Gary

Session management HTTP->HTTPS

I'm passing the session ID in the URL when I move to an HTTPS page, and this works fine for in-page sessions as I set the session_id($_GET['sid']);
When I call another page with AJAX, the session is ignored and a new one is started.
This is in FF; in IE it seems to work fine.
Ray Paseur

You can set your own cookie for the session.  I believe that you can set it so that the session cookie will be returned for both HTTP and HTTPS.  

But there may be a timeliness component here, too.  Check to make sure something like this is not happening to your scripts.  In a recent test, I tried setting a cookie in a script that was a long-running-job (over 40 seconds) and getting the cookie in another script to check the progress of the long-running-job.  It didn't work in either FF or Chrome.  Neither of those returned the cookie until after the first script finished execution.  I did not test IE.

Just curious...  Why not put the whole operation behind HTTPS?  Why switch back and forth?
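
Whether a session cookie comes back on both HTTP and HTTPS, and on a "slightly different" host, depends on its Domain and Secure attributes. The following is an added example, not part of the thread: a simplified model of RFC 6265 matching that reports which requests would carry the cookie. The host names (shop.example) and the function names are constructed assumptions.

```javascript
// Added example: simplified RFC 6265 cookie matching (path "/" only, no
// public-suffix or IP-address handling). All hosts below are constructed.

// RFC 6265 section 5.1.3: the request host matches if it equals the cookie
// domain or is a subdomain of it.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Decide whether a browser would attach `cookie` to a request for `url`.
function wouldSend(cookie, url) {
  const { protocol, hostname } = new URL(url);
  // A Secure cookie is never sent over plain HTTP.
  if (cookie.secure && protocol !== "https:") return false;
  // Host-only cookie (no Domain attribute): exact host match required.
  if (!cookie.domain) {
    return hostname.toLowerCase() === cookie.setByHost.toLowerCase();
  }
  return domainMatches(hostname, cookie.domain);
}

// Report which of the given URLs would receive the cookie.
function audit(cookie, urls) {
  return urls.map((url) => ({ url, sent: wouldSend(cookie, url) }));
}

const urls = [
  "http://www.shop.example/cart.php",
  "https://secure.shop.example/checkout.php",
  "https://secure.shop.example/ajax/total.php",
];

// Default-style PHP session cookie: host-only, set by the HTTP site.
const hostOnly = { name: "PHPSESSID", setByHost: "www.shop.example", secure: false };
// Same cookie widened with Domain=shop.example, without the Secure flag.
const shared = { ...hostOnly, domain: "shop.example" };
// Widened and marked Secure: reaches the HTTPS host only over TLS.
const sharedSecure = { ...shared, secure: true };

console.log(audit(hostOnly, urls));
console.log(audit(shared, urls));
console.log(audit(sharedSecure, urls));
```

The host-only cookie never reaches the HTTPS host, so page loads and AJAX calls there start without it; the widened cookie without Secure reaches both hosts but also travels over plain HTTP.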
Gary

ASKER

The reason I cannot use the same session is because the domain is slightly different.
But the question is why is FF screwing up the session when I manually set the ID, while IE works fine.
I may have to pass the session id in the ajax calls if no one knows...
Do you remember this time:

    var xmlHttpReq = false;
    var self = this;
    // Mozilla/Safari
    if (window.XMLHttpRequest) {
        self.xmlHttpReq = new XMLHttpRequest();
    }
    // IE
    else if (window.ActiveXObject) {
        self.xmlHttpReq = new ActiveXObject("Microsoft.XMLHTTP");
    }

// M. Jackson
Gary

ASKER

@leakim
Uhhh?

@Ray
It would be stupid running a shopping cart on https for the whole thing, just unnecessary
LOL

You said :
But the question is why is FF screwing up the session when I manually set the ID, while IE works fine.

IE and FF don't make AJAX calls the same way.
Gary

ASKER

But I'm manually changing the session id, ajax shouldn't have anything to do with it.
When I call another page with ajax the session is ignored
Gary

ASKER

I don't see your point leakim
I set the session id at the server with php, why would a new session be started on the same protocol/domain
Use fiddle and let me know if you see the session during the AJAX call (on FF and on IE).

If it's possible, provide a link to the page or build a simple one to reproduce.
ASKER CERTIFIED SOLUTION
Gary

This solution is only available to members.
"It would be stupid running a shopping cart on https for the whole thing, just unnecessary"

Facebook and Google don't think so.  They're running Everything on HTTPS now.  What is your objection?
Gary

ASKER

Only for logged in users.
My objection is: why encrypt non-sensitive information and add extra load to the server?
It would be stupid running a shopping cart on https for the whole thing, just unnecessary
I asked the server and she said she didn't mind encryption, in fact she kind of enjoyed it!

Anyway, glad you found a solution, but it doesn't make me entirely comfortable that one browser would work and another would not!
Gary

ASKER

Solved myself