I have developed a mvc site from scratch and locally it works, but what a surprise ! Trying the site uploaded to my hosting it doesn't work.
The login sequence is the following:
Every page checks if you are loged (http) and redirect to login page (https) if you don't.
Always you will be redirected to login page.
After some research, I have discovered the reason: php session is lost between https and http.
I don't understand why works locally and remotely not, but I think due php local settings set php sesssion identifier as PHPESSID for http & https and remote settings not.
Thinking about the trouble, I understand I can fix the issue passing the session identifier from https to http or making the whole site https rewriting the urls as follow:
intranet.mysite.com/anypage/
Hosting shared ssl
https://server.subdomain/~user/public_html/intranet/anypage/
Additional information
the page is hosted under hostgator. The url paths are
site
intranet.mydomain.com
ssl shared access
https://gatorxxx.hostgator.com/~user/intranet
how I can make session works between urls ?
thanks.
If I understand correctly you host the SSL page on a different domain? The PHP session cookie is lost then, because the cookie is bound by subdomain (or domain, whichever the cookiedomain is set to).
Related
I have recently created a laravel project, and I am facing issues with it since I am trying to get it setup with SSL (Cloudflare).
What is the best way to redirect the user to the secured enviroment correctly in laravel 5?
Also, my CSS and JS are not beeing loaded in due to the fact that http is not allowed and my browser blocks the files from beeing loaded because they could be potential harmfull. (Which is not the case though, to be clear)
Can someone get me off the right track?
Redirecting your site users to a secure url (https://) should NOT be the job of the framework. This type of behavior should be handled on the DNS and A record level.
Redirecting from HTTP to HTTPS should be handled by the webserver.
Your assets are probably blocked because they are unencrypted (HTTP) on an encrypted site (HTTPS). You can solve that by using protocol relative URLs:
<script src=”//ajax.microsoft.com/ajax/jquery/jquery-1.3.2.min.js” type=”text/javascript”></script>
Note the // instead of http:// or https://. This will cause your assets to be fetched using the same protocol as the site.
Laravel has a helper function for secure assets: secure_asset()
http://laravel.com/docs/5.1/helpers#method-secure-asset
Im trying to use the facebook login from https://github.com/facebook/facebook-php-sdk
It works fine over HTTP but fails to login over HTTPS, The app page lists the login page as https://my.url.com
Both pages have a get redirect with code and state, which are the same length for the working and non working URL.
I would prefer to use https for all login pages.
By Doesnt work I mean after a successful login the token is appid|appsecret and the user returns ID of 0 instead of the actual user id which has just completed the login
Found the issue to be the Redirect URL. Code was being used from http://webcheatsheet.com/php/get_current_page_url.php
which puts the port :443 on the url. During the redirect the facebook info gets "lost"
Changing their code to allow for this fixes the problem. though with or without the :443 its still a valid URL and should really work
Have you considered using the HybridAuth library? I've always had it dump me into https on Facebook
The :443 is what tells the browser to connect over HTTPS, the default port for HTTP is 80 and 443 for HTTPS.
Perhaps the issue is something to do with Facebook having cached your domain as port 80
You can clear facebook's cache of your site, and troubleshoot other URL related problems with their official URL debugger https://developers.facebook.com/tools/debug/
I have a homebrew CMS installed on two different web servers. Each maintain the same code. I have had a really annoying problem when I try passing $_SESSION variables between different domains.
My CMS is on domain1.com. The website it is controlling is on domain2.com. My system passes all the session variables for the login information from domain1.com to domain2.com via a url link (domain1.com has a link like this: http://domain2.com?sessionId=1gh...)(sessionId is generated by session_id()). domain2.com retrieves the session id and does session_id($_GET['sessionId']) to set the session and grab the variables. It then proceeds to show a bar at the top with admin features.
This system works well on one of my hosts, as well as my localhost. But I recently transferred to a different host and installed my CMS with the same code with success. Everything works except for this feature. When I click on the link and try to set the session_id, the session_id changes, but the $_SESSION variables are removed. When I return to my CMS, I have to relogin. Somehow on this host, changing the session_id deletes the $_SESSION variables.
I have never liked session variables and I would not use them if I were to start again (I would probably use plain cookies). But I really need to figure this out. The host that it works on is Bluehost, with both domains hosted by Bluehost. The host that it does not work on is [EDIT]ByteHost, and the domain registrar is Godaddy.
Here is some example code from domain2.com:
...
if ( $_GET['sessionId'] )
{
session_id($_GET['sessionId']);
}
session_start();
echo session_id(); // returns the proper sessionId passed through the url
print_r($_SESSION); // does not work. returns array()
...
I can guarantee that the $_SESSION variables existed before, because I was still logged into my CMS.
Any ideas why session variables work on 1 host, but not on another?
I tried replacing the php.ini file with the working host one. Problem was still there.
Thank you for your time!
UPDATE
I ended up removing this from my CMS. Now, I just pass the login details over the url and it logs the person in. It works a lot cleaner.
Here are some reasons why this may not be working:
different physical server
different account for each domain (even if it's the same physical server)
different apache/php daemon for the domains (some shared hosting sites will create a separate directory for each domain, and then restrict apache from sharing information between domains. This will also have the effect of preventing session information from being passed. Think about it - do you want someone else's domain on the same hosting provider to have access to YOUR client's session info?)
configuration (apache or php), or .htaccess rules
Here is what I will recommend: stop doing this. This is a great opportunity to fix a very serious security flaw in your code. By the time you diagnose it with the hosting provider, you could probably just rewrite everything you need using HTML5 storage or secure cookies.
