
Sessions across http/https

I'm experiencing an interesting problem with carrying a php session over
from http to https. Much googling later, I'm still stuck.

The application is an online shop, where some user data is stored in the
session. As the user proceeds to checkout, we switch over to https. This
is all done on the same physical server, under the same domain (which
has an SSL cert).

The session ID is carried over fine - I can read the session ID from
http and https and it is the same. However, when I try to access a
session variable e.g. $_SESSION['s_userid'], I can only do it using
whichever protocol was used to write the variable in the first place.

Let me explain more. If I save some user info in session variables from
pages accessed via http, then I try to read these variables from pages
accessed via https, they are empty.

I just want to make it clear that the problem is not that the session ID
is not available to the https pages - it is, and it's the same session id.

So, any idea what's going on here? It seems that there are two sessions
being created with the same session ID, one for http and one for https.
Is that what happens? If so, how do I get around it? How do I access the
session data from my https pages?

Any help much appreciated.
--
Grunff
Aug 9 '05 #1
12 Replies


Grunff wrote:
I'm experiencing an interesting problem with carrying a php session over
from http to https. Much googling later, I'm still stuck.

The application is an online shop, where some user data is stored in the
session. As the user proceeds to checkout, we switch over to https. This
is all done on the same physical server, under the same domain (which
has an SSL cert).

The session ID is carried over fine - I can read the session ID from
http and https and it is the same. However, when I try to access a
session variable e.g. $_SESSION['s_userid'], I can only do it using
whichever protocol was used to write the variable in the first place.

Let me explain more. If I save some user info in session variables from
pages accessed via http, then I try to read these variables from pages
accessed via https, they are empty.

I just want to make it clear that the problem is not that the session ID
is not available to the https pages - it is, and it's the same session id.

So, any idea what's going on here? It seems that there are two sessions
being created with the same session ID, one for http and one for https.
Is that what happens? If so, how do I get around it? How do I access the
session data from my https pages?

Any help much appreciated.


Hi,

I do not have a solution, but maybe something to get you going:
SESSION are based on some value of PHPSESSID, most of the time stored in a
cookie on the client browser.

Cookies set by a certain domain cannot be accessed by another domain.
Is it possible you switch also domains when you switch from http to https?

Like:
http://www.babelfish.com
to
https://www.purchasebabelfishhere.com

Regards,
Erwin Moller
Aug 9 '05 #2

Erwin Moller wrote:
I do not have a solution, but maybe something to get you going:
SESSION are based on some value of PHPSESSID, most of the time stored in a
cookie on the client browser.

Cookies set by a certain domain cannot be accessed by another domain.
Is it possible you switch also domains when you switch from http to https?

Like:
http://www.babelfish.com
to
https://www.purchasebabelfishhere.com

Hi Erwin,

No, it's all on the same domain - we're just switching from
http://mydomain.dom to https://mydomain.dom.

What's more, I can access the session ID without any problems (this
would not be the case if I was switching domains).

But thanks anyway :-)

--
Grunff
Aug 9 '05 #3

Grunff wrote:
I'm experiencing an interesting problem with carrying a php session over
from http to https. Much googling later, I'm still stuck.

The application is an online shop, where some user data is stored in the
session. As the user proceeds to checkout, we switch over to https. This
is all done on the same physical server, under the same domain (which
has an SSL cert).

The session ID is carried over fine - I can read the session ID from
http and https and it is the same. However, when I try to access a
session variable e.g. $_SESSION['s_userid'], I can only do it using
whichever protocol was used to write the variable in the first place.

Let me explain more. If I save some user info in session variables from
pages accessed via http, then I try to read these variables from pages
accessed via https, they are empty.

I just want to make it clear that the problem is not that the session ID
is not available to the https pages - it is, and it's the same session id.

So, any idea what's going on here? It seems that there are two sessions
being created with the same session ID, one for http and one for https.
Is that what happens? If so, how do I get around it? How do I access the
session data from my https pages?

Any help much appreciated.


There are 2 different approaches to solve this that I have used before.
The one I like best is using custom session handlers and store all the
session information in a database. By writing them correctly, as long as
you have the same session id, you can retrieve all the information
necessary. The second solution (which may be easier) is to send the data
via POST when you switch protocols:

<input type="hidden" name="session_data"
       value="<?php echo base64_encode(serialize($_SESSION)); ?>" />

Then when you receive the POST do something like:

<?php
session_start();
if (isset($_POST['session_data'])) {
    // Validate the posted blob first; it comes from the client, so only
    // accept what your own form produced before handing it to unserialize().
    $_SESSION = unserialize(base64_decode($_POST['session_data']));
}
?>

Of course, you'd want to validate the data before doing this, but it
should give you an idea of what you may be able to accomplish.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Aug 9 '05 #4

Justin Koivisto wrote:
There are 2 different approaches to solve this that I have used before.
The one I like best is using custom session handlers and store all the
session information in a database. By writing them correctly, as long as
you have the same session id, you can retrieve all the information
necessary. The second solution (which may be easier) is to send the data
via POST when you switch protocols:


Hi Justin,

I understand both your solutions, but I'm still confused as to why it is
necessary - why is it that switching protocols creates a separate
session with the same ID? Is this just the way sessions are implemented
in php?

Thanks.

--
Grunff
Aug 9 '05 #5

Grunff wrote:
Justin Koivisto wrote:
There are 2 different approaches to solve this that I have used before.
The one I like best is using custom session handlers and store all the
session information in a database. By writing them correctly, as long as
you have the same session id, you can retrieve all the information
necessary. The second solution (which may be easier) is to send the data
via POST when you switch protocols:


Hi Justin,

I understand both your solutions, but I'm still confused as to why it is
necessary - why is it that switching protocols creates a separate
session with the same ID? Is this just the way sessions are implemented
in php?


As I understand it, a request for http://example.com is different than a
request for https://example.com when dealing with cookies. (That is why
I might send a session id as a get or post parameter and read the
database for the session contents.) I know this happens in ASP as well
as PHP, so I don't think it's actually a php implementation that is
causing it. Also, the fact that it happens in IIS as well as apache
makes me think it isn't a web server software issue either. The fact
that you are getting the same session id on each of the servers is quite
curious to me. How are you retrieving the session id for inspection? Are
you using session_id() to view and compare?

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Aug 9 '05 #6

Justin Koivisto wrote:
As I understand it, a request for http://example.com is different than a
request for https://example.com when dealing with cookies. (That is why
I might send a session id as a get or post parameter and read the
database for the session contents.) I know this happens in ASP as well
as PHP, so I don't think it's actually a php implementation that is
causing it. Also, the fact that it happens in IIS as well as apache
makes me think it isn't a web server software issue either. The fact
that you are getting the same session id on each of the servers is quite
curious to me. How are you retrieving the session id for inspection? Are
you using session_id() to view and compare?

Yes, precisely - calling session_id() retrieves the same ID from http
and https. And yet calling $_SESSION['s_userid'] will retrieve the value
only from whichever protocol it was set (that is, if I set it via http,
I can retrieve it via http).

I've started rewriting it to store all session data in the db instead of
as session variables.

Thanks for your help, it is appreciated.
--
Grunff
Aug 9 '05 #7

On 2005-08-09 16-27-39 Grunff <gr****@ixxa.com> wrote:
I'm experiencing an interesting problem with carrying a php session over
from http to https. Much googling later, I'm still stuck.

The application is an online shop, where some user data is stored in the
session. As the user proceeds to checkout, we switch over to https. This
is all done on the same physical server, under the same domain (which
has an SSL cert).

The session ID is carried over fine - I can read the session ID from
http and https and it is the same. However, when I try to access a
session variable e.g. $_SESSION['s_userid'], I can only do it using
whichever protocol was used to write the variable in the first place.

Let me explain more. If I save some user info in session variables from
pages accessed via http, then I try to read these variables from pages
accessed via https, they are empty.

I just want to make it clear that the problem is not that the session ID
is not available to the https pages - it is, and it's the same session id.

So, any idea what's going on here? It seems that there are two sessions
being created with the same session ID, one for http and one for https.
Is that what happens? If so, how do I get around it? How do I access the
session data from my https pages?

Any help much appreciated.


Is your HTTPSd configured to use other temporary directories? Or maybe the
secure site runs under a different user, so the user is not allowed to read
the existing session? (Safe mode postfixes Authentication realms with the
user id, so it is possible that the files holding the session data are
prefixed, too.)

HTH,
Simon
--
Simon Stienen <http://slashlife.org/>
"What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done."
/Sherlock Holmes in A Study in Scarlet by Sir Arthur Conan Doyle/
Aug 9 '05 #8

Simon Stienen wrote:
Is your HTTPSd configured to use other temporary directories?
I didn't know that could be done - would that be done in httpd.conf? I
can't find a directive that looks like it is doing this.

Or maybe the
secure site runs under a different user, so the user is not allowed to read
the existing session? (Safe mode postfixes Authentication realms with the
user id, so it is possible, that the files holding the session data are
prefixed, too.)


No, same user (I was really hopeful when I read this suggestion, but it
doesn't appear to be the case :-()
Thanks for your thoughts.

--
Grunff
Aug 9 '05 #9

On 2005-08-09 22-23-44 Grunff <gr****@ixxa.com> wrote:
Simon Stienen wrote:
Is your HTTPSd configured to use other temporary directories?
I didn't know that could be done - would that be done in httpd.conf? I
can't find a directive that looks like it is doing this.


It was just a thought... I don't know whether it is possible, but if there
is no directive in your httpd.conf, this is not the case anyway...
Thanks for your thoughts.

Sorry they weren't leading to any better results... :/

Regards,
Simon
--
Simon Stienen <http://slashlife.org/>
"What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done."
/Sherlock Holmes in A Study in Scarlet by Sir Arthur Conan Doyle/
Aug 9 '05 #10

Simon Stienen wrote:
Sorry they weren't leading to any better results... :/


They were much appreciated nonetheless.

I've now implemented the workaround suggested by Justin, saving all the
session data to the db. Wasn't fun, but it's all done now. I'll know for
next time :-)

Thanks all.
--
Grunff
Aug 9 '05 #11

Keep in mind that the use of the session id from http in https means no
protection from session-hijacking.

Aug 10 '05 #12

Justin Koivisto wrote:
As I understand it, a request for http://example.com is different than a
request for https://example.com when dealing with cookies. (That is why
I might send a session id as a get or post parameter and read the
database for the session contents.)


If I remember correctly, a cookie would be sent for both
http://example.com and https://example.com if it isn't marked as
secure. If it is, then it's sent only for a request to
https://example.com.

Aug 10 '05 #13
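The two points made in #12 and #13, that an id first issued over http gives no hijacking protection once reused on https and that only a cookie marked Secure is restricted to https requests, combined into an added example of how the hand-over to checkout can be done. This is not code from the thread; it assumes PHP 7.3 or later (array form of `session_set_cookie_params`) and one host serving both schemes.

```php
<?php
// Added example: re-issue the session cookie as Secure + HttpOnly when the
// visitor reaches https, and replace the id that travelled in clear text.
// Assumes PHP 7.3+ and a single host for http and https.

function request_is_https(): bool
{
    // Apache and most SAPIs set HTTPS to 'on' (or '1'); some set it to 'off'.
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['SERVER_PORT'] ?? null) == 443);
}

function start_shop_session(): void
{
    $https = request_is_https();

    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, expires with the browser
        'path'     => '/',
        'domain'   => '',         // current host only (same host on both schemes)
        'secure'   => $https,     // Secure flag: browser sends it on https only
        'httponly' => true,       // not readable from page scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    // First request over https: the id the browser presented was previously
    // sent in clear text over http, so swap it for a fresh one. The session
    // data is carried over; only the id changes.
    if ($https && empty($_SESSION['_https_id_issued'])) {
        session_regenerate_id(true);
        $_SESSION['_https_id_issued'] = true;
    }
}

// Usage on every page, before any output.
start_shop_session();
$_SESSION['s_userid'] = $_SESSION['s_userid'] ?? 'demo-user';  // constructed value
echo (request_is_https() ? 'https' : 'http') . ' page, session ' . session_id() . "\n";
```

The trade-off follows directly from #13: once the cookie is re-issued with the Secure flag, the plain http pages no longer receive it, so the customer has to stay on https from checkout onward (or the whole shop is served over https). `session.cookie_secure` and `session.cookie_httponly` in php.ini give the same result globally without the per-page call.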
