Sessions / https problem


Post by Unipus »

I've got a fairly major problem whereby session ids are being just randomly reassigned for reasons I can't comprehend. A user will be on the site, has a session ID... I can track them and have been.

As soon as they move over to https, potential for tragedy begins and the server seems to be deciding willy-nilly to hand out new IDs. I've seen a single user in a single browsing session with 3 different session IDs. It doesn't seem to necessarily do it EVERY page but it often does. Now, all the session data is being maintained; if that user goes BACK to regular http, they can regain their old session id and see all their data is still there. I'm totally lost on this now.

I should mention that this affects only a small number of people. And from the statistics I've gathered there is NO connection between them in terms of time of day, browser, platform, IP, or anything else that might make sense.

Post by feyd »

I'd bet the session cookie is switching from secure to unsecure and back. If this is happening, new cookies will get assigned with new IDs. You may want to ensure the cookies are getting set exactly the same throughout. You may need to pass the session ID via URLs when switching between http and https... dunno after that. :?

Post by Unipus »

Here's the thing about that: session.use_trans_sid is and always has been ON. And I've tried explicitly sending the session ID myself. This works, but the second the user comes across a page on the https side that doesn't have that assigned session id, it invents a new one. It's pretty hard for me to cover all possible ways to navigate these pages, and I don't understand why it would be doing that in the first place!

Post by Unipus »

Someday, somewhere, somehow, I will find someone who knows what the hell is going on. Maybe, maaaybe, that person will even be me!
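
A diagnostic for the behaviour discussed in this thread, as an added example that is not code from any of the posters: it records, per request, whether the session ID arrived by cookie, by URL, or not at all, and whether PHP then made a different ID active. The function names and log format are hypothetical; IDs are logged only as truncated SHA-256 digests so the log never holds a usable session ID.

```php
<?php
// Added diagnostic sketch: function names and log format are hypothetical.

// How did this request present its session ID? $cookies/$query are the
// request's cookie and query-string arrays ($_COOKIE and $_GET in production).
function classify_session_source(string $name, array $cookies, array $query): string
{
    $c = $cookies[$name] ?? '';
    $q = $query[$name] ?? '';
    if ($c !== '' && $q !== '') {
        return $c === $q ? 'cookie+url' : 'cookie-url-mismatch';
    }
    if ($c !== '') {
        return 'cookie';
    }
    return $q !== '' ? 'url' : 'none'; // 'none': session_start() mints a new ID
}

// Short digest so log lines can be correlated without storing live session IDs.
function id_tag($id): string
{
    return is_string($id) && $id !== '' ? substr(hash('sha256', $id), 0, 12) : '-';
}

// Call instead of session_start() at the top of every page, on both schemes.
function start_session_with_diagnostics(): void
{
    $name      = session_name();
    $source    = classify_session_source($name, $_COOKIE, $_GET);
    $presented = $_COOKIE[$name] ?? $_GET[$name] ?? null;
    session_start();
    $p     = session_get_cookie_params(); // attributes PHP puts on Set-Cookie
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    error_log(sprintf(
        'sessdiag scheme=%s path=%s source=%s presented=%s active=%s reissued=%s cookie_secure=%d cookie_domain="%s" cookie_path="%s"',
        $https ? 'https' : 'http',
        strtok($_SERVER['REQUEST_URI'] ?? '/', '?'), // drop query: may carry the ID
        $source,
        id_tag($presented),
        id_tag(session_id()),
        $presented === session_id() ? 'no' : 'yes',
        (int) $p['secure'],
        $p['domain'],
        $p['path']
    ));
}

// Constructed sample input, CLI only: an https page reached without any session ID.
if (PHP_SAPI === 'cli') {
    echo classify_session_source('PHPSESSID', [], ['page' => 'checkout']), "\n";
}
```

Comparing `source` and `cookie_secure` across the http and https log lines for one affected user shows whether the ID was lost in transit (no cookie and no URL parameter on the request) or presented and replaced by the server.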