Maintain login session between http & https

Posted: Tue Oct 17, 2006 9:51 am
by wastedspace
Hi guys,

First of all, apologies if this has been answered in the past. Just signed up to this forum, and couldn't find exactly what I was after.

I have a site where there are two urls:

http://www.example.com
https://secure.example.com

I wish to maintain a login session between the two. So I can pick & choose which pages are secure, whilst always maintaining the same session when switching between the two.
All the site's files are in the same directory, but if you use the secure url for a page it just makes that particular page secure.

I've been reading that you can store the session id in the database, store the session id in a cookie, then validate it on the non-secure area (and logging in automatically if it matches up). Unfortunately when I switch between the two my cookie isn't being passed. I'm using setcookie(). Is this just really setting a session? As I thought cookies were browser-side, and wouldn't matter if I switched between http & https...

I cannot find a satisfactory tutorial on this subject anywhere.

Please help! :?

Posted: Tue Oct 17, 2006 9:55 am
by feyd
Switching security levels changes which cookies are sent. The easiest way of transferring the session is by incorporating the sessionid (in some fashion) into the URL.

Posted: Tue Oct 17, 2006 10:49 am
by Jenk
I can't confirm if this works.. but setting the domain of the cookie to *.example.com may work.

Posted: Tue Oct 17, 2006 11:06 am
by RobertGonzalez

Posted: Wed Oct 18, 2006 3:25 am
by wastedspace
Thanks for all your help guys. Appreciate it :)

I started to think about what happens when you log out, you have to deal with that too across two domains. Contemplated passing the sesh id through, and just setting a simple cookie (instead of fully logging in). This would then show the links that you would see when logged in, but you wouldn't actually be logged in.

I've decided however that once someone has logged into the secure area they stay in the secure area across the site. I know this is copping out, but I'm running short of time (client-wise). It isn't a huge site, and unlikely to get any bigger as far as non-secure pages go.

Plus I ain't hugely technically minded. Was kinda looking for a step-by-step tutorial somewhere :wink:

Cheers! :)

Posted: Wed Oct 18, 2006 3:33 am
by choppsta
I have done this many times and never had any issues with it? As Jenk said, just make sure you have the domain part of the cookie set correctly to make it available to subdomains.

From the manual:
To make the cookie available on all subdomains of example.com then you'd set it to '.example.com'.
http://uk.php.net/manual/en/function.setcookie.php
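
An added example, not part of the original thread: it combines the '.example.com' cookie domain quoted from the manual with wastedspace's idea of a simple cookie that only shows logged-in links. It assumes PHP 7.3+ (options-array form of setcookie()); the function names, the `logged_in` cookie name and the choice to mark the session cookie Secure are assumptions of this example.

```php
<?php
// Added example, not code from the thread. Cookie and function names are hypothetical.
const COOKIE_DOMAIN = '.example.com'; // form quoted from the setcookie() manual

// Session cookie: visible to every subdomain, but Secure means the browser
// sends it over https only, so the session id never crosses the http site.
function start_shared_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => COOKIE_DOMAIN,
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
}

// Call on https://secure.example.com after start_shared_session() and after
// the credentials have been verified.
function on_login(int $userId): void
{
    session_regenerate_id(true); // fresh id at the privilege change
    $_SESSION['user_id'] = $userId;
    // Hint cookie: carries no secret and is also sent over http. Use it only
    // to decide which links to render, never as proof of authentication.
    setcookie('logged_in', '1', [
        'expires' => 0, 'path' => '/', 'domain' => COOKIE_DOMAIN,
        'secure' => false, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Logout has to expire both cookies with the same path and domain they were
// set with, otherwise the browser keeps the old ones.
function on_logout(): void
{
    $past = time() - 3600;
    $_SESSION = [];
    setcookie(session_name(), '', [
        'expires' => $past, 'path' => '/', 'domain' => COOKIE_DOMAIN,
        'secure' => true, 'httponly' => true,
    ]);
    setcookie('logged_in', '', [
        'expires' => $past, 'path' => '/', 'domain' => COOKIE_DOMAIN,
    ]);
    session_destroy();
}
```

Any page that reads or changes account data still has to be served from the https host and check `$_SESSION['user_id']`, since the hint cookie can be set by anyone.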