PHP

ID #264

My PHP session is lost whenever I go to a secure URL using the shared SSL certificate.

Applies to: Grid System

The PHP session is lost because PHP sessions are identified by a cookie (named PHPSESSID by default), and a browser only sends a cookie back to the domain that set it.

When you are at http://www.yourdomain.com you are at the domain "yourdomain.com". The session cookie is set for that domain, and every later request to it carries the cookie, which is what keeps your PHP session alive between requests.

However, when you change to the shared SSL URL of https://secure.modwest.com/yourdomain.com/ you are at the domain "modwest.com" (the "yourdomain.com" in that URL is only a path on secure.modwest.com, not a domain), and the browser will not send any cookie set by "yourdomain.com" there. This is a deliberate scoping rule of the cookie protocol, not a limitation of PHP or of the hosting environment.

Because of this rule, the PHP session, which relies on that cookie, is lost, and a new session is started under "secure.modwest.com". The new session is only valid while your visitor stays at the secure URL. When you give them a link back to http://www.yourdomain.com, their browser sends the original cookie again and their original session comes back, while the one started at "secure.modwest.com" becomes inaccessible to you.

The only reasonable solution to losing the PHP session at the shared SSL URL is to get an SSL certificate for your own domain name if you need both SSL and PHP sessions, instead of using our shared SSL certificate. That way your secure URL is at the same domain name as your insecure URL, the session cookie is sent to both, and your PHP session survives the change from non-SSL to SSL pages. One caveat: cookies are shared between http and https on the same host only if they do not carry the Secure attribute, so if you enable session.cookie_secure on the SSL pages, the session will not follow the visitor back to a plain http page.
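The cookie scoping described above, as an added example that is not part of the original FAQ: Python's standard http.cookiejar is used here to model the browser's cookie rules, with the host names the FAQ uses and made-up session ids. It shows that a PHPSESSID cookie set by www.yourdomain.com is sent to https://www.yourdomain.com (the own-certificate fix) but never to secure.modwest.com, and, as the caveat for the fix, that a cookie issued with the Secure attribute on https is not sent back over plain http.

```python
"""Model why a PHP session cookie set by www.yourdomain.com is never sent
to secure.modwest.com, using Python's standard cookie jar as a stand-in
for the browser. Added example, not the FAQ's own code; the host names are
the FAQ's, the cookie values are constructed."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return a headers object with get_all()."""

    def __init__(self, set_cookie_headers):
        self._headers = Message()
        for header in set_cookie_headers:
            self._headers.add_header("Set-Cookie", header)

    def info(self):
        return self._headers


def store_cookie(jar, url, set_cookie_header):
    """Simulate the server at `url` answering with one Set-Cookie header."""
    request = Request(url)
    jar.extract_cookies(_FakeResponse([set_cookie_header]), request)


def cookie_header_for(jar, url):
    """Return the Cookie header a browser holding `jar` would attach to a
    request for `url`, or None if no stored cookie is in scope."""
    request = Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def shared_ssl_scenario():
    """The FAQ's situation: the session cookie is set on the customer's
    host, then the visitor is sent to the shared SSL host."""
    jar = CookieJar()
    # PHP's default session cookie carries no Domain attribute, so it is
    # scoped to exactly the host that set it. Value is constructed.
    store_cookie(jar, "http://www.yourdomain.com/login.php",
                 "PHPSESSID=k3v9qbm2t8sh1; path=/")
    return {
        # Same host, plain http: cookie sent, session continues.
        "plain_same_host": cookie_header_for(
            jar, "http://www.yourdomain.com/cart.php"),
        # Same host, scheme changed to https (own certificate): still sent.
        "https_same_host": cookie_header_for(
            jar, "https://www.yourdomain.com/checkout.php"),
        # Shared SSL host: a different domain, cookie is out of scope.
        "shared_ssl_host": cookie_header_for(
            jar, "https://secure.modwest.com/yourdomain.com/checkout.php"),
    }


def secure_flag_scenario():
    """Caveat for the own-certificate fix: a session cookie issued with the
    Secure attribute (session.cookie_secure=1) on https is not sent back
    over plain http, so the session is lost on the way back."""
    jar = CookieJar()
    store_cookie(jar, "https://www.yourdomain.com/checkout.php",
                 "PHPSESSID=z7p0fw4nd6hx2; path=/; Secure")
    return {
        "https_same_host": cookie_header_for(
            jar, "https://www.yourdomain.com/thanks.php"),
        "plain_same_host": cookie_header_for(
            jar, "http://www.yourdomain.com/index.php"),
    }


if __name__ == "__main__":
    for name, result in (("shared SSL", shared_ssl_scenario()),
                         ("Secure flag", secure_flag_scenario())):
        print(name)
        for case, header in result.items():
            print(f"  {case:16} -> {header}")
```

Running the block prints the Cookie header (or None) for each request; the shared SSL host and the plain-http request after a Secure cookie are the two cases where nothing is sent, which is exactly where the PHP session is lost.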


Last update: 2010-09-27 15:25
Author: FAQ Admin
Revision: 1.2

Comment of Anonymous:
There is another alternative... One that I have used for a couple of years very successfully.

On the links that go to secure.modwest.com/yourdomain.com/xyz.php add something like ?PHPSESSID=the_session_id

Then in your scripts, if you are passed the session id, use it. This has some security risks involved, but nothing that doesn't already exist.

You could do some reasonable checks of the Session against the IP Address and browser information to be relatively sure you are dealing with the proper person/computer.

Just my 2 cents

john@bowlingball.com
http://www.bowlingball.com
Added at: 2005-08-25 14:19

Comment of Anonymous:
Sorry, I forgot to mention that in order to use it, simply:

// Key must be quoted; reject a blank id (see BEWARE below).
if (isset($_REQUEST['PHPSESSID']) && $_REQUEST['PHPSESSID'] !== '') {
    session_id($_REQUEST['PHPSESSID']);   // must run before session_start()
}

BEWARE: A blank session id is VALID. So do not simply call session_id($_REQUEST[PHPSESSID]);
Added at: 2005-08-25 14:21

Comment of Anonymous:
You can also post and read in your SESSION variables across the SSL pages each time and update the SESSION when you return.
Added at: 2009-12-04 11:34