Solved

HTTPS Problem

Posted on 2006-03-20
25
Medium Priority
?
231 Views
Last Modified: 2010-08-05
Hello,

My site uses HTTP for normal browsing but my login form redirects to a page that is HTTPS protocol. For some reason, ever since I allowed this, session cookies do not work right away unless I start browsing with HTTPS... However, if I start with HTTP, I must first switch to HTTPS for the login to work. Does that make sense? What can I do to fix this problem? It looks as if PHP treats it as two different sessions.


Brian
0
Comment
Question by:BrianGEFF719
  • 10
  • 7
  • 4
  • +1
25 Comments
 
LVL 19

Author Comment

by:BrianGEFF719
ID: 16244584
oh wait,

here i think is where the problem is:

http://www.mysite.com
https://mysite.com

when I go to http://mysite.com -> it switches between http & https just fine; it's the mix of the www and the no www.


How can I get around this without it treating it as separate domains?


brian
0
 
LVL 15

Expert Comment

by:Tomeeboy
ID: 16244601
I think you need to somehow transfer your session variables over when crossing between HTTP and HTTPS.  You could try to store them in $_COOKIE and then reload them after the crossover.  Just don't try to pass the session ID in the URL, as that's pretty insecure.
0
 
LVL 15

Expert Comment

by:Tomeeboy
ID: 16244624
Ah, I see your problem... and this is with session cookies only and not cookies you are setting yourself, right?  Pretty sure you need to change the session cookie domain in your config.. there are a couple easy options:

In PHP.ini:

session.cookie_domain = ".yourdomain.com"

Or you can set it in your scripts using ini_set:

ini_set ( 'session.cookie_domain', '.yourdomain.com' );
0
 
LVL 19

Author Comment

by:BrianGEFF719
ID: 16244630
Here is the problem: typically people will navigate to http://www.mysite.com. I need the session cookies to be started once they attempt to login; however, every http page checks for the session cookies and calls a session_start()... this is a weird situation. Btw, it's a shared hosting server so I have no access to php.ini

Brian
0
 
LVL 3

Expert Comment

by:Denisvt
ID: 16244652
Do you NEED to go to http://mysite.com? Or is this just your domain or default server config that allows it, and would you rather use www.mysite.com?
(Note that if your SSL certificate was generated for www.mysite.com it will most likely NOT be accepted right away for http://mysite.com and will throw an alert that may be scary to some users).
It may be useful for you to not let anybody enter your site without www., thanks to an htaccess file :

RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.mysite\.com$
RewriteRule ^(.*)   http://www.mysite.com/$1  [QSA,L,R=301]


I hope this helps.
0
 
LVL 19

Author Comment

by:BrianGEFF719
ID: 16244687
I would prefer they not use www.

http://mysite.com -> https://mysite.com (WORKS)
http://www.mysite.com -> https://mysite.com (DOES NOT WORK)

Because the certificate is https://mysite.com, it has to do this switch. Does it cause a problem to prevent people from using www.mysite.com?


Brian
0
 
LVL 3

Expert Comment

by:Denisvt
ID: 16244739
If your certificate was setup for https://mysite.com you will get a warning for any other URL.
If you want to get rid of the WWW you can simply update the rewrite rule:

RewriteCond %{HTTP_HOST} !^mysite\.com$
RewriteRule ^(.*)   http://mysite.com/$1  [QSA,L,R=301]
0
 
LVL 15

Expert Comment

by:Tomeeboy
ID: 16244759
Well, it's a habit of most people to type in www. before a domain when visiting a web site (heck, some people want to put a www. in front of everything!).  You could try this to "force" people to use your domain without the www.

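// Redirect requests for www.<domain> to the bare domain.
if (substr($_SERVER['HTTP_HOST'], 0, 4) == "www.") {
    // substr($host, 4) drops the leading "www."
    $url = "http://" . substr($_SERVER['HTTP_HOST'], 4) . $_SERVER['PHP_SELF'];
    if (!empty($_SERVER['QUERY_STRING'])) {
        $url .= "?" . $_SERVER['QUERY_STRING'];
    }
    header("Location: " . $url);
    exit; // stop the script so nothing else runs after the redirect
}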

Put that at the top of your code and it will automatically and instantly redirect visitors that try to access your pages with "www." in the url.
0
 
LVL 3

Expert Comment

by:Denisvt
ID: 16244843
A $_SERVER['HTTP_HOST'] rule can work fine too that's right, but a global Mod_rewrite rule only has to be setup once site-wide, and will let people type whichever address they want, it will work for both but R(edirect) them to the "www-less" URL.
0
 
LVL 19

Author Comment

by:BrianGEFF719
ID: 16250352
Will rewrite work in sub directories? or do I need to add it to each .htaccess file in each directory?


Brian
0
 
LVL 3

Expert Comment

by:Denisvt
ID: 16250581
If you place that instruction in the base directory it will apply to all files on your domain whether in the root or in subdirs - you could also insert it directly in the Apache config so that it also applies to your whole domain.
0
 
LVL 4

Expert Comment

by:TheMaximumWeasel
ID: 16253571
just have php redirect to https before setting cookies then make it so all cookies are https.

Max
0
 
LVL 19

Author Comment

by:BrianGEFF719
ID: 16253965
>>just have php redirect to https before setting cookies then make it so all cookies are https.

here is the problem, the page that redirects to https already starts a session to check if the user is logged in.


Brian
0
 
LVL 4

Expert Comment

by:TheMaximumWeasel
ID: 16253982
then in the url using get pass the session ID that way the https:// pages can use the same session.

Max
0
 
LVL 19

Author Comment

by:BrianGEFF719
ID: 16253992
how do you pass the session id?
0
 
LVL 19

Author Comment

by:BrianGEFF719
ID: 16254016
oh wait, PHP is already doing that for me, it is adding PHPSESSID to my form anyway. And clearly that does not fix the problem.


Brian
0
 
LVL 4

Expert Comment

by:TheMaximumWeasel
ID: 16254032
post me what the form code looks like in the source so I can see the sessid.

Max
0
 
LVL 4

Expert Comment

by:TheMaximumWeasel
ID: 16254037
and to restore that session id try this.

// must be called before session_start()
session_id($_GET['PHPSESSID']);

Max
0
 
LVL 15

Accepted Solution

by:
Tomeeboy earned 2000 total points
ID: 16254288
I'm not so sure it's a great idea to pass the session ID in the URL...

Brian, did you try using the following?

ini_set ( 'session.cookie_domain', '.yourdomain.com' );

You may not have direct access to php.ini, but I'm not so sure that would stop this function from working.  It changes the setting for the duration of the script then changes it back at the end... it's not a permanent modification to php.ini.  I've heard of it being used on shared servers before, although I don't know your particular set up.  You should at least try it though, before you even think of passing session IDs in the URL (which is a potential security risk).
0
 
LVL 15

Expert Comment

by:Tomeeboy
ID: 16254294
That line should go at the top of your scripts by the way.
0
 
LVL 19

Author Comment

by:BrianGEFF719
ID: 16254809
will:

ini_set ( 'session.cookie_domain', '.yourdomain.com' );



will this work across two subdomains? Because that's basically the situation I am in. If that will work with both www.mysite.com and mysite.com, then that is an acceptable solution as it would only require an addition of 1 line of code to a header php script.


Thanks.

Brian
0
 
LVL 15

Expert Comment

by:Tomeeboy
ID: 16254994
Yes, that is why we leave the "www" off the front of the cookie_domain and just have ".yourdomain".  This allows session cookies to work across sub-domains.
0
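
The accepted fix written out as a fuller session bootstrap, added here as an example and not code posted by anyone in the thread. It assumes PHP 8 or later and the thread's placeholder domain mysite.com; the function names are hypothetical.

```php
<?php
// Added example (PHP 8+); not code from the thread. "mysite.com" is the
// thread's placeholder domain; the function names are hypothetical.
const SITE_DOMAIN = 'mysite.com';

function start_shared_session(): void
{
    // Strip any port and normalise case before comparing the Host header.
    $host = strtolower(preg_replace('/:\d+$/', '', $_SERVER['HTTP_HOST'] ?? ''));
    $ours = $host === SITE_DOMAIN || str_ends_with($host, '.' . SITE_DOMAIN);

    // Keep the session ID out of URLs and forms: cookie only, no PHPSESSID rewriting.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    session_set_cookie_params([
        'lifetime' => 0,                       // expires when the browser closes
        'path'     => '/',
        // Leading-dot domain: the cookie is sent to mysite.com and www.mysite.com.
        // For an unexpected Host value, fall back to a host-only cookie.
        'domain'   => $ours ? '.' . SITE_DOMAIN : '',
        // false because the thread's HTTP pages also read the session, so the
        // cookie crosses the network in cleartext. Set true once every page is HTTPS.
        'secure'   => false,
        'httponly' => true,                    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call after the credentials have been verified on the HTTPS login page.
function mark_logged_in(string $user): void
{
    // Issue a fresh ID so an ID seen or planted before login no longer works.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

start_shared_session();
```

The cookie parameters must be set before session_start() on every page that uses the session, which is why the thread's one-line version goes at the top of a shared header script.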
 
LVL 19

Author Comment

by:BrianGEFF719
ID: 16255096
I will give it a try, i'm pretty busy this week, I will try to go over all this stuff by the end of the week.

Brian
0
 
LVL 19

Author Comment

by:BrianGEFF719
ID: 16275648
Tomeeboy: Your solution worked perfect, I added it to one file and it fixed the problem.

Thanks.

Brian
0
 
LVL 15

Expert Comment

by:Tomeeboy
ID: 16275729
That's great!  Glad it's working for you ;)
0
