HTTPS Problem

Hello,

My site uses HTTP for normal browsing, but my login form redirects to a page that uses HTTPS. For some reason, ever since I allowed this, session cookies do not work right away unless I start browsing with HTTPS... However, if I start with HTTP, I must first switch to HTTPS for the login to work. Does that make sense? What can I do to fix this problem? It looks as if PHP treats it as two different sessions.


Brian
BrianGEFF719Asked:

BrianGEFF719Author Commented:
Oh wait,

here, I think, is where the problem is:

http://www.mysite.com
https://mysite.com

When I go to http://mysite.com, it switches between http and https just fine; it's the mix of the www and the no www.


How can I get around this without it treating them as separate domains?


brian
0
TomeeboyCommented:
I think you need to somehow transfer your session variables over when crossing between HTTP and HTTPS.  You could try to store them in $_COOKIE and then reload them after the crossover.  Just don't try to pass the session ID in the URL, as that's pretty insecure.
0
TomeeboyCommented:
Ah, I see your problem... and this is with session cookies only and not cookies you are setting yourself, right?  Pretty sure you need to change the session cookie domain in your config.. there are a couple easy options:

In PHP.ini:

session.cookie_domain = ".yourdomain.com"

Or you can set it in your scripts using ini_set:

ini_set ( 'session.cookie_domain', '.yourdomain.com' );
0

BrianGEFF719Author Commented:
Here is the problem: typically people will navigate to http://www.mysite.com. I need the session cookies to be started once they attempt to log in; however, every HTTP page checks for the session cookies and calls session_start()... This is a weird situation. Btw, it's a shared hosting server, so I have no access to php.ini.

Brian
0
DenisvtCommented:
Do you NEED to go to http://mysite.com ? Or is this just your domain or default server config that allow it and would you rather use  www.mysite.com ?
(Note that if your SSL certificate was generated for www.mysite.com it will most likely NOT be accepted right away for http://mysite.com and will throw an alert that may be scary to some users).
It may be useful for you to not let anybody enter your site without www., thanks to an htaccess file :

RewriteEngine on
# Dots are escaped so they match a literal "." in the host name
RewriteCond %{HTTP_HOST} !^www\.mysite\.com$
RewriteRule ^(.*)   http://www.mysite.com/$1  [QSA,L,R=301]


I hope this helps.
0
BrianGEFF719Author Commented:
I would prefer they not use www.

http://mysite.com -> https://mysite.com (WORKS)
http://www.mysite.com -> https://mysite.com (DOES NOT WORK)

Because the certificate is for https://mysite.com, it has to do this switch. Does it cause a problem to prevent people from using www.mysite.com?


Brian
0
DenisvtCommented:
If your certificate was setup for https://mysite.com you will get a warning for any other URL.
If you want to get rid of the WWW you can simply update the rewrite rule :

# Redirect only when the request came in on the www host
RewriteCond %{HTTP_HOST} ^www\.mysite\.com$
RewriteRule ^(.*)   http://mysite.com/$1  [QSA,L,R=301]
0
TomeeboyCommented:
Well, it's a habit of most people to type in www. before a domain when visiting a web site (heck, some people want to put a www. in front of everything!).  You could try this to "force" people to use your domain without the www.

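// Redirect requests for the "www." host to the same page on the bare domain.
if (substr($_SERVER['HTTP_HOST'], 0, 4) == "www.") {
    // Drop the leading "www." (4 characters) and keep the rest of the host name.
    $url = "http://" . substr($_SERVER['HTTP_HOST'], 4) . $_SERVER['PHP_SELF'];
    if (!empty($_SERVER['QUERY_STRING'])) {
        $url .= "?" . $_SERVER['QUERY_STRING'];
    }
    header("Location: " . $url);
    exit; // stop here so the rest of the page does not run after the redirect
}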

Put that at the top of your code and it will automatically and instantly redirect visitors that try to access your pages with "www." in the url.
0
DenisvtCommented:
A $_SERVER['HTTP_HOST'] rule can work fine too that's right, but a global Mod_rewrite rule only has to be setup once site-wide, and will let people type whichever address they want, it will work for both but R(edirect) them to the "www-less" URL.
0
BrianGEFF719Author Commented:
Will rewrite work in sub directories? or do I need to add it to each .htaccess file in each directory?


Brian
0
DenisvtCommented:
If you place that instruction in the base directory it will apply to all files on your domain whether in the root or in subdirs - you could also insert it directly in the Apache config so that it also applies to your whole domain.
0
TheMaximumWeaselCommented:
Just have PHP redirect to https before setting cookies, then make it so all cookies are https.

Max
0
BrianGEFF719Author Commented:
>>Just have PHP redirect to https before setting cookies, then make it so all cookies are https.

Here is the problem: the page that redirects to https already starts a session to check if the user is logged in.


Brian
0
TheMaximumWeaselCommented:
Then in the URL, using GET, pass the session ID; that way the https:// pages can use the same session.

Max
0
BrianGEFF719Author Commented:
How do you pass the session ID?
0
BrianGEFF719Author Commented:
Oh wait, PHP is already doing that for me; it is adding PHPSESSID to my form anyway. And clearly that does not fix the problem.


Brian
0
TheMaximumWeaselCommented:
Post me what the form code looks like in the source so I can see the sessid.

Max
0
TheMaximumWeaselCommented:
And to restore that session ID, try this.

// session_id() sets the ID to use; it must be called before session_start()
session_id($_GET['PHPSESSID']);

Max
0
TomeeboyCommented:
I'm not so sure it's a great idea to pass the session ID in the URL...

Brian, did you try using the following?

ini_set ( 'session.cookie_domain', '.yourdomain.com' );

You may not have direct access to php.ini, but I'm not so sure that would stop this function from working.  It changes the setting for the duration of the script then changes it back at the end... it's not a permanent modification to php.ini.  I've heard of it being used on shared servers before, although I don't know your particular setup.  You should at least try it though, before you even think of passing session IDs in the URL (which is a potential security risk).
0

TomeeboyCommented:
That line should go at the top of your scripts, by the way.
0
BrianGEFF719Author Commented:
Will:

ini_set ( 'session.cookie_domain', '.yourdomain.com' );



Will this work across two subdomains? Because that's basically the situation I am in. If that will work with both www.mysite.com and mysite.com, then that is an acceptable solution, as it would only require adding one line of code to a header PHP script.


Thanks.

Brian
0
TomeeboyCommented:
Yes, that is why we leave the "www" off the front of the cookie_domain and just have ".yourdomain".  This allows session cookies to work across sub-domains.
0
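The cookie-scoping behaviour discussed above, as an added example that is not part of the thread: the first function models which hosts a browser returns the session cookie to, and the other two show one way to apply the `.mysite.com` setting from a shared header script. The function names and the `SITE_DOMAIN` constant are hypothetical; `mysite.com` is the thread's placeholder domain.

```php
<?php
// Added example, not code from the thread. mysite.com is the thread's placeholder.
const SITE_DOMAIN = 'mysite.com';

/**
 * RFC 6265 in brief: would a browser send a cookie to $requestHost?
 * $domainAttr === null models PHP's default (empty session.cookie_domain):
 * a host-only cookie, returned only to the exact host that set it.
 */
function cookie_sent_to(string $requestHost, string $setByHost, ?string $domainAttr): bool
{
    $requestHost = strtolower($requestHost);
    if ($domainAttr === null) {
        return $requestHost === strtolower($setByHost);
    }
    $domain = strtolower(ltrim($domainAttr, '.')); // a leading dot is ignored
    $suffix = '.' . $domain;
    return $requestHost === $domain
        || substr($requestHost, -strlen($suffix)) === $suffix;
}

function start_shared_session(): void
{
    // Keep the ID in the cookie only, never in URLs or hidden form fields.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // lifetime 0, path '/', domain '.mysite.com', secure false, httponly true.
    // secure stays false only because the thread's HTTP pages read the session,
    // so the cookie crosses the network in cleartext on those pages.
    session_set_cookie_params(0, '/', '.' . SITE_DOMAIN, false, true);
    session_start();
}

function on_login_success(string $username): void
{
    session_regenerate_id(true); // drop the pre-login ID that was exposed over HTTP
    $_SESSION['user'] = $username;
}

if (PHP_SAPI === 'cli') {
    // The thread's failing case: session started on www, login page on the bare domain.
    var_dump(cookie_sent_to('mysite.com', 'www.mysite.com', null));           // host-only
    var_dump(cookie_sent_to('mysite.com', 'www.mysite.com', '.mysite.com')); // shared
    var_dump(cookie_sent_to('www.mysite.com', 'mysite.com', '.mysite.com'));
}
```

A cookie scoped to `.mysite.com` is returned to every subdomain of the site, so any other host under that domain can read the session ID.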
BrianGEFF719Author Commented:
I will give it a try. I'm pretty busy this week; I will try to go over all this stuff by the end of the week.

Brian
0
BrianGEFF719Author Commented:
Tomeeboy: Your solution worked perfect, I added it to one file and it fixed the problem.

Thanks.

Brian
0
TomeeboyCommented:
That's great!  Glad it's working for you ;)
0