Re: Sessions across http/https



Grunff wrote:

> I'm experiencing an interesting problem with carrying a php session over
> from http to https. Much googling later, I'm still stuck.
>
> The application is an online shop, where some user data is stored in the
> session. As the user proceeds to checkout, we switch over to https. This
> is all done on the same physical server, under the same domain (which
> has an SSL cert).
>
> The session ID is carried over fine - I can read the session ID from
> http and https and it is the same. However, when I try to access a
> session variable e.g. $_SESSION['s_userid'], I can only do it using
> whichever protocol was used to write the variable in the first place.
>
> Let me explain more. If I save some user info in session variables from
> pages accessed via http, then I try to read these variables from pages
> accessed via https, they are empty.
>
> I just want to make it clear that the problem is not that the session ID
> is not available to the https pages - it is, and it's the same session id.
>
> So, any idea what's going on here? It seems that there are two sessions
> being created with the same session ID, one for http and one for https.
> Is that what happens? if so, how do I get around it? How do I access the
> session data from my https pages?
>
> Any help much appreciated.

There are 2 different approaches to solve this that I have used before.
The one I like best is using custom session handlers and storing all the
session information in a database. By writing them correctly, as long as
you have the same session id, you can retrieve all the information
necessary. The second solution (which may be easier) is to send the data
via POST when you switch protocols:

<input type="hidden" name="session_data" value="<?php echo
base64_encode(serialize($_SESSION)) ?>" />

Then when you receive the POST do something like:
<?php
if (isset($_POST['session_data'])) {
    $_SESSION = unserialize(base64_decode($_POST['session_data']));
}
?>

Of course, you'd want to validate the data before doing this, but it
should give you an idea of what you may be able to accomplish.

--
Justin Koivisto, ZCE - justin@xxxxxxxxx
http://koivi.com
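An added example (not Justin's code) of the validation step he mentions: the page that switches protocols serializes the session and appends an HMAC tag, and the receiving page verifies the tag before unserializing, with object instantiation disabled. The secret constant SESSION_XFER_KEY and the function names are assumed.

```php
<?php
// Added example: sign the serialized session so the receiving page can
// verify the client did not alter it before unserializing it.
// SESSION_XFER_KEY is an assumed server-side secret (placeholder value).
define('SESSION_XFER_KEY', 'PLACEHOLDER-replace-with-a-long-random-secret');

// Build the hidden-field value: base64(payload) . '.' . HMAC-SHA256(payload)
function pack_session_data(array $session): string {
    $payload = serialize($session);
    $tag     = hash_hmac('sha256', $payload, SESSION_XFER_KEY);
    return base64_encode($payload) . '.' . $tag;
}

// Verify the tag and return the session array, or null if anything is off.
function unpack_session_data(string $field): ?array {
    $parts = explode('.', $field, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);   // strict mode rejects junk
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, SESSION_XFER_KEY);
    // Constant-time comparison so a forged tag cannot be guessed byte by byte.
    if (!hash_equals($expected, $parts[1])) {
        return null;
    }
    // Refuse to instantiate objects: only scalars and arrays come back,
    // which closes the PHP object-injection route through a forged field.
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// On the http page that posts to the https checkout, echo
// htmlspecialchars(pack_session_data($_SESSION)) into the hidden
// field's value attribute instead of the raw base64 string.

// On the https page receiving the POST:
if (isset($_POST['session_data']) && is_string($_POST['session_data'])) {
    $data = unpack_session_data($_POST['session_data']);
    if ($data !== null) {
        $_SESSION = array_merge($_SESSION, $data);
    }
}
```

The tag only proves the server produced the blob; its contents are still readable by the user (base64 is not encryption), so keep anything secret out of the session data you transfer. A captured blob can also be replayed later unless you add a timestamp to the payload and reject stale ones.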