PHP Session Variables not working after switching from HTTP to HTTPS - php

I recently built a Content Management System, and I'm using session variables throughout my code. However, I just switched over to HTTPS, and now it appears the session variables aren't working.
I've done a lot of research, but unfortunately I haven't found a solution to this problem yet. I'm thinking there has to be a setting in the "php.ini", or the IIS Manager (I'm currently using IIS 7.5) that I'm not seeing.
I found that in IIS Manager, under ASP -> Session Properties -> New ID On Secure Connection defaults to True - I can definitely see that being a problem if it's doing the same thing somewhere with PHP, but I can't find it if that's an option.
I'm initializing the session_start(); at the very beginning of the document (nothing comes before it), and it works fine over HTTP, just not HTTPS. Additionally, I've updated the base_url to include the https:// on any redirects, so it's not going from HTTP to HTTPS, it's strictly going over HTTPS.
Thanks in advance for any suggestions of where I might look.

Related

PHP sessions no longer store when using SSL

I made a website that has an integrated shopping cart. Of course, I use a lot of session variables to do this. When I uploaded the site to inmotion hosting and made it an SSL connection, my session variables stopped transferring over? I have no idea why. I think part of it is because the sites are originally HTTP, then they are being forced to change to https, thus losing the session?
Any help would be amazing!
Ok I have tried changing the cookie domain and the cookie secure in the php.ini files but neither has helped. Please help!
Cookies have a secure flag on them which means that they can't be used on HTTP sites. On an HTTP connection, when you session_start(), PHP creates a new session id, which replaces the previous session id.
I believe you can unset that with session.cookie_secure = 1 in php.ini

Session support for PHP disabled in cPanel server (image)

I'm encountering a problem with a server that is seemingly disallowing session support which is causing problems with a site I am building there. Session data can be written but only persists on the same page and is not available elsewhere. I've tested identical code on a localhost server and it works correctly. An output of the session details from phpinfo() follows:
The server has a browser based admin tool cPanel 64.12 but there doesn't seem to be a way to access the php.ini file so I can enable proper session functionality.
Does the image above indicate that session functionality is indeed disabled, and is there a way to access the php.ini file through cPanel or another approach that can assist? I assume that the security of the server will mean that this is not possible without an admin getting involved which is difficult on an Easter weekend.
Any advice or opinions would be appreciated.
Many thanks,
Kw

PHP - How can I tell in which domain a script will look for cookies?

I'm trying to fix a really elusive bug where I lose my session upon redirect.
In my local setup, there is no problem; it only manifests itself on the live site. I discovered that my local version was creating two identical cookies: one for .mydomain.com and one for www.mydomain.com. However, the live site creates only one cookie for .mydomain.com.
It seems as though my script is looking for the www.mydomain.com cookie, which is why there's no apparent problem on the local server.
How do I determine to which domain a given script will look for its cookies? (or if this sounds like a different problem, please let me know)
Use setcookie(key, value, expire_time, '/'). This will add a cookie for your site's document root; either www.domain.com or domain.com will work fine.

Securing Flex App on Shared Hosting

I'm not an expert and don't want to make a mistake, so please forgive me if the answer is obvious (better safe than sorry).
I finished a Flex app using FB4.5 and uploaded and tested it fine to a shared host. I'm now in the process of securing the app using https, but have landed in a quagmire.
First:
I forced the load of all pages to https with .htaccess so that the Flex app loads with SSL. Problem is that I get a connection failed ('BadVersion') when the app makes a data service call using the gateway.php file because of the .htaccess force (it is looking for http rather than https). I believe I can hardcode the https path in the Flash Builder class file, but I don't want to prevent the app from working on my dev machine either. Any thoughts here?
Also, even if the gateway.php file is called using SSL, will the following calls to the PHP files containing the actual SQL queries fail because of the forced SSL by the .htaccess directives?
Second:
Instead of using .htaccess, I have also successfully used PHP to secure the initial launch of the app with a https redirect statement in the beginning. This allows the app to work, calling the gateway.php file fine because it isn't forcing https on everything. BUT, this defeats the purpose of trying to get everything to be encrypted.
Third:
Is it necessary to have the gateway.php file launched on SSL because of transmitting in binary AMF?
Thoughts? Explanations? Things I'm missing. Suggestions?
Thanks in advance.
If your AMF calls are going over HTTPS, then you need to use a SecureAMFChannel rather than a vanilla AMFChannel.
Typically this is configured either in the client, where you have declared your RemoteObject or ChannelSet, or in the services-config.xml file.
Most likely, this mismatch is what's causing the BadVersion error you're getting.

Lost sessions after ISP moved my site to new server

I'm having some session problems after my ISP moved my site to a new server, supposedly set up the same. The problem appears to be browser-specific as well, which I don't quite understand.
First, my site uses sessions to login, this has been broken since they moved the site.
My ISP has set up a test page. When I hit this page in IE 6 (where it sets some session vars) and then hit the "header redirect" button, sessions seem to work fine. If I try it in Firefox/Opera, I get a new session id on the redirected page. My ISP reports sessions are working for IE as well, though I imagine they're using IE7 or perhaps even 8.
Everything was working fine on my site before my ISP moved it and while they've been very helpful in responding, they're at a loss as to why it's broken. A couple of my other sites with them were broken along with the move, but they have been resolved by server tweaks... Does anyone have any ideas what's going on?
You're redirecting from "launchcomplex.com" to "www.launchcomplex.com"
If you set session.cookie_domain it should work - see session_set_cookie_params()
Cookie domain, for example 'www.php.net'. To make cookies visible on all subdomains then the domain must be prefixed with a dot like '.php.net'.
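
The Secure-flag answer and the cookie-domain answer above both come down to whether the browser returns the session cookie for a given request. The following check is an added example, not code from any of the posts; it assumes PHP 8, and the function name `sessionCookieProblems` and the `example.test` hosts are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: list the reasons a browser would NOT send the session cookie.
// $params has the shape returned by session_get_cookie_params(); $host has no port.
function sessionCookieProblems(array $params, bool $isHttps, string $host, string $path): array
{
    $problems = [];
    $host = strtolower($host);
    $domain = strtolower(ltrim($params['domain'] ?? '', '.'));

    // A cookie carrying the Secure flag is only returned over HTTPS.
    if (!empty($params['secure']) && !$isHttps) {
        $problems[] = 'Secure flag is set but the request is plain HTTP';
    }
    // With a Domain attribute, the host must equal it or be a subdomain of it.
    // An empty domain means a host-only cookie, which cannot be checked from here.
    if ($domain !== '' && $host !== $domain && !str_ends_with($host, '.' . $domain)) {
        $problems[] = "host $host is outside cookie domain $domain";
    }
    // The cookie path must prefix the request path on a "/" boundary.
    $cp = ($params['path'] ?? '') ?: '/';
    $pathOk = $path === $cp
        || (str_starts_with($path, $cp) && (str_ends_with($cp, '/') || $path[strlen($cp)] === '/'));
    if (!$pathOk) {
        $problems[] = "request path $path is outside cookie path $cp";
    }
    return $problems;
}

// Constructed cases mirroring the situations described in the posts above.
$cases = [
    'secure cookie, HTTP page'   => [['domain' => '', 'path' => '/', 'secure' => true], false, 'example.test', '/cart.php'],
    'www-only domain, bare host' => [['domain' => 'www.example.test', 'path' => '/', 'secure' => false], false, 'example.test', '/'],
    'dotted domain, www host'    => [['domain' => '.example.test', 'path' => '/', 'secure' => true], true, 'www.example.test', '/admin/'],
    'cookie path too narrow'     => [['domain' => '', 'path' => '/shop', 'secure' => false], false, 'example.test', '/shopping/'],
];
foreach ($cases as $label => [$p, $https, $host, $path]) {
    $found = sessionCookieProblems($p, $https, $host, $path);
    echo $label, ': ', $found ? implode('; ', $found) : 'cookie would be sent', "\n";
}
```

On a live page, pass `session_get_cookie_params()` together with the current request's scheme, host and path to see which rule is dropping the cookie.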
When they moved servers, did they move to a clustered configuration? Meaning when I hit your web page, am I always requesting content from the same physical server, or could it be any of a cluster of servers?
If the latter, that is your problem. Sessions are by default file-based, and thus are not scalable to multiple servers.
One solution is to use session_set_save_handler() to write your own session manager. Usually you would use a database to read/write session data using this method.
