• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 372
  • Last Modified:

have to relogin to site when switching from http to HTTPS

I have a site that uses https://secure.some_domain_name.com i login from http://some_domain_name.com
both are on the same webspace(server) and the pages are in the same folder

when i loginto the site(the page is not ssl) i login fine, i go to look at the personal information page and i have it call up the page via https://secure.some_domain_name.com/account_info.php i then get redirected to the login screen and have to relogin. how do i fix this?

am i loosing sessions somehow in that the browser is thinking im on another domain?
do i have to make the login page SSL?
what do i have to do so we dont have to relogin? with the http to https switch?

im using:
PHP
Apache
a UNIX flavor server

thank you in advance for any code or help you may provide, and thank you for your time in this matter.
Johnny
0
Johnny
Asked:
Johnny
  • 4
  • 2
1 Solution
 
Ray PaseurCommented:
I expect that the session cookie is not set so that it can be shared between SSL and non-SSL pages.  I know that it is not set so you can share cookies across subdomains, unless you deliberately set it that way.  

See the code snippet for an example of how I have done this.  Another idea might be to put ALL of the scripts that demand authentication behind HTTPS.

HTH, ~Ray
<?php // RAY_session_cookie_SSL.php
error_reporting(E_ALL);


// DEMONSTRATE HOW TO START SESSIONS THAT WORK IN HTTP AND HTTPS


// MAKE A DOMAIN NAME THAT OMITS WWW OR OTHER SUBDOMAINS
$x = explode('.', strtolower($_SERVER["HTTP_HOST"]));
$y = count($x);

// POSSIBLY 'localhost'
if ($y == 1)
{
    $host = $x[0];
}

// SOMETHING LIKE 'www2.atf70.whitehouse.gov'
else
{
    // USE A DOT PLUS THE LAST TWO POSITIONS TO MAKE THE HOST DOMAIN NAME
    $host
    = '.'
    . $x[$y-2]
    . '.'
    . $x[$y-1]
    ;
}

// START THE SESSION AND SET THE COOKIE FOR ALL SUBDOMAINS AND FOR BOTH HTTP AND HTTPS
$sess_name = session_name();
if (session_start())
{
    // MAN PAGE http://us.php.net/manual/en/function.setcookie.php
    setcookie($sess_name, session_id(), NULL, '/', $host, FALSE, TRUE);
}

// PROVE THAT THE COOKIE WORKS BOTH WAYS
$_SESSION["cheese"] = "Cheddar";
if (!isset($_SESSION["count"])) $_SESSION["count"] = 0;
$_SESSION["count"] ++;

// PUT UP TWO LINKS WITH DIFFERENT PROTOCOLS
$gost = ltrim($host,'.');
$ssl_link = 'https://' . $gost . '/RAY_dump_session.php'; // THIS IS A var_dump() SCRIPT
$www_link = 'http://'  . $gost . '/RAY_dump_session.php';

echo "<br/><a target=\"_blank\" href=\"$www_link\">$www_link</a>" . PHP_EOL;
echo "<br/><a target=\"_blank\" href=\"$ssl_link\">$ssl_link</a>" . PHP_EOL;


// SHOW WHAT IS IN COOKIE AND IN $_SESSION
echo "<pre>";
echo "COOKIE ";
var_dump($_COOKIE);
echo PHP_EOL;
echo "SESSION ";
var_dump($_SESSION);

// END OF PHP - PUT UP THE HTML FORM
?>
<form method="post">
<input type="submit" value="CLICK ME" />
</form>

Open in new window

0
 
webwyzsystemsCommented:
So if I am reading correctly, both your secure content and public content are in the same directory?

This seems a little different than standard design patterns. If the system simply needs to keep content private and secure for a select number of users, I think an htaccess approach needs to be considered.

htaccess is simple to do, very secure, and there is a plethora of resources out there to draw upon.
You just need an https link to the location of your folder protected by htaccess. Once the user follows the link, everything else is taken care of by the browser and server.

Most serving platforms provide htaccess tools right in their control panel, and several scripts and such to customize its use on your site.
0
 
JohnnyAuthor Commented:
two things i noticed

1: when i made the example live you gave ray (thanks btw) i didnt place http://secure.XXXX it was https://XXXX so it worked with the ssl i have. so i changed all the urls to not use the secure url text.

2: i made login.php always pointed from another page to be https://XXXXX.com/login.php

this made it so i no longer have to double login and sessions are not lost or what ever the problem was with switching from http to https


thanks again Ray, it got me on the right track, also note it always amazes me the code you come up with this is one of those times.

0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
JohnnyAuthor Commented:
crude i accepted the wrong solution, i wanted rays, didnt notice a second person posted

GGGRRR now how to fix this

but non the less thanks webwyzsyst… for the comments
0
 
Ray PaseurCommented:
If you want to change the was the question was closed, you can use the Request Attention link found at the lower right hand corner of the original question and ask a moderator to re-open it.  In any case, I'm glad you've got things pointed in the right direction.  Best, ~Ray
0
 
JohnnyAuthor Commented:
i did that thanks ray
Request Attention (pending)
0
 
JohnnyAuthor Commented:
thanks for all the help
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Cloud Class® Course: Amazon Web Services - Basic

Are you thinking about creating an Amazon Web Services account for your business? Not sure where to start? In this course you’ll get an overview of the history of AWS and take a tour of their user interface.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now