My guess is that the hosting provider is smart enough to protect session information form being stolen from another domain. But in either case, I strongly recommend you change the code so that it does not need to steal session information from another domain.
To have a session on multiple domains you would need to have the session id passed in the url instead of the sessions cookie as cookies only work on a single domain basis.
Using subdomains would solve the problem if they're not separate customers a.domain.com and b.domain.com
Sorry for the confusion. To clarify my question, the session will be created over ssl and will stay encrypted. While users browse using normal http, I'm asking if I "require" a ssl page that verifies the users' session, will it run in ssl or will it simply be a part of the parent page which is in http which will be unable to retrieve the session id because the session is saved in https.
I'm currently working on a secure member log in with php.
A log in form will redirect to a ssl url (i.e. https) to keep the password safe for people who are logging in using unencrypted network/wifi.
The only problem is, I can't think of any way to "securely" pass users' log in session from https to http.
So I was thinking to use "require_once" from php which includes a file url starting with https. And the included file will create a session under https and all I have to do is simply require the page in every authentication-required page.
The only issue is, I'm not too sure if the "required file" will run under https or the codes will simply be included in the parent page and run under http.
In other words, how exactly does include or require work (does the function run the code in the separate page or simply include the code in the parent page and run)? I searched php manual, but I was't able to find the answer. Also, I can't test it by myself because I don't have ssl license yet.
Also, any suggestion on building a secure log in using https (just for log in) in combination with http for any other user interface?
include() and require() will only go 'external' and do an HTTP-type request if the path you're providing to them looks like a url (e.g. 'http://....'). Otherwise it's interpreted as a local file file request and does NOT involve the HTTP layer.
There's no practical difference to PHP if a script was requested via HTTP or HTTPS, except there'll be extra SSL-specific entries in $_SERVER. Includes/requires still work as they if the script was running in a non-SSL environment, and the script can still do CURL requests and whatnot. Remember that the SSL link is established by the server and the client browser BEFORE php is invoked, and applies only to do the client<->server communications. Anything the script does with external resources will only involve SSL if the resources requested themselves are done via a completely separate SSL request.
You cannot "turn on" SSL from within a PHP script. There's no mechanism in HTTP to dynamically migrate a link from a regular unencrypted port 80 to an encrypted port 443 within the same request. You can redirect the client towards an SSL url, but that involves a completely new HTTP request - the original request started as non-SSL and will stay non-SSL.
Edit: The below is an answer to the original question, which was phrased in a way that made it sound like the author only wanted the login page to be protected.
I assume that the reason you want to redirect back to HTTP is that the site contents itself isn't confidential, and that you only care about protecting the user's password and account. However, if you redirect the user back to HTTP after logging in, your site will be almost as insecure as if you didn't use HTTPS at all. Granted, HTTPS login will prevent the user's password from being sniffed, but anyone can use Firesheep or similar applications to steal the user's session id after login if you redirect back to HTTP - then, they can take over the account by changing the password (or simply act as the user without changing the password).
(While we're on the subject: why on Earth doesn't StackOverflow use HTTPS after login?) :-(
In order to maintain security, you need to ensure the https:// is in the user's address bar at all times. You can't just include a file and expect it to be secure.
Think of it this way. Say you have a form on http:// and you make a curl call to https:// # Verisign to post a credit card payment. That unencrypted data can easily be intercepted before it reaches Verisign's secure page.
If it's SSL, keep it SSL throughout the entire session. You'll notice on bank sites, there is usually a login button which directs you to an https:// page containing the form - OR they mix it by grabbing your username on the http:// page and then posting that to the https:// page before asking for your password. US Bank does this just to get the user engaged on the home page.
EDIT:
To respond to the new clarification. I would not let a user browse http:// pages while logged in via https://. I would add this logic:
if(isset($_SESSION['LOGGED_IN_SSL']))
{
if ($_SERVER['HTTPS'] != "on")
{
$url = "https://". $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
header("Location: $url");
exit();
}
}
That would force the user to view the https:// version of whatever page he/she wishes to view.
so what i am trying to do is this:
login to the other server with a PHP on my own server (either with my username and pass/or with my cookies)
then have access to the page i want to display/download
i want to write a PHP script that is located on my own server, that automatically does a login to another server, that uses HTTPS and a web form for login.
after the login i have access to that page that i am trying to download.
i dont know if it would be possible to login and download the html only with the cookies that i have in my browser through a previous login, or if i need to do the login in my php script through some https login method.
can i do any of this with curl or fsocksopen or what would be the best way to realize this?
thanks in advance!
you just have to try. in most cases you should be fine if you export your cookies and use them in your curl request.
however the website mave hashed the cookies with the remote address, or given a timeout on them.
then you probably have to login from the server. with php / curl you can do that all.
the only thing that may be a problem is javascript/captcha codes.
in addition you should definately check zend http client, it has functionalities that makes "browsing" easy. for example saving cookies and automatically passing them on in the next request and also deleting them if the server tells you so etc.
Use the PEAR HTTP Request class.