Bytes | Software Development & Data Engineering Community

Sessions across http/https

I'm experiencing an interesting problem with carrying a php session over
from http to https. Much googling later, I'm still stuck.

The application is an online shop, where some user data is stored in the
session. As the user proceeds to checkout, we switch over to https. This
is all done on the same physical server, under the same domain (which
has an SSL cert).

The session ID is carried over fine - I can read the session ID from
http and https and it is the same. However, when I try to access a
session variable e.g. $_SESSION['s_userid'], I can only do it using
whichever protocol was used to write the variable in the first place.

Let me explain more. If I save some user info in session variables from
pages accessed via http, then I try to read these variables from pages
accessed via https, they are empty.

I just want to make it clear that the problem is not that the session ID
is not available to the https pages - it is, and it's the same session id.

So, any idea what's going on here? It seems that there are two sessions
being created with the same session ID, one for http and one for https.
Is that what happens? if so, how do I get around it? How do I access the
session data from my https pages?

Any help much appreciated.
--
Grunff
Aug 9 '05 #1
Grunff wrote:
Hi,

I do not have a solution, but maybe something to get you going:
Sessions are based on some value of PHPSESSID, most of the time stored in a
cookie on the client browser.

Cookies set by a certain domain cannot be accessed by another domain.
Is it possible you also switch domains when you switch from http to https?

Like:
http://www.babelfish.com
to
https://www.purchasebabelfishhere.com

Regards,
Erwin Moller
Aug 9 '05 #2
Erwin Moller wrote:
I do not have a solution, but maybe something to get you going:
SESSION are based on some value of PHPSESSID, most of the time stored in a
cookie on the client browser.

Cookies set by a certain domain cannot be accessed by another domain.
Is it possible you also switch domains when you switch from http to https?

Like:
http://www.babelfish.com
to
https://www.purchasebabelfishhere.com

Hi Erwin,

No, it's all on the same domain - we're just switching from
http://mydomain.dom to https://mydomain.dom.

What's more, I can access the session ID without any problems (this
would not be the case if I was switching domains).

But thanks anyway :-)

--
Grunff
Aug 9 '05 #3
Grunff wrote:
There are 2 different approaches to solve this that I have used before.
The one I like best is using custom session handlers and store all the
session information in a database. By writing them correctly, as long as
you have the same session id, you can retrieve all the information
necessary. The second solution (which may be easier) is to send the data
via POST when you switch protocols:

<input type="hidden" name="session_data"
       value="<?php echo base64_encode(serialize($_SESSION)) ?>" />

Then when you receive the POST do something like:
<?php
// Restore the session contents carried over in the form submission
if (isset($_POST['session_data'])) {
    $_SESSION = unserialize(base64_decode($_POST['session_data']));
}
?>

Of course, you'd want to validate the data before doing this, but it
should give you an idea of what you may be able to accomplish.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Aug 9 '05 #4
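Added example, not part of the thread or Justin's code: the "validate the data" step for the POST hand-off above, done as a JSON payload with an expiry and an HMAC under a server-side secret, so the browser can carry the session contents to the https page but cannot edit them (no unserialize() of client input). HANDOFF_KEY, HANDOFF_TTL and the function names are assumptions for this example.

```php
<?php
// Added example, not from the thread: a checked form of the POST hand-off.
// The payload is JSON (no unserialize() of client input), carries an expiry,
// and is authenticated with an HMAC under a server-side secret, so the
// browser can carry it to the https page but cannot alter it.
// HANDOFF_KEY is a placeholder; load a real random key from configuration.
const HANDOFF_KEY = 'PLACEHOLDER-replace-with-32-random-bytes';
const HANDOFF_TTL = 120; // seconds a hand-off token stays valid

// http side: the value to place in the hidden form field.
function handoff_encode(array $session, ?int $now = null): string
{
    $now  = $now ?? time();
    $body = base64_encode(json_encode(['exp'  => $now + HANDOFF_TTL,
                                       'data' => $session]));
    $mac  = hash_hmac('sha256', $body, HANDOFF_KEY);
    return $body . '.' . $mac;   // signed for integrity, not encrypted
}

// https side: returns the session data, or null if the token is not trusted.
function handoff_decode(string $token, ?int $now = null): ?array
{
    $now   = $now ?? time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // Recompute the MAC and compare in constant time before parsing the body.
    if (!hash_equals(hash_hmac('sha256', $body, HANDOFF_KEY), $mac)) {
        return null;
    }
    $raw     = base64_decode($body, true);
    $payload = ($raw === false) ? null : json_decode($raw, true);
    if (!is_array($payload) || !isset($payload['exp'], $payload['data'])
        || !is_array($payload['data']) || $payload['exp'] < $now) {
        return null;   // malformed, tampered, or expired
    }
    return $payload['data'];
}

// In the http form, echo htmlspecialchars(handoff_encode($_SESSION)) into
// the hidden field named session_data.
// On the https page, after session_start():
if (isset($_POST['session_data']) && is_string($_POST['session_data'])) {
    $data = handoff_decode($_POST['session_data']);
    if ($data === null) {
        http_response_code(400);
        exit('session hand-off rejected');
    }
    $_SESSION = $data;
}
```

The token is readable by the user (base64, not encrypted), so put nothing in it the user may not see; the short TTL limits how long a captured token stays usable.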
Justin Koivisto wrote:
There are 2 different approaches to solve this that I have used before.
The one I like best is using custom session handlers and store all the
session information in a database. By writing them correctly, as long as
you have the same session id, you can retrieve all the information
necessary. The second solution (which may be easier) is to send the data
via POST when you switch protocols:


Hi Justin,

I understand both your solutions, but I'm still confused as to why it is
necessary - why is it that switching protocols creates a separate
session with the same ID? Is this just the way sessions are implemented
in php?

Thanks.

--
Grunff
Aug 9 '05 #5
Grunff wrote:
I understand both your solutions, but I'm still confused as to why it is
necessary - why is it that switching protocols creates a separate
session with the same ID? Is this just the way sessions are implemented
in php?


As I understand it, a request for http://example.com is different than a
request for https://example.com when dealing with cookies. (That is why
I might send a session id as a get or post parameter and read the
database for the session contents.) I know this happens in ASP as well
as PHP, so I don't think it's actually a php implementation that is
causing it. Also, the fact that it happens in IIS as well as apache
makes me think it isn't a web server software issue either. The fact
that you are getting the same session id on each of the servers is quite
curious to me. How are you retrieving the session id for inspection? Are
you using session_id() to view and compare?

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Aug 9 '05 #6
Justin Koivisto wrote:
As I understand it, a request for http://example.com is different than a
request for https://example.com when dealing with cookies. (That is why
I might send a session id as a get or post parameter and read the
database for the session contents.) I know this happens in ASP as well
as PHP, so I don't think it's actually a php implementation that is
causing it. Also, the fact that it happens in IIS as well as apache
makes me think it isn't a web server software issue either. The fact
that you are getting the same session id on each of the servers is quite
curious to me. How are you retrieving the session id for inspection? Are
you using session_id() to view and compare?

Yes, precisely - calling session_id() retrieves the same ID from http
and https. And yet calling $_SESSION['s_userid'] will retrieve the value
only from whichever protocol it was set (that is, if I set it via http,
I can retrieve it via http).

I've started rewriting it to store all session data in the db instead of
as session variables.

Thanks for your help, it is appreciated.
--
Grunff
Aug 9 '05 #7
On 2005-08-09 16-27-39 Grunff <gr****@ixxa.com> wrote:
Is your HTTPSd configured to use other temporary directories? Or maybe the
secure site runs under a different user, so the user is not allowed to read
the existing session? (Safe mode postfixes Authentication realms with the
user id, so it is possible, that the files holding the session data are
prefixed, too.)

HTH,
Simon
--
Simon Stienen <http://slashlife.org/>
"What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done."
/Sherlock Holmes in A Study in Scarlet by Sir Arthur Conan Doyle/
Aug 9 '05 #8
Simon Stienen wrote:
Is your HTTPSd configured to use other temporary directories?
I didn't know that could be done - would that be done in httpd.conf? I
can't find a directive that looks like it is doing this.

Or maybe the
secure site runs under a different user, so the user is not allowed to read
the existing session? (Safe mode postfixes Authentication realms with the
user id, so it is possible, that the files holding the session data are
prefixed, too.)


No, same user (I was really hopeful when I read this suggestion, but it
doesn't appear to be the case :-()
Thanks for your thoughts.

--
Grunff
Aug 9 '05 #9
On 2005-08-09 22-23-44 Grunff <gr****@ixxa.com> wrote:
Simon Stienen wrote:
Is your HTTPSd configured to use other temporary directories?
I didn't know that could be done - would that be done in httpd.conf? I
can't find a directive that looks like it is doing this.


It was just a thought... I don't know whether it is possible, but if there
is no directive in your httpd.conf, this is not the case anyway...
Thanks for your thoughts.

Sorry they weren't leading to any better results... :/

Regards,
Simon
--
Simon Stienen <http://slashlife.org/>
"What you do in this world is a matter of no consequence,
The question is, what can you make people believe that you have done."
/Sherlock Holmes in A Study in Scarlet by Sir Arthur Conan Doyle/
Aug 9 '05 #10
Simon Stienen wrote:
Sorry they weren't leading to any better results... :/


They were much appreciated nonetheless.

I've now implemented the workaround suggested by Justin, saving all the
session data to the db. Wasn't fun, but it's all done now. I'll know for
next time :-)

Thanks all.
--
Grunff
Aug 9 '05 #11
Keep in mind that the use of the session id from http in https means no
protection from session-hijacking.

Aug 10 '05 #12
Justin Koivisto wrote:
As I understand it, a request for http://example.com is different than a
request for https://example.com when dealing with cookies. (That is why
I might send a session id as a get or post parameter and read the
database for the session contents.)


If I remember correctly, a cookie would be sent for both
http://example.com and https://example.com if it isn't marked as
secure. If it is, then it's sent only for a request to
https://example.com.

Aug 10 '05 #13
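Added example, not part of the thread: one way to act on posts #12 and #13, regenerating the session id on the first https request (so the id that travelled in clear over http is never the checkout id) and re-issuing the cookie with the Secure flag so browsers stop presenting it on http requests. It assumes PHP 7.3 or later (array form of session_set_cookie_params), one host for both schemes, and that http pages may lose sight of the session once checkout has begun; the function name and the `_https_only` marker are this example's own.

```php
<?php
// Added example, not from the thread: call this instead of session_start()
// on every page of the shop. On https it drops the session id that was
// exposed over http and marks the cookie Secure; on http it behaves like a
// plain session_start(). Assumes PHP 7.3+ and a single host.
function start_shop_session(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    // Accept the id from the cookie only, never from a URL parameter.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    if ($https) {
        // Cookie attributes must be set before session_start().
        session_set_cookie_params([
            'lifetime' => 0,
            'path'     => '/',
            'secure'   => true,   // browser sends it on https requests only
            'httponly' => true,   // not readable by page scripts
            'samesite' => 'Lax',
        ]);
    }
    session_start();

    if ($https && empty($_SESSION['_https_only'])) {
        // First https request: the presented id was exposed over http, so
        // issue a new one, delete the old session file, and keep the data.
        // The replacement cookie goes out with the Secure flag set above.
        session_regenerate_id(true);
        $_SESSION['_https_only'] = true;
    }
}
```

After promotion, http pages no longer receive the cookie and will start a fresh anonymous session, so keep every page that needs the checkout data on https.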
