Sessions across http/https

I'm experiencing an interesting problem with carrying a php session over from http to https. Much googling later, I'm still stuck.

The application is an online shop, where some user data is stored in the session. As the user proceeds to checkout, we switch over to https. This is all done on the same physical server, under the same domain (which has an SSL cert).

The session ID is carried over fine - I can read the session ID from http and https and it is the same. However, when I try to access a session variable e.g. $_SESSION['s_userid'], I can only do it using whichever protocol was used to write the variable in the first place.

Let me explain more. If I save some user info in session variables from pages accessed via http, then I try to read these variables from pages accessed via https, they are empty.

I just want to make it clear that the problem is not that the session ID is not available to the https pages - it is, and it's the same session id.

So, any idea what's going on here? It seems that there are two sessions being created with the same session ID, one for http and one for https. Is that what happens? if so, how do I get around it? How do I access the session data from my https pages?

Any help much appreciated.


--
Grunff
.

Relevant Pages

  • Re: Dropped session variables tied to SSL pages? Or Redirect?
    ... between HTTP and HTTPS for the same application path. ... > "Mark Schupp" wrote in message ... >> session cookie can only go to one application. ... >>> I also commented that some of the Session variables stayed intact. ...
    (microsoft.public.inetserver.asp.general)
  • Researcher demonstrates SSL attack
    ... Moxie Marlinspike, who spoke at the Black Hat security conference on Wednesday, explained how to subvert an SSL session by performing a man-in-the-middle attack. ... The anarchist researcher explained in a YouTube video that the attack uses a tool developed called SSLstrip, which exploits the interface between http and https sessions. ... Secure Sockets Layer, and its successor Transport Layer Security, are cryptographic protocols used to encrypt communications over TCP/IP networks. ...
    (alt.privacy)
  • Re: Sessions/Cookies between sites
    ... Session variables are still retained when switching from ... http to https, I never knew it was a bug, I hope Microsoft ... session variables and cookies will not be shared ...
    (microsoft.public.inetserver.asp.db)
  • Re: Sessions/Cookies between sites
    ... Session variables are still retained when switching from ... http to https, I never knew it was a bug, I hope Microsoft ... session variables and cookies will not be shared ...
    (microsoft.public.inetserver.asp.db)
  • Re: Sessions across http/https
    ... > I'm experiencing an interesting problem with carrying a php session over ... As the user proceeds to checkout, we switch over to https. ... session information in a database. ...
    (comp.lang.php)
Loading