Solved

PHP $_SESSION from http:// to https://

Posted on 2014-03-11
Last Modified: 2014-03-11
How can I convey/transfer a session variable that was begun in an http:// page and access the value in an ordering page that is https://?
Question by:willsherwood
18 Comments
 
LVL 58

Accepted Solution

by:
Gary earned 250 total points
ID: 39922013
Unless some part of the domain (including the subdomain, even if it's just removing the www) is changing, the session would persist between HTTP and HTTPS.
0
 

Author Comment

by:willsherwood
ID: 39922042
hmmm that's encouraging,  really appreciate that comment.
note that this does work in some browsers, but on a mac with chrome, for instance,
it does not convey the $_SESSION var value.
(with several browsers on a PC, it always DOES work -  i cannot get it to break )
so this would narrow it down to a browser/platform issue?
for the mac/chrome browser, page-to-page retains the value until we hit a https://
(ordering) page in the same site.

any thoughts for debugging further?   this subtlety is new territory for me
0
 
LVL 58

Expert Comment

by:Gary
ID: 39922064
Do you have a link to the page?
Missing files can cause it (Chrome specific)
0
 
LVL 83

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 250 total points
ID: 39922118
The problem with the domain name that Gary mentions is that the SESSION cookie is set for a particular version of the domain name.  If you change from 'www.mysite.com' to 'mysite.com', then the domain name no longer matches the cookie that you set.  On my shopping cart pages, I force the domain name to the 'proper' name for my site so that the SESSION cookie works all the way thru the process.

However, I have not seen that problem with Mac on any browser.  We probably need a link to your real site to see what is happening.
0
 

Author Comment

by:willsherwood
ID: 39922173
in further debugging, there had been some observations that sidetracked us.
your point about www. vs.  no www.
seems to be the key  as opposed to https://

we'll be getting a new SSL cert for this site :)

thanks!
0
 

Author Closing Comment

by:willsherwood
ID: 39922176
thanks all!
0
 

Author Comment

by:willsherwood
ID: 39922185
p.s.   might you know if it's technically possible to register TWO (i.e., multiple)  SSL certs for one account?
the www. version
and the non www. version
for the same hosting account?
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39922193
You're welcome.  Make sure everything matches when you're done.  Below is the code I use to make sure the domain name, session cookie, and SSL certificate all match.  My sites require the 'www'.  I put this on the very first page involved in the shopping cart.
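// Keep the scheme the request arrived on, so an HTTPS page stays on HTTPS after the redirect.
$protocol = (isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == 'on') ? 'https://' : 'http://';

// Redirect any host name without 'www.' to the 'www.' form, so the session cookie
// and the SSL certificate are always used with the same domain name.
if (substr($_SERVER['HTTP_HOST'], 0, 4) !== 'www.') {
    header('Location: '.$protocol.'www.'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
    exit;
}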


0
 
LVL 58

Expert Comment

by:Gary
ID: 39922199
When you get an SSL cert you actually (with most issuers) get a non www version; www is a subdomain that you set. You could have any subdomain but you can only have one (not counting wildcard certs).
When buying one, make sure you are covered for both versions in the cert.
0

 

Author Comment

by:willsherwood
ID: 39922213
my host guy always asks specifically which way we want the domain name
(with or without www)
some of our clients want it with, some without for the SSL pages.

i'm confused by what my host guy differentiates and what Gary just offered:
When you get an SSL cert you actually get a non www version

that would mean we don't need a new/additional cert, but just adjust a zone table entry?
we do have  zone records for both   with and without www
but i am not familiar how that plays with https://

please help me sort out---   thanks in advance!
0
 

Author Comment

by:willsherwood
ID: 39922219
in looking at Dave's snippet (thank you!)   is that applicable for our
ordering page to "convert" it from no www to   having www.
and that would still maintain the SSL?
if so adding that would be easy, but isn't that writing the header twice?
in conjunction with:     session_start();
0
 
LVL 58

Expert Comment

by:Gary
ID: 39922234
I had just edited my comment to say most issuers, some won't.

GoDaddy and StartSSL for instance cover both so you could use either mysite.com or www.mysite.com
0
 

Author Comment

by:willsherwood
ID: 39922236
(we are bound by what this guy offers)

is it possible tho to have TWO certs for ONE account?
0
 
LVL 58

Expert Comment

by:Gary
ID: 39922252
You cannot have two SSL certs on one IP (until XP has been abolished)
Any further questions should be asked in a new question as this is delving away from the original question.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39922262
My code snippet is one of the few things you want before session_start();. The whole purpose of it is to make sure that the session cookie is set on the correct domain name so it will work thru the rest of the process.
0
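
The redirect-before-session_start() approach from Dave Baldwin's two comments above, as an added example that is not code from the thread: it redirects to one fixed host name rather than copying the request's Host header into the Location header, then starts the session with a cookie bound to that host. CANONICAL_HOST, www.example.com and canonical_redirect() are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. CANONICAL_HOST is a constructed
// placeholder: set it to the one host name the SSL certificate covers.
const CANONICAL_HOST = 'www.example.com';

/**
 * Return the URL to redirect to, or null when the request already used the
 * canonical host. The target host is a constant, so a client-supplied Host
 * header never ends up in the Location header.
 */
function canonical_redirect(array $server): ?string
{
    $https  = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    $scheme = $https ? 'https://' : 'http://';

    // Host names are case-insensitive and may carry a port ("example.com:8080").
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);
    if ($host === CANONICAL_HOST) {
        return null;
    }

    // Keep only an origin-form path; anything else falls back to the site root.
    $uri = $server['REQUEST_URI'] ?? '/';
    if ($uri === '' || $uri[0] !== '/') {
        $uri = '/';
    }
    return $scheme . CANONICAL_HOST . $uri;
}

// Must run before session_start(), so the session cookie is only ever set
// on the canonical host name.
$target = canonical_redirect($_SERVER);
if ($target !== null) {
    header('Location: ' . $target, true, 301);
    exit;
}

// Empty domain = host-only cookie for CANONICAL_HOST; HttpOnly keeps it away
// from page scripts. Secure stays false here only because the session in this
// thread begins on http:// pages; set it to true once every page is HTTPS.
session_set_cookie_params(0, '/', '', false, true);
session_start();
```
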
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39922264
(until XP has been abolished)
That's still going to be another 5 years for many companies.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39922269
Making SNI pretty useless!
0
 

Author Comment

by:willsherwood
ID: 39922286
thanks for the follow-ups!
0


Question has a verified solution.
