Sessions with SSL?

WorldCom
Forum Commoner
Posts: 45
Joined: Sat Jun 24, 2006 8:14 am
Location: Ontario, Canada

Post by WorldCom »

I've tried to search for Session Help on this and can't really find what I'm looking for.

I have a fully working site, log in, members area, sessions etc.
We are moving the site to a new server and the temporary site is on a secured page.

Now, the session variables are not pulled into the members page.
To check the session variables were being set properly, I used:

Code:

print_r($_SESSION);

To list the variables at the login page, then exit();
They are all set properly.

On the members page:

Code:

print_r($_SESSION);
// Stop unless both session values are present (logical OR, not bitwise |)
if(!isset($_SESSION['username']) || !isset($_SESSION['password'])) {
	mysql_close();
	exit();
	}

This is where the script exits(). Well it normally redirects back to the index page as if you're not logged in, but I took that out so I could see the Arrays. The output is simply Array(). So with my other tests, it seems the session variables are not being carried forward. Is there something more I need for SSL pages?
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Session IDs are stored in cookies.

http://ca3.php.net/manual/en/ref.sessio ... kie-secure

You possibly need to change the value so cookies are sent over SSL

Cheers :)
WorldCom
Forum Commoner
Posts: 45
Joined: Sat Jun 24, 2006 8:14 am
Location: Ontario, Canada

Post by WorldCom »

I assume you mean this command:

Code:

ini_set('session.cookie_secure', 1);

I'm just not sure where to put it. I tried it in my login.php page before session_start(), didn't work.

Now, I also have a header page which I tried ...... same thing.
Question: Do I need it in every page similar to before the session_start() command?

Thanks for any help
Still learning here ;)
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

try:

Code:

ini_set('session.cookie_secure', 'On');

However this may not address the problem as not all configuration values can be ini_set(). I can't seem to find any documentation on which can and which can't :(
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

Try: http://ca3.php.net/manual/en/function.s ... params.php

You would need to call it before session_start() from what I remember...
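
The call order suggested above (cookie parameters first, then session_start()), as an added example that is not code from this thread. It assumes PHP 7.3 or later and an HTTPS-only site where the web server populates $_SERVER['HTTPS']; the function names are hypothetical.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.3+ and an HTTPS-only site.
// Include this file first on every page, before any output is sent.

function request_is_https(): bool
{
    // $_SERVER['HTTPS'] is non-empty and not "off" when the request used TLS.
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function start_secure_session(): bool
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return true;                          // already started on this request
    }
    if (!request_is_https() || headers_sent()) {
        return false;                         // cookie could not be set or returned
    }
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,                      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,                   // browser sends it over HTTPS only
        'httponly' => true,                   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return session_start();
}

// Hypothetical helper: call right after a successful password check.
function on_login_success(string $username): void
{
    session_regenerate_id(true);              // new ID for the authenticated session
    $_SESSION['username'] = $username;        // store identity, not the password
}

// Check: the Set-Cookie header PHP queued for this response, or null if none.
function queued_session_cookie(): ?string
{
    foreach (headers_list() as $header) {
        if (stripos($header, 'Set-Cookie: ' . session_name() . '=') === 0) {
            return $header;
        }
    }
    return null;
}
```

A cookie marked Secure is not returned by the browser on plain-HTTP requests, so a page served over HTTP sees an empty $_SESSION even though the login page set it.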
WorldCom
Forum Commoner
Posts: 45
Joined: Sat Jun 24, 2006 8:14 am
Location: Ontario, Canada

Post by WorldCom »

Well thanks for all the help ........ this is kinda funny because I can no longer recreate the problem .... my site has just propagated through so there is no longer a secure page there.

Works fine now :)
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

ole wrote: However this may not address the problem as not all configuration values can be ini_set(). I can't seem to find any documentation on which can and which can't :(
PHP Manual Page for ini_set() wrote: Not all the available options can be changed using ini_set(). There is a list of all available options in the appendix.
http://uk2.php.net/manual/en/ini.php#ini.list
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

...doesn't say which can be ini_set() and which can't.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

ole wrote:
...doesn't say which can be ini_set() and which can't.
PHP_INI_ALL can be set with ini_set(); the others cannot.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

..doesn't say which can be ini_set() and which can't.
If I understand the meaning of constants properly, with ini_set you can set all options except those marked as PHP_INI_SYSTEM.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Weirdan wrote:
..doesn't say which can be ini_set() and which can't.
if I understand the meaning of constants properly, with ini_set you can set all options except those marked as PHP_INI_SYSTEM
I'm not so sure.... PHP_INI_PERDIR doesn't seem to be ini_set() settable. For example, auto_prepend_file falls into this group and how can you auto_prepend a file if you're already in the script? :)
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

d11wtq wrote: PHP_INI_ALL can be set with ini_set(); the others cannot.
Oooooh. Thanks for pointing that out to me d11wtq xD
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

http://de2.php.net/manual/en/ini.php wrote:
Table G-2. Definition of PHP_INI_* constants

Constant        Value  Meaning
PHP_INI_USER    1      Entry can be set in user scripts or in Windows registry
PHP_INI_PERDIR  2      Entry can be set in php.ini, .htaccess or httpd.conf
PHP_INI_SYSTEM  4      Entry can be set in php.ini or httpd.conf
PHP_INI_ALL     7      Entry can be set anywhere
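
The access level of a directive can be read at runtime instead of looked up in the manual. The following is an added example, not code from this thread: it uses the bit values from the table quoted above and PHP's ini_get_all() with details enabled; the function names and the directive list are chosen for illustration.

```php
<?php
// Added example (not from the thread). Bit values are those in the quoted table.
const ACCESS_BITS = [1 => 'PHP_INI_USER', 2 => 'PHP_INI_PERDIR', 4 => 'PHP_INI_SYSTEM'];

// Decode an access bitmask into the names of the places a directive may be set.
function access_labels(int $access): array
{
    $labels = [];
    foreach (ACCESS_BITS as $bit => $name) {
        if ($access & $bit) {
            $labels[] = $name;
        }
    }
    return $labels;
}

// For each directive: its access labels and whether the PHP_INI_USER bit
// (the one ini_set() needs) is present. Unknown directives map to null.
function ini_set_report(array $directives): array
{
    $all = ini_get_all(null, true);       // details=true adds the 'access' field
    $report = [];
    foreach ($directives as $name) {
        if (!isset($all[$name])) {
            $report[$name] = null;
            continue;
        }
        $access = (int) $all[$name]['access'];
        $report[$name] = [
            'access'     => access_labels($access),
            'ini_set_ok' => ($access & 1) === 1,
        ];
    }
    return $report;
}

// ini_set() returns false when the change is refused, so test it explicitly.
// Done before any output: session directives refuse changes once headers are sent.
if (ini_set('session.cookie_secure', '1') === false) {
    error_log('session.cookie_secure could not be changed at runtime');
}

// Directives discussed in the thread.
print_r(ini_set_report(['session.cookie_secure', 'auto_prepend_file']));
```

The access bit is necessary but not sufficient: session directives are also refused once the session is active, which is why the call belongs before session_start().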
bokehman
Forum Regular
Posts: 509
Joined: Wed May 11, 2005 2:33 am
Location: Alicante (Spain)

Post by bokehman »

If you are switching to and from http and https or switching domains you will need to carry the session id over using the GET method.