www.webdeveloper.com
Results 1 to 3 of 3

Thread: SSL & Session Issues

  1. #1
    Join Date
    Oct 2008
    Posts
    6

    SSL & Session Issues

    I'm not sure if this should be in the PHP section or not, but I'm not sure if the issue is PHP-related, .htaccess-related, or even something else.

    When doing final testing on my new website, I was surprised to come across a problem with my membership registration system. It's built with PHP, and is pretty conventional - log in info is submitted via POST, PHP authenticates it with the help of MySQL, and PHP sets session variables which are used to check if the user is logged in on certain pages. The PHP scripts that are used to POST to and set the session information are required to use SSL.

    In my tests using Safari, everything worked fine. However, in IE, I log in, and it seems like everything is fine, but my session doesn't work. My credentials are POST-ed correctly because PHP doesn't output any errors, but it's like the session doesn't realize I'm logged in because when I try and access protected pages, I'm sent back to the log in page.

    Is using SSL and setting the regenerated session cookie screwing things up? I can't figure out the problem!

    Any help would be greatly appreciated.

    Thanks!

  2. #2
    Join Date
    Jan 2007
    Location
    Wisconsin
    Posts
    2,120
    My best educated guess is that you're changing subdomains after authentication. So, perhaps your login form is posting to www.yoursite.com, whereas all of your links point to yoursite.com (note the missing www). Safari may be assuming (or somehow deducing) that the cookies it has are associated with both domains, whereas IE may take a slightly more anal (and secure) approach and be more restrictive.

    If this happens to be the problem, there are two solutions. You could "correct" your links, so they all point to the same domain/subdomain. Or, you could try modifying the parameters of your session cookie--setting the domain to .yoursite.com instead of yoursite.com or www.yoursite.com.

    If this isn't your problem, it's possible (though unlikely) that PHP is getting excited and sending the secure flag in the cookie header. See http://us2.php.net/setcookie for details on PHP's cookie setting options.

    If you're just using the PHP's built-in session functions, you may need to alter the cookie parameters via session_set_cookie_params().

    Does that help?
    Jon Wire

    thepointless.com | rounded corner generator

    I agree with Apple. Flash is just terrible.

    Use CODE tags!

  3. #3
    Join Date
    Oct 2008
    Posts
    6
    Thanks so much! I think it was a combination of the subdomain (www vs no www) and my PHP function that I use to check if the user is logged in. I forgot that I had the function set to only allow my admin account to view the pages - I had been trying to log in with another account.

    Thanks again.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles