Solved

PHP $_SESSION  from  http:// to https://

Posted on 2014-03-11
Last Modified: 2014-03-11
How can I convey/transfer a session variable that was begun in an http:// page and access the value in an ordering page that is https://?
Question by:willsherwood
18 Comments
 
LVL 58

Accepted Solution

by:
Gary earned 250 total points
ID: 39922013
Unless some part of the domain (including sub domain, even if it's just removing the www) is changing, the session would persist between HTTP and HTTPS.
0
 

Author Comment

by:willsherwood
ID: 39922042
hmmm that's encouraging,  really appreciate that comment.
note that this does work in some browsers, but on a mac with chrome, for instance,
it does not convey the $_SESSION var value.
(with several browsers on a PC, it always DOES work -  i cannot get it to break )
so this would narrow it down to a browser/platform issue?
for the mac/chrome browser, page-to-page retains the value until we hit a https://
(ordering) page in the same site.

any thoughts for debugging further?   this subtlety is new territory for me
0
 
LVL 58

Expert Comment

by:Gary
ID: 39922064
Do you have a link to the page?
Missing files can cause it (Chrome specific)
0
 
LVL 82

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 39922118
The problem with the domain name that Gary mentions is that the SESSION cookie is set for a particular version of the domain name.  If you change from 'www.mysite.com' to 'mysite.com', then the domain name no longer matches the cookie that you set.  On my shopping cart pages, I force the domain name to the 'proper' name for my site so that the SESSION cookie works all the way thru the process.

However, I have not seen that problem with Mac on any browser.  We probably need a link to your real site to see what is happening.
0
 

Author Comment

by:willsherwood
ID: 39922173
in further debugging, there had been some observations that sidetracked us.
your point about www. vs.  no www.
seems to be the key  as opposed to https://

we'll be getting a new SSL cert for this site :)

thanks!
0
 

Author Closing Comment

by:willsherwood
ID: 39922176
thanks all!
0
 

Author Comment

by:willsherwood
ID: 39922185
p.s.   might you know if it's technically possible to register TWO (i.e., multiple)  SSL certs for one account?
the www. version
and the non www. version
for the same hosting account?
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39922193
You're welcome.  Make sure everything matches when you're done.  Below is the code I use to make sure the domain name, session cookie, and SSL certificate all match.  My sites require the 'www'.  I put this on the very first page involved in the shopping cart.
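// Keep the scheme the request arrived on (no error suppression needed).
$protocol = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https://' : 'http://';

// Redirect to the 'www.' name so domain, session cookie and certificate match.
// HTTP_HOST is taken from the request's Host header.
if (substr($_SERVER['HTTP_HOST'], 0, 4) !== 'www.') {
    header('Location: '.$protocol.'www.'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
    exit;
}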


0
 
LVL 58

Expert Comment

by:Gary
ID: 39922199
When you get an SSL cert you actually (with most issuers) get a non www version, www is a sub domain that you set. You could have any sub domain but you can only have one (not counting wildcard certs)
When buying one make sure you are covered for both versions in the cert.
0
 

Author Comment

by:willsherwood
ID: 39922213
my host guy always asks specifically which way we want the domain name
(with or without www)
some of our clients want it with, some without for the SSL pages.

i'm confused by what my host guy differentiates and what Gary just offered:
When you get an SSL cert you actually get a non www version

that would mean we don't need a new/additional cert, but just adjust a zone table entry?
we do have  zone records for both   with and without www
but i am not familiar how that plays with https://

please help me sort out---   thanks in advance!
0
 

Author Comment

by:willsherwood
ID: 39922219
in looking at Dave's snippet (thank you!)   is that applicable for our
ordering page to "convert" it from no www to   having www.
and that would still maintain the SSL?
if so adding that would be easy, but isn't that writing the header twice?
in conjunction with:     session_start();
0
 
LVL 58

Expert Comment

by:Gary
ID: 39922234
I had just edited my comment to say most issuers, some won't.

GoDaddy and StartSSL for instance cover both so you could use either mysite.com or www.mysite.com
0
 

Author Comment

by:willsherwood
ID: 39922236
(we are bound by what this guy offers)

is it possible tho to have TWO certs for ONE account?
0
 
LVL 58

Expert Comment

by:Gary
ID: 39922252
You cannot have two SSL certs on one IP (until XP has been abolished)
Any further questions should be asked in a new question as this is delving away from the original question.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39922262
My code snippet is one of the few things you want Before session_start(); .  The whole purpose of it is to make sure that the session cookie is set on the correct domain name so it will work thru the rest of the process.
0
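Added example, not part of the original thread and not Dave's code: a variant of the redirect-before-session_start() idea that sends every request to one fixed host name over HTTPS and only then starts the session. It assumes the whole cart is served over HTTPS, that PHP is 7.3 or later, and that `www.example.com` is a placeholder for the name on your certificate; the function name `canonical_redirect_target` is made up for this example.

```php
<?php
// Added example. CANONICAL_HOST is a placeholder: use the exact name on your certificate.
const CANONICAL_HOST = 'www.example.com';

/**
 * Return the URL to redirect to, or null if the request is already
 * HTTPS on the canonical host.
 */
function canonical_redirect_target(array $server): ?string
{
    $https = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';

    // The Host header is client-supplied: compare it, never copy it into Location.
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // ignore an explicit port

    if ($https && $host === CANONICAL_HOST) {
        return null;
    }

    // Keep the requested path and query, falling back to the site root.
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return 'https://' . CANONICAL_HOST . $uri;
}

// 1. Redirect first, so no session cookie is ever set on the wrong host name.
$target = canonical_redirect_target($_SERVER);
if ($target !== null) {
    header('Location: ' . $target, true, 302);
    exit;
}

// 2. Only now start the session. Leaving 'domain' unset makes the cookie
//    host-only, i.e. bound to CANONICAL_HOST and not sent to other host names.
session_set_cookie_params([   // array form requires PHP 7.3+
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,       // cookie is sent over HTTPS only
    'httponly' => true,       // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();
```

With `secure` set, the session cookie is not sent on plain http:// requests, which is why this variant moves the visitor to HTTPS before the session begins rather than partway through the order.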
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39922264
(until XP has been abolished)
That's still going to be another 5 years for many companies.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39922269
Making SNI pretty useless!
0
 

Author Comment

by:willsherwood
ID: 39922286
thanks for the follow-ups!
0
