Solved

have to relogin to site when switching from http to HTTPS

Posted on 2011-09-02
8
356 Views
Last Modified: 2012-05-12
I have a site that uses https://secure.some_domain_name.com i login from http://some_domain_name.com
both are on the same webspace(server) and the pages are in the same folder

when i loginto the site(the page is not ssl) i login fine, i go to look at the personal information page and i have it call up the page via https://secure.some_domain_name.com/account_info.php i then get redirected to the login screen and have to relogin. how do i fix this?

am i loosing sessions somehow in that the browser is thinking im on another domain?
do i have to make the login page SSL?
what do i have to do so we dont have to relogin? with the http to https switch?

im using:
PHP
Apache
a UNIX flavor server

thank you in advance for any code or help you may provide, and thank you for your time in this matter.
Johnny
0
Comment
Question by:Johnny
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
8 Comments
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 36473662
I expect that the session cookie is not set so that it can be shared between SSL and non-SSL pages.  I know that it is not set so you can share cookies across subdomains, unless you deliberately set it that way.  

See the code snippet for an example of how I have done this.  Another idea might be to put ALL of the scripts that demand authentication behind HTTPS.

HTH, ~Ray
<?php // RAY_session_cookie_SSL.php
error_reporting(E_ALL);


// DEMONSTRATE HOW TO START SESSIONS THAT WORK IN HTTP AND HTTPS


// MAKE A DOMAIN NAME THAT OMITS WWW OR OTHER SUBDOMAINS
$x = explode('.', strtolower($_SERVER["HTTP_HOST"]));
$y = count($x);

// POSSIBLY 'localhost'
if ($y == 1)
{
    $host = $x[0];
}

// SOMETHING LIKE 'www2.atf70.whitehouse.gov'
else
{
    // USE A DOT PLUS THE LAST TWO POSITIONS TO MAKE THE HOST DOMAIN NAME
    $host
    = '.'
    . $x[$y-2]
    . '.'
    . $x[$y-1]
    ;
}

// START THE SESSION AND SET THE COOKIE FOR ALL SUBDOMAINS AND FOR BOTH HTTP AND HTTPS
$sess_name = session_name();
if (session_start())
{
    // MAN PAGE http://us.php.net/manual/en/function.setcookie.php
    setcookie($sess_name, session_id(), NULL, '/', $host, FALSE, TRUE);
}

// PROVE THAT THE COOKIE WORKS BOTH WAYS
$_SESSION["cheese"] = "Cheddar";
if (!isset($_SESSION["count"])) $_SESSION["count"] = 0;
$_SESSION["count"] ++;

// PUT UP TWO LINKS WITH DIFFERENT PROTOCOLS
$gost = ltrim($host,'.');
$ssl_link = 'https://' . $gost . '/RAY_dump_session.php'; // THIS IS A var_dump() SCRIPT
$www_link = 'http://'  . $gost . '/RAY_dump_session.php';

echo "<br/><a target=\"_blank\" href=\"$www_link\">$www_link</a>" . PHP_EOL;
echo "<br/><a target=\"_blank\" href=\"$ssl_link\">$ssl_link</a>" . PHP_EOL;


// SHOW WHAT IS IN COOKIE AND IN $_SESSION
echo "<pre>";
echo "COOKIE ";
var_dump($_COOKIE);
echo PHP_EOL;
echo "SESSION ";
var_dump($_SESSION);

// END OF PHP - PUT UP THE HTML FORM
?>
<form method="post">
<input type="submit" value="CLICK ME" />
</form>

Open in new window

0
 
LVL 10

Expert Comment

by:webwyzsystems
ID: 36474029
So if I am reading correctly, both your secure content and public content are in the same directory?

This seems a little different than standard design patterns. If the system simply needs to keep content private and secure for a select number of users, I think an htaccess approach needs to be considered.

htaccess is simple to do, very secure, and there is a plethora of resources out there to draw upon.
You just need an https link to the location of your folder protected by htaccess. Once the user follows the link, everything else is taken care of by the browser and server.

Most serving platforms provide htaccess tools right in their control panel, and several scripts and such to customize its use on your site.
0
 

Author Comment

by:Johnny
ID: 36474100
two things i noticed

1: when i made the example live you gave ray (thanks btw) i didnt place http://secure.XXXX it was https://XXXX so it worked with the ssl i have. so i changed all the urls to not use the secure url text.

2: i made login.php always pointed from another page to be https://XXXXX.com/login.php

this made it so i no longer have to double login and sessions are not lost or what ever the problem was with switching from http to https


thanks again Ray, it got me on the right track, also note it always amazes me the code you come up with this is one of those times.

0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:Johnny
ID: 36474121
crude i accepted the wrong solution, i wanted rays, didnt notice a second person posted

GGGRRR now how to fix this

but non the less thanks webwyzsyst… for the comments
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 36474199
If you want to change the was the question was closed, you can use the Request Attention link found at the lower right hand corner of the original question and ask a moderator to re-open it.  In any case, I'm glad you've got things pointed in the right direction.  Best, ~Ray
0
 

Author Comment

by:Johnny
ID: 36474302
i did that thanks ray
Request Attention (pending)
0
 

Author Closing Comment

by:Johnny
ID: 36483661
thanks for all the help
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SSL stands for “Secure Sockets Layer” and an SSL certificate is a critical component to keeping your website safe, secured, and compliant. Any ecommerce website must have an SSL certificate to ensure the safe handling of sensitive information like…
These days socially coordinated efforts have turned into a critical requirement for enterprises.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question