?
Solved

have to relogin to site when switching from http to HTTPS

Posted on 2011-09-02
8
Medium Priority
?
359 Views
Last Modified: 2012-05-12
I have a site that uses https://secure.some_domain_name.com i login from http://some_domain_name.com
both are on the same webspace(server) and the pages are in the same folder

when i loginto the site(the page is not ssl) i login fine, i go to look at the personal information page and i have it call up the page via https://secure.some_domain_name.com/account_info.php i then get redirected to the login screen and have to relogin. how do i fix this?

am i loosing sessions somehow in that the browser is thinking im on another domain?
do i have to make the login page SSL?
what do i have to do so we dont have to relogin? with the http to https switch?

im using:
PHP
Apache
a UNIX flavor server

thank you in advance for any code or help you may provide, and thank you for your time in this matter.
Johnny
0
Comment
Question by:Johnny
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
8 Comments
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 36473662
I expect that the session cookie is not set so that it can be shared between SSL and non-SSL pages.  I know that it is not set so you can share cookies across subdomains, unless you deliberately set it that way.  

See the code snippet for an example of how I have done this.  Another idea might be to put ALL of the scripts that demand authentication behind HTTPS.

HTH, ~Ray
<?php // RAY_session_cookie_SSL.php
error_reporting(E_ALL);


// DEMONSTRATE HOW TO START SESSIONS THAT WORK IN HTTP AND HTTPS


// MAKE A DOMAIN NAME THAT OMITS WWW OR OTHER SUBDOMAINS
$x = explode('.', strtolower($_SERVER["HTTP_HOST"]));
$y = count($x);

// POSSIBLY 'localhost'
if ($y == 1)
{
    $host = $x[0];
}

// SOMETHING LIKE 'www2.atf70.whitehouse.gov'
else
{
    // USE A DOT PLUS THE LAST TWO POSITIONS TO MAKE THE HOST DOMAIN NAME
    $host
    = '.'
    . $x[$y-2]
    . '.'
    . $x[$y-1]
    ;
}

// START THE SESSION AND SET THE COOKIE FOR ALL SUBDOMAINS AND FOR BOTH HTTP AND HTTPS
$sess_name = session_name();
if (session_start())
{
    // MAN PAGE http://us.php.net/manual/en/function.setcookie.php
    setcookie($sess_name, session_id(), NULL, '/', $host, FALSE, TRUE);
}

// PROVE THAT THE COOKIE WORKS BOTH WAYS
$_SESSION["cheese"] = "Cheddar";
if (!isset($_SESSION["count"])) $_SESSION["count"] = 0;
$_SESSION["count"] ++;

// PUT UP TWO LINKS WITH DIFFERENT PROTOCOLS
$gost = ltrim($host,'.');
$ssl_link = 'https://' . $gost . '/RAY_dump_session.php'; // THIS IS A var_dump() SCRIPT
$www_link = 'http://'  . $gost . '/RAY_dump_session.php';

echo "<br/><a target=\"_blank\" href=\"$www_link\">$www_link</a>" . PHP_EOL;
echo "<br/><a target=\"_blank\" href=\"$ssl_link\">$ssl_link</a>" . PHP_EOL;


// SHOW WHAT IS IN COOKIE AND IN $_SESSION
echo "<pre>";
echo "COOKIE ";
var_dump($_COOKIE);
echo PHP_EOL;
echo "SESSION ";
var_dump($_SESSION);

// END OF PHP - PUT UP THE HTML FORM
?>
<form method="post">
<input type="submit" value="CLICK ME" />
</form>

Open in new window

0
 
LVL 10

Expert Comment

by:webwyzsystems
ID: 36474029
So if I am reading correctly, both your secure content and public content are in the same directory?

This seems a little different than standard design patterns. If the system simply needs to keep content private and secure for a select number of users, I think an htaccess approach needs to be considered.

htaccess is simple to do, very secure, and there is a plethora of resources out there to draw upon.
You just need an https link to the location of your folder protected by htaccess. Once the user follows the link, everything else is taken care of by the browser and server.

Most serving platforms provide htaccess tools right in their control panel, and several scripts and such to customize its use on your site.
0
 

Author Comment

by:Johnny
ID: 36474100
two things i noticed

1: when i made the example live you gave ray (thanks btw) i didnt place http://secure.XXXX it was https://XXXX so it worked with the ssl i have. so i changed all the urls to not use the secure url text.

2: i made login.php always pointed from another page to be https://XXXXX.com/login.php

this made it so i no longer have to double login and sessions are not lost or what ever the problem was with switching from http to https


thanks again Ray, it got me on the right track, also note it always amazes me the code you come up with this is one of those times.

0
7 Extremely Useful Linux Commands for Beginners

Just getting started with Linux? Here's a quick start guide that has 7 commands that we believe will come in handy.

 

Author Comment

by:Johnny
ID: 36474121
crude i accepted the wrong solution, i wanted rays, didnt notice a second person posted

GGGRRR now how to fix this

but non the less thanks webwyzsyst… for the comments
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 36474199
If you want to change the was the question was closed, you can use the Request Attention link found at the lower right hand corner of the original question and ask a moderator to re-open it.  In any case, I'm glad you've got things pointed in the right direction.  Best, ~Ray
0
 

Author Comment

by:Johnny
ID: 36474302
i did that thanks ray
Request Attention (pending)
0
 

Author Closing Comment

by:Johnny
ID: 36483661
thanks for all the help
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
This article discusses how to create an extensible mechanism for linked drop downs.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question