
Thread: maintaining sessions when switching between http and https

  1. #1
    Join Date
    Nov 2005
    Posts
    5

    maintaining sessions when switching between http and https

    This might be an apache issue, but I thought I'd post this in PHP first because we are using PHP to semi address the issue right now.

    The issue is that we've got an http and an https server and we need the user to be able to move back and forth between them over the course of a visit to our site. When an ourdomain.com user logs in and moves through the site there are some actions we want to have them do in a secure environment. For instance, when a user browses the public site while logged in they get an "edit" link on their profile. Clicking this link takes them to the pages for editing their profile on a secure server. To do that we need a certain amount of preserved state.

    The general way to share sessions between servers is to put the data in a database, rather than have php handle things itself. php has good support for this, and I've implemented a custom session storage system in our database (it's turned off at present, but it basically works). What we need to do is complete the setup so that both servers can connect the user to the same session data.

    The basic idea is that each server sets a cookie which contains the user's unique id. Then when they log into one of the sites, that info is stored in the database, and when they go to the other site the server checks the session info for the user associated with the cookie it receives and sees if they're logged in or not, and if so grabs their current session info.

    Right now we don't link the sessions to the user, and we don't store any of our own cookies. There may also be an apache part of the equation to get this all going. I know little about apache.

    So, I guess I'm looking for some problem solving. I'm sure many other people have solved this issue. Maybe the solution I've just described isn't the best...?

    Lastly, but maybe most importantly... one out of the box solution we've pondered is just keeping the user in https when they're logged in and http when they're not. This would involve keeping copies of all site files in both http and https. Wondering if this is the way people solve this? Does this affect overhead in any way?
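    The shared database session store this post describes, written out as an added example that is not the original poster's code; it assumes PHP 8.0 or later, an SQLite file path and a `sessions` table, and the same bootstrap runs on both the http and the https server.

```php
<?php
// Added example, not code from the thread: a PDO-backed session save handler of the kind
// the first post describes. Both servers register it against the same database, so an ID
// presented to either resolves to the same data. PHP 8.0+. DSN and table are assumptions:
//   CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL, updated INTEGER NOT NULL);
class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // An unknown ID yields '' so PHP starts an empty session instead of failing.
    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $data = $st->fetchColumn();
        return $data === false ? '' : $data;
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, updated) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// Identical bootstrap on both servers: HttpOnly cookie, no session ID taken from the URL.
// The Secure flag follows the scheme: a cookie issued on the http side is sent to both
// servers (what lets the session carry across); one issued on https never goes back to http.
$https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
$pdo = new PDO('sqlite:/var/lib/app/sessions.sqlite');   // assumed path: the shared database
session_set_save_handler(new DbSessionHandler($pdo), true);
session_set_cookie_params(['path' => '/', 'secure' => $https, 'httponly' => true]);
ini_set('session.use_only_cookies', '1');
session_start();
```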

  2. #2
    Join Date
    Dec 2002
    Location
    Seattle, WA
    Posts
    1,843
    I think the problem is not a problem but a security precaution for handling sessions, cookies, HTTP, etc. The only thing I can think of is trying this
    PHP Code:
    <?php
    session_start();
    // setcookie(name, value, expire, path, domain, secure): expire, path and domain
    // are left NULL (defaults); the last argument is the Secure flag
    setcookie(session_name(), session_id(), NULL, NULL, NULL, 0);
    setcookie(session_name(), session_id(), NULL, NULL, NULL, 1);
    ?>
    or
    PHP Code:
    <?php
    $secure = array_key_exists('HTTPS', $_SERVER);
    $cookie = false;

    // existing session: re-send the session cookie the browser gave us
    // (as posted, (int) !$secure sets the Secure flag on plain-http requests and clears it on https)
    if (array_key_exists('PHPSESSID', $_COOKIE)) {
        $cookie = setcookie('PHPSESSID', $_COOKIE['PHPSESSID'], NULL, NULL, NULL, (int) !$secure);
    }
    session_start();

    // new session: send the cookie for the ID PHP has just created
    if (!$cookie) {
        setcookie(session_name(), session_id(), NULL, NULL, NULL, (int) !$secure);
    }
    ?>
    that should do the trick, IF the client has cookies enabled
    Last edited by ShrineDesigns; 12-06-2005 at 02:32 AM.

  3. #3
    Join Date
    Jan 2005
    Location
    Alicante (Spain)
    Posts
    7,742
    It is pretty simple to hand over from http to https and maintain the session. Here's an example:
    PHP Code:
    <?php
    session_start();
    if (empty($_SERVER['HTTPS'])) { // Non-SSL session here
        $_SESSION['test'] = 'This was set in the non-SSL part of the session!';
        // carry the session ID over to the https side in the query string
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . '?PHPSESSID=' . session_id());
        exit;
    }
    echo $_SESSION['test']; // Now we are in a secure session
    ?>

  4. #4
    Join Date
    Nov 2005
    Posts
    5
    Quote Originally Posted by bokeh
    It is pretty simple to hand over from http to https and maintain the session. Here's an example:
    PHP Code:
    <?php
    session_start();
    if (empty($_SERVER['HTTPS'])) { // Non-SSL session here
        $_SESSION['test'] = 'This was set in the non-SSL part of the session!';
        // carry the session ID over to the https side in the query string
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'] . '?PHPSESSID=' . session_id());
        exit;
    }
    echo $_SESSION['test']; // Now we are in a secure session
    ?>
    Thanks for the help. I'm not as up on my apache config as my php/mysql. It's my understanding that serving both http & https on the same machine always means separate apache instances. Almost like different physical boxes. Is that correct?

    The above looks to me like it's written to work with custom session handling in the database. In that case, just appending the session id to the URL allows php to pass it to the custom session handlers which in turn grab the data from the database.

    Is that correct? If so, then it does look easy, but it also looks like we're passing the session id around quite publicly.

  5. #5
    Join Date
    Jan 2005
    Location
    Alicante (Spain)
    Posts
    7,742
    Quote Originally Posted by alienprotocol
    Thanks for the help. I'm not as up on my apache config as my php/mysql. It's my understanding that serving both http & https on the same machine always means separate apache instances. Almost like different physical boxes. Is that correct?
    To be honest I don't know. I've done a ctrl + alt + del on my machine and can only see one instance of Apache running.
    Quote Originally Posted by alienprotocol
    The above looks to me like it's written to work with custom session handling in the database. In that case, just appending the session id to the URL allows php to pass it to the custom session handlers which in turn grab the data from the database.
    That's not true. That script is just a simple self-contained example to demonstrate a handover of data between http and https. The reason I appended the session ID to the URL is because it would otherwise have been lost in the handover.
    Quote Originally Posted by alienprotocol
    It also looks like we're passing the session id around quite publicly.
    With a standard http connection the session ID is always very public whether it's being passed as a cookie or appended to the URL; if you believe any different you are kidding yourself. With an https connection (SSL) the URL is encrypted. In fact this is the very reason Apache's name-based virtual hosts are not possible with SSL.
