11 am

Post by choppsta »

I have done this many times and never had any issues with it. As Jenk said, just make sure you have the domain part of the cookie set correctly to make it available to subdomains.

From the manual:
To make the cookie available on all subdomains of example.com then you'd set it to '.example.com'.
http://uk.php.net/manual/en/function.setcookie.php
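An added example (not code from the thread or the PHP manual) of the domain-scoped cookie choppsta and Jenk describe, combined with the two-tier idea wastedspace sketches above. The session cookie is set for `.example.com` so both hosts send it, which cures the "cookie isn't being passed" symptom; the caveat a practitioner wants is that such a cookie cannot carry the Secure flag (or the http host would never receive it), so the session id is sent in clear text on every http page and can be captured. To keep that from unlocking the secure area, login over https also issues a second, host-only, Secure cookie holding a random token that is checked before any sensitive page; the http side can show "logged in" navigation but cannot pass that check. Logging out from either host destroys the shared session, which also invalidates the stored token. It assumes PHP 7.3+ for the array forms of `session_set_cookie_params()` and `setcookie()`; the cookie name `sauth` and the page paths are made up for illustration.

```php
<?php
// Added example (not from the thread): one session shared across
// http://www.example.com and https://secure.example.com, plus a second
// cookie that exists only over https. Assumes PHP 7.3+; the cookie name
// and paths below are illustrative, not from the original post.
declare(strict_types=1);

const SECURE_COOKIE = 'sauth';        // assumption: name of the https-only cookie
const COOKIE_DOMAIN = '.example.com'; // leading dot, as in the manual text quoted above

$isHttps = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// 1. Session cookie scoped to the parent domain so both hosts send it.
//    It cannot be marked Secure, or http://www.example.com would never see
//    it, so the session id does travel in clear text on http pages.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => COOKIE_DOMAIN,
    'secure'   => false,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_only_cookies', '1'); // never accept a session id from the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server did not create
session_start();

/** Call after the password check, on the https host only. */
function loginUser(int $userId, bool $isHttps): void {
    if (!$isHttps) {
        throw new RuntimeException('login must happen over https');
    }
    session_regenerate_id(true); // defeat session fixation
    $_SESSION['uid'] = $userId;

    // 2. A second random token, kept in the session and sent back only as a
    //    host-only Secure cookie, so an eavesdropper on http never sees it.
    $token = bin2hex(random_bytes(32));
    $_SESSION['secure_token'] = $token;
    setcookie(SECURE_COOKIE, $token, [
        'expires'  => 0,
        'path'     => '/',      // no 'domain': host-only, stays on secure.example.com
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/** True on either host: enough to render "logged in" navigation. */
function isLoggedIn(): bool {
    return isset($_SESSION['uid']);
}

/** True only over https with the Secure cookie: required for sensitive pages. */
function hasSecureAuth(bool $isHttps): bool {
    if (!$isHttps || !isLoggedIn() || !isset($_SESSION['secure_token'])) {
        return false;
    }
    $presented = $_COOKIE[SECURE_COOKIE] ?? '';
    return hash_equals($_SESSION['secure_token'], $presented);
}

/** Works from either host: the shared session dies, so the token check fails too. */
function logoutUser(): void {
    $_SESSION = [];
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => '/', 'domain' => COOKIE_DOMAIN]);
    setcookie(SECURE_COOKIE, '', ['expires' => time() - 3600, 'path' => '/', 'secure' => true]);
    session_destroy();
}

// Page guard for a sensitive page on https://secure.example.com (illustrative path):
if (!hasSecureAuth($isHttps)) {
    header('Location: https://secure.example.com/login.php');
    exit;
}
```

The `$_SERVER['HTTPS']` check is the plain single-server case; behind a TLS-terminating proxy the scheme has to come from a trusted forwarded header instead. Anything the http pages are allowed to do with the shared session is still reachable by whoever captures the session id, so keep those pages to read-only, non-sensitive content.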