?
Solved

PHP $_SESSION  from  http:// to https://

Posted on 2014-03-11
18
Medium Priority
?
331 Views
Last Modified: 2014-03-11
how can i convey/transfer a session variable that was begun in
an http://  page
and  access the value in an ordering page that is https://
0
Comment
Question by:willsherwood
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 6
  • 4
18 Comments
 
LVL 58

Accepted Solution

by:
Gary earned 1000 total points
ID: 39922013
Unless some part of the domain (including sub domain even if its just removing the www) is changing the session would persist between HTTP and HTTPS.
0
 

Author Comment

by:willsherwood
ID: 39922042
hmmm that's encouraging,  really appreciate that comment.
note that this does work in some browsers, but on a mac with chrome, for instance,
it does not convey the $_SESSION var value.
(with several browsers on a PC, it always DOES work -  i cannot get it to break )
so this would narrow it down to a browser/platform issue?
for the mac/chrome browser, page-to-page retains the value until we hit a https://
(ordering) page in the same site.

any thoughts for debugging further?   this subtlety is new territory for me
0
 
LVL 58

Expert Comment

by:Gary
ID: 39922064
Do you have a link to the page?
Missing files can cause it (Chrome specific)
0
Why Off-Site Backups Are The Only Way To Go

You are probably backing up your data—but how and where? Ransomware is on the rise and there are variants that specifically target backups. Read on to discover why off-site is the way to go.

 
LVL 84

Assisted Solution

by:Dave Baldwin
Dave Baldwin earned 1000 total points
ID: 39922118
The problem with the domain name that Gary mentions is that the SESSION cookie is set for a particular version of the domain name.  If you change from 'www.mysite.com' to 'mysite.com', then the domain name no longer matches the cookie that you set.  On my shopping cart pages, I force the domain name to the 'proper' name for my site so that the SESSION cookie works all the way thru the process.

However, I have not seen that problem with Mac on any browser.  We probably need a link to your real site to see what is happening.
0
 

Author Comment

by:willsherwood
ID: 39922173
in further debugging, there had been some observations that sidetracked us.
your point about www. vs.  no www.
seems to be the key  as opposed to https://

we'll be getting a new SSL cert for this site :)

thanks!
0
 

Author Closing Comment

by:willsherwood
ID: 39922176
thanks all!
0
 

Author Comment

by:willsherwood
ID: 39922185
p.s.   might you know if it's technically possible to register TWO (i.e., multiple)  SSL certs for one account?
the www. version
and the non www. version
for the same hosting account?
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39922193
You're welcome.  Make sure everything matches when you're done.  Below is the code I use to make sure the domain name, session cookie, and SSL certificate all match.  My sites require the 'www'.  I put this on the very first page involved in the shopping cart.
$protocol = (@$_SERVER["HTTPS"] == "on") ? "https://" : "http://";

if (substr($_SERVER['HTTP_HOST'], 0, 4) !== 'www.') {
    header('Location: '.$protocol.'www.'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
    exit;
}

Open in new window

0
 
LVL 58

Expert Comment

by:Gary
ID: 39922199
When you get an SSL cert you actually (with most issuers) get a non www version, www is a sub domain that you set. You could have any sub domain but you can only have one (not counting wildcard certs)
When buying one make sure you are covered for both versions in the cert.
0
 

Author Comment

by:willsherwood
ID: 39922213
my host guy always asks specifically which way we want the domain name
(with or without www)
some of our clients want it with, some without for the SSL pages.

i'm confused by what my host guy differentiates and whay Gary just offered:
When you get an SSL cert you actually get a non www version

that would mean we don't need a new/additional cert, but just adjust a zone table entry?
we do have  zone records for both   with and without www
but i am not familiar how that plays with https://

please help me sort out---   thanks in advance!
0
 

Author Comment

by:willsherwood
ID: 39922219
in looking at Dave's snippet (thank you!)   is that applicable for our
ordering page to "convert" it from no www to   having www.
and that would still maintain the SSL?
if so adding that would be easy, but isn't that writing the header twice?
in conjunction with:     session_start();
0
 
LVL 58

Expert Comment

by:Gary
ID: 39922234
I had just edited my comment to say most issuers, some wont.

GoDaddy and StartSSL for instance cover both so you could use either mysite.com or www.mysite.com
0
 

Author Comment

by:willsherwood
ID: 39922236
(we are bound by what this guy offers)

is it possible tho to have TWO certs for ONE account?
0
 
LVL 58

Expert Comment

by:Gary
ID: 39922252
You cannot have two SSL certs on one IP (until XP has been abolished)
Any further questions should be asked in new question as this delving away from the original question.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39922262
My code snippet is one of the few things you want Before session_start(); .  The whole purpose of it is to make sure that the session cookie is set on the correct domain name so it will work thru the rest of the process.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39922264
(until XP has been abolished)
That's still going to be another 5 years for many companies.
0
 
LVL 58

Expert Comment

by:Gary
ID: 39922269
Making SNI pretty useless!
0
 

Author Comment

by:willsherwood
ID: 39922286
thanks for the follow-ups!
0

Featured Post

Video: Liquid Web Managed WordPress Comparisons

If you run run a WordPress, you understand the potential headaches you may face when updating your plugins and themes. Do you choose to update on the fly and risk taking down your site; or do you set up a staging, keep it in sync with your live site and use that to test updates?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question