SSL & Session Issues
I'm not sure if this should be in the PHP section or not, but I'm not sure if the issue is PHP-related, .htaccess-related, or even something else.
When doing final testing on my new website, I was surprised to come across a problem with my membership registration system. It's built with PHP, and is pretty conventional - login info is submitted via POST, PHP authenticates it with the help of MySQL, and PHP sets session variables which are used to check if the user is logged in on certain pages. The PHP scripts that are used to POST to and set the session information are required to use SSL.
In my tests using Safari, everything worked fine. However, in IE, I log in, and it seems like everything is fine, but my session doesn't work. My credentials are POST-ed correctly because PHP doesn't output any errors, but it's like the session doesn't realize I'm logged in because when I try and access protected pages, I'm sent back to the login page.
Is using SSL and setting the regenerated session cookie screwing things up? I can't figure out the problem!
Any help would be greatly appreciated.
My best educated guess is that you're changing subdomains after authentication. So, perhaps your login form is posting to www.yoursite.com, whereas all of your links point to yoursite.com (note the missing www). Safari may be assuming (or somehow deducing) that the cookies it has are associated with both domains, whereas IE may take a slightly more anal (and secure) approach and be more restrictive.
If this happens to be the problem, there are two solutions. You could "correct" your links, so they all point to the same domain/subdomain. Or, you could try modifying the parameters of your session cookie--setting the domain to .yoursite.com instead of yoursite.com or www.yoursite.com.
If this isn't your problem, it's possible (though unlikely) that PHP is getting excited and sending the secure flag in the cookie header. See http://us2.php.net/setcookie for details on PHP's cookie setting options.
If you're just using PHP's built-in session functions, you may need to alter the cookie parameters via session_set_cookie_params().
Does that help?
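The cookie-scope fix suggested in the reply above, as an added example that is not part of the original post: it sets the session cookie's domain and flags, and checks with RFC 6265 domain matching which hosts would receive the cookie. The helper names `cookie_sent_to` and `start_site_session` are hypothetical, and `yoursite.com` is the thread's placeholder domain.

```php
<?php
// Added example. yoursite.com is the placeholder domain used in the thread.

// RFC 6265 domain matching: would a browser send this cookie to $host?
// $cookieDomain === null means no Domain attribute (host-only cookie),
// which is what PHP sends when session.cookie_domain is left empty.
function cookie_sent_to(string $host, ?string $cookieDomain, string $setBy): bool
{
    $host = strtolower($host);
    if ($cookieDomain === null) {
        return $host === strtolower($setBy);          // exact host only
    }
    $domain = ltrim(strtolower($cookieDomain), '.');  // leading dot is ignored
    $suffix = '.' . $domain;
    return $host === $domain || substr($host, -strlen($suffix)) === $suffix;
}

// Session cookie shared by yoursite.com and www.yoursite.com.
// Array form needs PHP 7.3+. Call before any output is sent.
function start_site_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '.yoursite.com', // every subdomain will receive the cookie
        'secure'   => true,            // HTTPS only: protected pages must be HTTPS too
        'httponly' => true,            // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

if (PHP_SAPI === 'cli') {
    // Constructed cases: the login form was posted to www.yoursite.com.
    $cases = [
        ['www.yoursite.com', null],
        ['yoursite.com', null],
        ['yoursite.com', '.yoursite.com'],
        ['www.yoursite.com', '.yoursite.com'],
        ['notyoursite.com', '.yoursite.com'],
    ];
    foreach ($cases as [$host, $domain]) {
        $sent = cookie_sent_to($host, $domain, 'www.yoursite.com');
        printf("%-18s Domain=%-14s %s\n", $host, $domain ?? '(none)', $sent ? 'sent' : 'not sent');
    }
}
```

Widening the domain exposes the session cookie to every subdomain, so redirecting all traffic to one canonical host (the first fix in the reply) keeps the cookie's scope narrower.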
Thanks so much! I think it was a combination of the subdomain (www vs no www) and my PHP function that I use to check if the user is logged in. I forgot that I had the function set to only allow my admin account to view the pages - I had been trying to log in with another account.