Question

switching session variables between http and https

Asked by: coincidence

I am having some problems understanding what I need to do to safely deal with variables being passed between http and https sections of a site I am working on. Both areas are on the same server. I understand that the session variables will NOT pass between the two areas for obvious reasons.

What I am currently doing is logging the user into the site on a non-secure form, once this is done correctly, a number of session variables are created, the user can navigate round the site based on these session variables. They can also click a link to edit their details etc. The session variables for example are firstname and email address. So it always says at the top of all pages...Hello Bob...Since the email address is the unique part of a user's details that is also kept in a session variable.

I have also changed this to work in a https environment, but then I can't see these session variables in the non-secure area.

What I want to do is to make the log in and an edit personal details session be done in the secure https environment. The session data however is different than the non-secure http area, so the session data is lost when moving between each area. I still want to be able to keep track of the user while in this non-secure area and allow them to keep using the same session data.

How do I move between the two states? What is the generally accepted safe way of doing this?

I don't really want to use cookies to do this. I know I could store the session data in a database but there would still be some kind of randomly generated variable put in the database as an alternative to the session id but I am still at a loss as to how to identify the user when moving between http and https?

Thanks for any help and advice.

This Question has been solved and asker verified.

Asked On: 2008-07-24 at 11:37:43 (ID 23593288)
Tags: apache, php
Topics: PHP Scripting Language, Secure Socket Layer (SSL) & HTTPS, Apache Web Server
Participating Experts: 2
Points: 500
Comments: 28


Answers

 

by: hernst42 Posted on 2008-07-24 at 11:53:17 ID: 22082299

You should be able to use the session via http and https, if you don't create the session with secure only. So if you have

https://www.example.com
http://www.example.com

The session should be available in both modes. Are the domain names the same?

 

by: Ray_Paseur Posted on 2008-07-24 at 12:18:46 ID: 22082559

If you don't want to use Cookies and can't use Session, you've got a stateless application.  Feh.

Do what PayPal does - put everything behind HTTPS.  Redirect anybody that uses http right over the wall.
No more security worries and no coding hassles.  Those guys at PayPal are pretty smart about this stuff!

HTH, ~Ray

// IF NOT HTTPS
if (empty($_SERVER["HTTPS"])) { 
 
// ESTABLISH WHERE I ENTERED THE SITE
   $my_entry_uri = 'https://' . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
 
// GO TO SECURE SIDE
   header("Location: $my_entry_uri");
   exit;
}
                                              

 

by: coincidence Posted on 2008-07-24 at 12:39:40 ID: 22082755

Thanks for the quick response.

hernst42 - I believe I am using my secure server correctly. The domains follow this format:

http://www.mydomain.com
https://secure.mydomain.com

The session variables are not moving from one area to the other.

Ray_Paseur: I appreciate that keeping within the https would theoretically solve my problems, but this is not the correct way to do things, as far as I know. For one thing it slows things down and makes use of https and security certificate where it is not needed.

I would really like to try and achieve something similar to say,  how things are done on this site or on Amazon or on any professional site that switches between the two.

Thanks.

 

by: Ray_Paseur Posted on 2008-07-24 at 12:42:21 ID: 22082773

That's fine - but it puts you into the world of Cookies and Data Base Sessions.  It's not that it can't be done by any means, it's just another step in the planning process for each page header and each modification of the Session data.

 

by: hernst42 Posted on 2008-07-24 at 12:56:45 ID: 22082894

This does not work, as it's not the same hostname (www!==secure). You can try this:

// Positional order is lifetime, path, domain: the shared domain is the third argument
session_set_cookie_params(0, '/', '.mydomain.com');
session_start();

So the cookie for the session is available for both urls
http://www.mydomain.com
https://secure.mydomain.com

 

by: coincidence Posted on 2008-07-24 at 13:03:10 ID: 22082957

If I were to use the database sessions, the problem I have is there still needs to be some kind of interlinking variable. Am I correct in thinking that I will need to use a cookie to link the two? And if I do that, is using cookies just as "safe"?

 

by: Ray_Paseur Posted on 2008-07-24 at 13:47:13 ID: 22083368

The cookie is the interlinking variable.  Here's what I do...

Check a flag to see if the user said "Remember Me" - long term cookie if so.
Assign a hash string (camp_cookie).
Assign a name.
Assign a path of '/' so the cookie is available to the entire domain.
Assign a domain starting WITHOUT the www prefix to make the cookie available on all subdomains
Assign secure = FALSE so the cookie is sent to http and https both
Assign http = TRUE to help keep the cookie out of the hands of Javascript.

Man Page Here:
http://us3.php.net/manual/en/function.setcookie.php

Then you can use the hash string to access stored variables in the data base.  Does that make sense?

// SET A COOKIE TO REMEMBER THE LOGIN?
	if ($cFlag == '') {
		$cookie_expires	= 0; // EXPIRE AT END OF SESSION
	} else {
		$cookie_expires	= time() + 6*60*60 + $my_cookie_life;  // +6 HOURS FOR GMT (SERVER IN CENTRAL TIME)
	}
	$cookie_value	= $_SESSION["camp_cookie"];
	$cookie_name 	= "$my_login_cookie";
	$cookie_path	= '/';
	$cookie_domain	= str_replace('www', '', strtolower($_SERVER["HTTP_HOST"])); // STARTS WITH DOT
	$cookie_secure	= FALSE;
	$cookie_http	= TRUE;
	if (!setcookie($cookie_name, $cookie_value, $cookie_expires, $cookie_path, $cookie_domain, $cookie_secure, $cookie_http)) { /* echo "Cookie Failed"; */ }
                                              

 

by: hernst42 Posted on 2008-07-24 at 13:53:52 ID: 22083433

Use proper settings for session_set_cookie_params and you don't need your own cookie or database sessions.

 

by: Ray_Paseur Posted on 2008-07-24 at 14:44:43 ID: 22083844

@hernst42, I guess it would be an application-dependent choice - whether you needed cookies or database state information. I need some cookies to outlive the browser session, so I had to set my own cookies anyway - the "welcome back" type.  In the process of researching it, I came to the conclusion that my code library should look like the snippet above for the kinds of cookies that I wanted in http and also in https.  I have always found cookies to be useful app design elements, beyond just keeping session state.  But the Asker said he did not want to use cookies, and I take him at his word.  However, if I were in his position, I would be tempted to just put everything behind HTTPS and be done with the issue.  More than one way to skin the cat, for sure.

Best to all, ~Ray

 

by: coincidence Posted on 2008-07-25 at 08:08:34 ID: 22089237

Hi, thanks for the continued advice. If I use the session_set_cookie_params how would I integrate this into my current code? I am having some trouble. The following is the code I have, I am probably being too simplistic trying to get it to work like it did, and I am probably missing the point! Perhaps you can suggest a solution. Thanks...

//---------------------------------------------------------------------
//---------------------------------------------------------------------
 
//the code below is on the page that the login page goes to when the submit button is pressed...
 
include("../private/[databaseinfofile]");
mysql_connect(localhost,$username,$password);
@mysql_select_db($database) or die( "Unable to select database...");
 
require_once('CU.php');
require_authentication_frontend();
 
...
 
session_set_cookie_params(0, '.mydomain.com');session_start(); 
// added suggested line above
 
$_SESSION['name'] = "MY_SESSION_NAME";
 
//create the session variables and other variables
$_SESSION['user_id'] = $record['forename']." ".$record['surname'];
$_SESSION['level'] = $record['level'];
$_SESSION['email'] = $record['email'];
$_SESSION['sess_id'] = session_id();
$_SESSION['agent'] = md5($_SERVER['HTTP_USER_AGENT']);
$ipaddress=$_SERVER['REMOTE_ADDR'];
$customeremail=$_SESSION['email'];
$sessionid=session_id();
 
//update the customer's login-info with number of attempts
$sql="UPDATE customers SET session_id='$sessionid'....[otherstuff put in db too]...WHERE email='$n'";
mysql_query($sql);
 
...
 
//---------------------------------------------------------------------
//---------------------------------------------------------------------
 
//CU.php
//The following is what is on CU.php
//CU.php is called on every page...
 
 
session_set_cookie_params(0, '.mydomain.com');session_start(); 
// added suggested line above
session_start();
 
/**
 * this redirects a non-logged in user to login.php
 * if logged in, nothing happens...
*/ 
 
function require_authentication_frontend() 
{
 
  global $custName;
  
  $_SESSION['name'] = "MY_SESSION_NAME";
  $ok=true;
  
  if (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT'])) ) 
  {
  $ok=false;
  }
  
  if ($ok)
  {
  
    if(isset($_SESSION['user_id'])) 
    {
    	
    	$custName=$_SESSION['user_id'];
    	if ($custName=="") 
    	{
    		
    		$_SESSION = array();
    		$custName="Guest";
  			return $custName;
    	}
    	//the session is valid and user is logged in
    	else  
    	{ 
    		return $custName; 
    	}
    }
    else
  	{
    	
    	$custName="Guest";
  		return $custName;
  	}
    
  }
  else
  {
 
   	$custName="Guest";
  	return $custName;
  }
  exit(); // Quit the script.
}
 
//---------------------------------------------------------------------
//---------------------------------------------------------------------

                                              

 

by: coincidence Posted on 2008-07-25 at 08:10:47 ID: 22089254

sorry I had a slight typo in there - CU.php should only have one session_start();!

 

by: hernst42 Posted on 2008-07-25 at 08:20:02 ID: 22089332

CU.php should look like:

<?php
 
// lifetime 0 (until the browser closes), path '/', domain shared by both hosts
session_set_cookie_params(0, '/', '.mydomain.com');
session_start();

                                              

 

by: coincidence Posted on 2008-07-25 at 08:25:33 ID: 22089393

Hi hernst42

Sorry there was a slight typo - so it does actually look like that. The problem is that when I try and add the suggested code the $_SESSION['user_id'] doesn't seem to be staying anymore...I remove the line of code with session_set_cookie_params in it and it starts working...

 

by: hernst42 Posted on 2008-07-25 at 08:27:29 ID: 22089418

If you add/change that line you will need to clear all cookies to make it work correctly, else the old session-cookie and new session-cookie overlap, which leads to unpredictable results.

 

by: coincidence Posted on 2008-07-25 at 09:11:04 ID: 22089897

Hi Hernst42

I've cleared all the cookies, and I'm afraid the result is still the same, the following are the two cookies that were generated:

secure.mydomain.com  PHPSESSID   .mydomain.com ce4032423432699fe24a098
www.mydomain.com     PHPSESSID   .mydomain.com 432d2434f43242a4324fr324

I added a var_dump to see what was happening and the session data seems to get wiped. If I remove the set_session_cookie_params the session data is preserved.

To clean things up a bit and to make it easier I also removed the following with the sscp in place, but to no avail :(:

 if (!isset($_SESSION['agent']) OR ($_SESSION['agent'] != md5($_SERVER['HTTP_USER_AGENT'])) ) 
  {
  $ok=false;
  }

                                              

 

by: hernst42 Posted on 2008-07-25 at 11:02:53 ID: 22090875

The values for the cookies PHPSESSID should be the same for both servers, if not the session data is not shared.

Don't know why the session is not found correctly. Are you sure that there are no cookies for www.mydomain.com which are valid for www.mydomain.com and not .mydomain.com? Do you have a URL where this can be tested with cookie_params? I want to check it on my own.

 

by: coincidence Posted on 2008-07-26 at 06:26:51 ID: 22094973

I am pretty sure there are no cookies, I deleted them all, have tried it on multiple browsers, and restarted the computer too. I only have the url that will eventually be the live url. Is there some way I can get it to you without having to broadcast the url to the world...

Thanks again for your help on this...

 

by: Ray_Paseur Posted on 2008-07-26 at 07:31:01 ID: 22095167

@coincidence: Do you have Firefox?  If so, you can go Tools => Options => Privacy => Show Cookies and find what's in the cookies for your domain.  HTH, ~Ray

 

by: coincidence Posted on 2008-07-26 at 10:20:11 ID: 22095589

Hi Ray -

yeah that's where I got the info I mentioned in a couple of posts above...

 

by: Ray_Paseur Posted on 2008-07-26 at 11:11:56 ID: 22095740

Possibly your secure and unsecure servers are not on the same machine?

http://markmail.org/message/agm4gehiawycdnpo

Don't know if that's the case, but if they are on different machines, it might explain different SESSID.

 

by: coincidence Posted on 2008-07-26 at 15:13:29 ID: 22096428

Grrr.....I wish I had *@£&!&$ checked that before.

I just did a ping of the two sites and the IP addresses are different. It is a shared ssl so I guess that makes sense but if I want to continue using this shared SSL how do I get round it without doing everything in https?

 

by: Ray_Paseur Posted on 2008-07-26 at 15:57:46 ID: 22096559

Sorry, I don't know how to get around it - that's too deep into the internals of PHP for me!

I would probably opt for (1) using my own cookie and/or (2) going 100% HTTPS. I don't know another way of getting around this with just PHP commands.  I realize that HTTPS is somewhat slower than clear text, but if you are not sending a lot of images and graphics it may be OK, performance-wise.

The overall workflow I follow is this:

1. get cookie from browser
2. if cookie, get state information from data base
 -- do stuff --
3. put state information into data base
4. put cookie on browser

You can put anything you want into "state information"... and you can easily set a cookie that is both HTTP and HTTPS, so you are not dealing with a lot of variables and you can put much of this logic into the header of each page or into a single function call.

Best of luck, ~!Ray

 

by: coincidence Posted on 2008-07-28 at 05:42:37 ID: 22102478

I think that the code I have is probably adaptable to what you are suggesting.

Could I keep the session variables for the most part but then put the session id in a cookie (available on both servers) and also put it in the database with the other session data?

I am not very adept at cookies, could you suggest how I might adapt the code, ie - the function require_authentication_frontend and the code above that where I put the session data into the database at login?

I am still not clear on how I would make the cookie available on both servers?

Also what are the implications of doing this in terms of security? Would it make it easier to hijack a session now that I have a cookie?

Thanks.

 

by: Ray_Paseur Posted on 2008-07-28 at 06:45:12 ID: 22103036

OK: Cookie fundamentals.  The cookie is not on the server - it is on the browser.  The $_SESSION array is on the browser.  That's why you have the problem.

The contents of the cookie determines when the browser should send the cookie to the server.  The cookie generation code I posted above will tell the browser to present the cookie to either http or https for any subdomain or datapath of $_SERVER["HTTP_HOST"] - that's about as universal as I can make it.

You can put almost anything you want in the cookie variables.  One thing might be a hash string on $_SERVER["REMOTE_ADDR"] - if this changes, you can consider the cookie invalid.  I _think_ that will not kill dial-up AOL clients, but I could be wrong.  

Another thing might be an encoded string (that can be decoded) giving a cookie expiration date.  That will make it a little harder for a hacker to use the old cookie.  The cookie expiration date is information that is stored on the client machine.  In a strictly secure environment you cannot trust it.  In the "real world" you may find that the times are different between the client and the server.  That's why I control for elapsed time on the server.

You can serialize or unserialize $_SESSION if you're using it as an associative array.  (If you've got complicated stuff like objects and resources in $_SESSION, you're asking for trouble.)  You can store and retrieve the serialized session data - put it in a data base as a text string.  An encoded DB key might be one of the things you would store in the cookie.

In PHP, cookies are NOT available to the script that sets them - only to the subsequent scripts.  To deal with this, I set the cookies in the login script and also set an indicator in $_SESSION that the client is logged in.  Obviously, your $_SESSION variable is not capable of carrying that information, so you must rely on the cookie.  That's why I would hash the remote address and encode the expiration date, etc.

Are you more vulnerable?  That depends on how carefully you code around the threats that may attack your site.  Google Chris Shiflett (security expert, not Foo Fighter) and follow his advice.  He blogs and speaks on these topics regularly and is a well-respected expert.  If you don't put everything behind HTTPS you are more vulnerable at one level or another.

Here is the general workflow:

1. Check Cookie
  Does it match any cookie in my data base?
  Does its REMOTE_ADDR hash match the current hash?
  Does its decoded time return a time within my permissible session life?
  If the answer to any of these is "no", redirect to Login Page

2. Extract the contents of the data base for this cookie
  Put these data into $_SESSION
  Update the cookie time code to reflect new lifetime
  Put the cookie into the data base
  setcookie() on the browser

3. Process the rest of the script.

4. For the Logout Page, do something like the code snippet.

Confronted with all this, you might say to yourself, "Why not just go with HTTPS?"

;-)

Good luck, ~Ray

$cookie_name 	= "$my_login_cookie";
$cookie_value	= "X";
$cookie_expires	= time() - 42000;
$cookie_path	= '/';
$cookie_domain	= str_replace('www', '', strtolower($_SERVER["HTTP_HOST"])); // STARTS WITH DOT
$cookie_secure	= FALSE;
$cookie_http	= TRUE;
if (!setcookie($cookie_name, $cookie_value, $cookie_expires, $cookie_path, $cookie_domain, $cookie_secure, $cookie_http)) { /* echo "Cookie Failed"; */ }
 
$_SESSION = array();
if (isset($_COOKIE[session_name()])) {
	setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();
 
header("Location: /");
exit;
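
The workflow listed in the post above (match the cookie against the data base, compare the REMOTE_ADDR hash, enforce the lifetime on the server clock, then load the state), as an added example that is not part of the original post. Function and table names are hypothetical, SQLite in memory stands in for the site's MySQL data base, and JSON is used in place of serialize().

```php
<?php
// Added example, not Ray_Paseur's code. Names are hypothetical; the
// in-memory SQLite store is an assumption so the script runs offline.
declare(strict_types=1);

const SESSION_LIFE = 1800; // assumed permissible session life, in seconds

function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_state (
        token_hash TEXT PRIMARY KEY,  -- SHA-256 of the cookie value
        addr_hash  TEXT NOT NULL,     -- SHA-256 of REMOTE_ADDR at login
        expires    INTEGER NOT NULL,  -- server clock, never the cookie expiry
        data       TEXT NOT NULL      -- JSON-encoded state
    )');
    return $db;
}

/** Login: store the state server-side, return the random cookie value. */
function issue_token(PDO $db, array $state, string $addr, int $now): string
{
    $token = bin2hex(random_bytes(32));
    // Only the hash is stored, so a copy of the table yields no usable cookies.
    $db->prepare('INSERT INTO login_state VALUES (?, ?, ?, ?)')->execute([
        hash('sha256', $token), hash('sha256', $addr),
        $now + SESSION_LIFE, json_encode($state),
    ]);
    return $token;
}

/** Steps 1 and 2 of the workflow: null means "redirect to the login page". */
function load_state(PDO $db, string $token, string $addr, int $now): ?array
{
    $hash = hash('sha256', $token);
    $q = $db->prepare(
        'SELECT addr_hash, expires, data FROM login_state WHERE token_hash = ?'
    );
    $q->execute([$hash]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                  // unknown cookie value
    }
    if (!hash_equals($row['addr_hash'], hash('sha256', $addr))) {
        return null;                                  // address changed
    }
    if ((int) $row['expires'] < $now) {
        end_state($db, $token);                       // expired: clean up
        return null;
    }
    // Slide the server-side lifetime forward on each valid request.
    $db->prepare('UPDATE login_state SET expires = ? WHERE token_hash = ?')
       ->execute([$now + SESSION_LIFE, $hash]);
    return json_decode($row['data'], true);
}

/** Logout: delete the server-side record so the cookie value is dead. */
function end_state(PDO $db, string $token): void
{
    $db->prepare('DELETE FROM login_state WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Constructed walk-through; the addresses are documentation ranges.
$db    = open_store();
$t0    = 1217250000;
$token = issue_token($db, ['user_id' => 'Bob Example', 'level' => 1], '192.0.2.10', $t0);

var_dump(load_state($db, $token, '192.0.2.10', $t0 + 60));                    // same client
var_dump(load_state($db, $token, '198.51.100.7', $t0 + 120));                 // other address
var_dump(load_state($db, 'not-a-real-token', '192.0.2.10', $t0 + 120));       // forged value
var_dump(load_state($db, $token, '192.0.2.10', $t0 + 60 + SESSION_LIFE + 1)); // idle too long
end_state($db, $token);
var_dump(load_state($db, $token, '192.0.2.10', $t0 + 200));                   // after logout
```

With the cookie set as in this thread (secure = FALSE), the value still crosses the http side in clear text; the server-side checks limit how long a copied value stays useful, they do not stop it being read.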
                                              

 

by: coincidence Posted on 2008-07-28 at 12:48:09 ID: 22106255

I'm afraid I am still having a few problems. I have added the code you suggested. I have removed the cFlag if else statement but kept the cookie expires part.

I have removed all the cookies in the browser.

I put the suggested code into my login code and the cookie appears in secure domain cookies. The way I can tell this is working is that I added this code to CP.php

  if(isset($_COOKIE['mycookiename'])) { echo "your cookie was found..."; }

This works in the secure area, but it doesn't work in the non-secure area. It appears to be the same problem I had with the code suggested by hernst42.

As I mentioned above, two different servers are being used here by the host. The IP addresses are DIFFERENT. If that makes any difference to your suggested solution...

Thanks again...

 

by: Ray_Paseur Posted on 2008-07-28 at 12:56:24 ID: 22106329

Please send me a link.  You can post it like this if you want to obscure from Google: I can figure it out.  Also, please post the code you're using.  I'll have one more look. ~Ray

w mydomain c  -- or --  w mydomain n

 

by: coincidence Posted on 2008-07-29 at 03:04:42 ID: 22109933

Hi Ray_Paseur

Thanks for your help. I have managed to fix the problem. I should have noticed this... since the cookies are originally created in the secure area, instead of the line:

$cookie_domain  = str_replace('www', '', strtolower($_SERVER["HTTP_HOST"])); // STARTS WITH DOT

I should have changed it to:

$cookie_domain  = str_replace('secure', '', strtolower($_SERVER["HTTP_HOST"])); // STARTS WITH DOT

Once I did this, the cookies became visible in both areas of the domain.
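
The fix above works because the cookie domain no longer depends on which host served the login page. An added example (not code from the thread) that derives the shared cookie domain from a fixed parent instead of string-replacing on HTTP_HOST; `PARENT_DOMAIN`, `shared_cookie_domain()` and `start_shared_session()` are hypothetical names, and mydomain.com is the thread's placeholder.

```php
<?php
// Added example, not code from the thread. All names are hypothetical.
declare(strict_types=1);

const PARENT_DOMAIN = 'mydomain.com'; // the thread's placeholder domain

/**
 * Return the cookie domain for a request host, or null when the host is
 * neither PARENT_DOMAIN nor one of its subdomains. HTTP_HOST is supplied
 * by the client, so it only decides whether a cookie is set; it is never
 * copied into the cookie.
 */
function shared_cookie_domain(string $httpHost): ?string
{
    $host = strtolower(trim($httpHost));
    $host = preg_replace('/:\d+$/', '', $host);   // drop a ":443" style port
    $host = rtrim($host, '.');                    // drop a trailing root dot

    if ($host === PARENT_DOMAIN) {
        return '.' . PARENT_DOMAIN;
    }
    // Require a label boundary so "evilmydomain.com" does not match.
    $suffix = '.' . PARENT_DOMAIN;
    if (strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix) {
        return $suffix;
    }
    return null;
}

/** Start the PHP session with a cookie that both hosts receive. */
function start_shared_session(string $httpHost): bool
{
    $domain = shared_cookie_domain($httpHost);
    if ($domain === null) {
        return false; // unknown host: do not issue a session cookie
    }
    // Positional order: lifetime, path, domain, secure, httponly.
    // secure=false is what lets the http side see the cookie, as in the
    // thread; the session id then crosses the network in clear text there.
    session_set_cookie_params(0, '/', $domain, false, true);
    return session_start();
}

// Constructed sample hosts: www and secure give the same cookie domain,
// look-alike hosts give NULL.
$samples = [
    'www.mydomain.com',
    'secure.mydomain.com:443',
    'SECURE.mydomain.com.',
    'secure.mydomain.com.attacker.example',
    'evilmydomain.com',
];
foreach ($samples as $h) {
    printf("%-40s => %s\n", $h, var_export(shared_cookie_domain($h), true));
}
```

A shared cookie domain only gets the same value to both hosts; when they are different machines, as in this thread, the data behind it still has to live in storage both can reach.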

 

by: Ray_Paseur Posted on 2008-07-29 at 03:52:26 ID: 22110230

Sorry, I saw that in your information above and looked right past it --  I should have caught that, too!  

Anyway, thanks for the interesting problem and good luck as you go forth.  Best regards, ~Ray
