Solved

Have to relogin to site when switching from HTTP to HTTPS

Posted on 2011-09-02
Last Modified: 2012-05-12
I have a site that uses https://secure.some_domain_name.com; I log in from http://some_domain_name.com.
Both are on the same webspace (server) and the pages are in the same folder.

When I log into the site (the page is not SSL) I log in fine. I go to look at the personal information page and I have it call up the page via https://secure.some_domain_name.com/account_info.php; I then get redirected to the login screen and have to relogin. How do I fix this?

Am I losing sessions somehow, in that the browser is thinking I'm on another domain?
Do I have to make the login page SSL?
What do I have to do so we don't have to relogin with the HTTP to HTTPS switch?

I'm using:
PHP
Apache
a UNIX flavor server

Thank you in advance for any code or help you may provide, and thank you for your time in this matter.
Johnny
Question by:Johnny
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 36473662
I expect that the session cookie is not set so that it can be shared between SSL and non-SSL pages.  I know that it is not set so you can share cookies across subdomains, unless you deliberately set it that way.  

See the code snippet for an example of how I have done this.  Another idea might be to put ALL of the scripts that demand authentication behind HTTPS.

HTH, ~Ray
<?php // RAY_session_cookie_SSL.php
error_reporting(E_ALL);


// DEMONSTRATE HOW TO START SESSIONS THAT WORK IN HTTP AND HTTPS


// MAKE A DOMAIN NAME THAT OMITS WWW OR OTHER SUBDOMAINS
$x = explode('.', strtolower($_SERVER["HTTP_HOST"]));
$y = count($x);

// POSSIBLY 'localhost'
if ($y == 1)
{
    $host = $x[0];
}

// SOMETHING LIKE 'www2.atf70.whitehouse.gov'
else
{
    // USE A DOT PLUS THE LAST TWO POSITIONS TO MAKE THE HOST DOMAIN NAME
    $host
    = '.'
    . $x[$y-2]
    . '.'
    . $x[$y-1]
    ;
}

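// START THE SESSION AND SET THE COOKIE FOR ALL SUBDOMAINS AND FOR BOTH HTTP AND HTTPS
$sess_name = session_name();
if (session_start())
{
    // MAN PAGE http://us.php.net/manual/en/function.setcookie.php
    // ARGUMENTS: NAME, VALUE, EXPIRES (0 = UNTIL THE BROWSER CLOSES), PATH, DOMAIN, SECURE, HTTPONLY
    // SECURE IS FALSE SO THE BROWSER ALSO SENDS THE COOKIE OVER PLAIN HTTP
    setcookie($sess_name, session_id(), 0, '/', $host, FALSE, TRUE);
}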

// PROVE THAT THE COOKIE WORKS BOTH WAYS
$_SESSION["cheese"] = "Cheddar";
if (!isset($_SESSION["count"])) $_SESSION["count"] = 0;
$_SESSION["count"] ++;

// PUT UP TWO LINKS WITH DIFFERENT PROTOCOLS
$gost = ltrim($host,'.');
$ssl_link = 'https://' . $gost . '/RAY_dump_session.php'; // THIS IS A var_dump() SCRIPT
$www_link = 'http://'  . $gost . '/RAY_dump_session.php';

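// ESCAPE THE LINKS BEFORE OUTPUT BECAUSE $host IS BUILT FROM THE REQUEST'S Host HEADER
echo '<br/><a target="_blank" href="' . htmlspecialchars($www_link) . '">' . htmlspecialchars($www_link) . '</a>' . PHP_EOL;
echo '<br/><a target="_blank" href="' . htmlspecialchars($ssl_link) . '">' . htmlspecialchars($ssl_link) . '</a>' . PHP_EOL;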


// SHOW WHAT IS IN COOKIE AND IN $_SESSION
echo "<pre>";
echo "COOKIE ";
var_dump($_COOKIE);
echo PHP_EOL;
echo "SESSION ";
var_dump($_SESSION);

// END OF PHP - PUT UP THE HTML FORM
?>
<form method="post">
<input type="submit" value="CLICK ME" />
</form>

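The other option mentioned in the answer above, putting every script that needs authentication behind HTTPS, shown as an added example that is not part of the original thread or Ray's code. `CANONICAL_HOST` and the function names are hypothetical; the array form of `session_set_cookie_params()` needs PHP 7.3 or later, and the HTTPS check assumes TLS terminates on the web server itself rather than on a proxy in front of it.

```php
<?php
// Added example: HTTPS-only session handling on a single host name.
// CANONICAL_HOST and all function names are hypothetical placeholders.
const CANONICAL_HOST = 'www.example.com'; // assumption: fixed in config, never taken from the request

function request_is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function start_secure_session(): void
{
    // Plain-HTTP requests are redirected before any session cookie is issued or read.
    if (!request_is_https()) {
        $path = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }

    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',     // host-only; set a parent domain only if several subdomains must share it
        'secure'   => true,   // browser never sends it over plain HTTP
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // refuse session ids the server did not issue
    session_start();
}

function mark_logged_in(string $user): void
{
    // Issue a fresh id at login so an id seen before authentication is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

start_secure_session();
if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
}
$_SESSION['count']++;
echo 'Visits in this session: ' . (int) $_SESSION['count'] . PHP_EOL;
```

With the `Secure` flag set and one host name used throughout, there is no HTTP-to-HTTPS switch left for the session to be lost on, and the session id is never sent in clear text.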
 
LVL 10

Expert Comment

by:webwyzsystems
ID: 36474029
So if I am reading correctly, both your secure content and public content are in the same directory?

This seems a little different than standard design patterns. If the system simply needs to keep content private and secure for a select number of users, I think an htaccess approach needs to be considered.

htaccess is simple to do, very secure, and there is a plethora of resources out there to draw upon.
You just need an https link to the location of your folder protected by htaccess. Once the user follows the link, everything else is taken care of by the browser and server.

Most serving platforms provide htaccess tools right in their control panel, and several scripts and such to customize its use on your site.
 

Author Comment

by:Johnny
ID: 36474100
Two things I noticed:

1: When I made the example you gave live, Ray (thanks btw), I didn't place http://secure.XXXX, it was https://XXXX, so it worked with the SSL I have. So I changed all the URLs to not use the secure URL text.

2: I made login.php always pointed from another page to be https://XXXXX.com/login.php

This made it so I no longer have to double login and sessions are not lost, or whatever the problem was with switching from HTTP to HTTPS.


Thanks again Ray, it got me on the right track. Also note it always amazes me the code you come up with; this is one of those times.


Author Comment

by:Johnny
ID: 36474121
Crud, I accepted the wrong solution. I wanted Ray's, didn't notice a second person posted.

GGGRRR now how to fix this

But nonetheless, thanks webwyzsyst… for the comments
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 36474199
If you want to change the way the question was closed, you can use the Request Attention link found at the lower right hand corner of the original question and ask a moderator to re-open it.  In any case, I'm glad you've got things pointed in the right direction.  Best, ~Ray
 

Author Comment

by:Johnny
ID: 36474302
I did that, thanks Ray
 

Author Closing Comment

by:Johnny
ID: 36483661
Thanks for all the help