	Home Web Hosting domains Domains

Customer Support

Support Categories:

Getting Started
FTP
Moving Domains
E-mail
Stat Reports
Mailing Lists
Apache
PHP
CGI
MySQL Database
Other Software
Billing & Terms
Control Panel
E-commerce
Pre-Sales

Search for keywords:

Browse by category:

My PHP session is lost whenever I go to a secure URL using the shared SSL certificate.

The reason the PHP session is lost is because PHP sessions are based on cookies and cookies are only valid at the domain where they were set.

When you are at http://www.yourdomain.com you are at the domain "yourdomain.com" and can set and retrieve a cookie to keep your PHP session alive between requests.

However, when you change to the shared SSL URL of https://secure.modwest.com/yourdomain.com/ you are at the domain "modwest.com" and do not have any access to any cookies set by "yourdomain.com". This is a security limitation of the cookie protocol, not of PHP or the hosting environment.

Because of this security limitation, the PHP session, which relies on cookies, is lost, and a new session is started. The new session will only be valid while your visitor is at the secure URL. When you give them a link back to http://www.yourdomain.com then their original session will come back to them and the one set at "secure.modwest.com" will be inaccessible to you.

The only reasonable solution to the problem of loosing the PHP session at the shared SSL URL is to get an SSL certificate for your own domain name if you need SSL and PHP sessions instead of using our shared SSL certificate. That way your secure URL will be at the same domain name as your insecure URL, which means your cookie will be accessible at both URLs which means your PHP sessions will survive the change from non-SSL to SSL pages.

User-Contributed Notes

john -at- cyborgcomputing.com
25-Aug-2005 14:19

There is another alternative...  One that I have used for a couple of
years very successfully.

On the links that go to secure.modwest.com/yourdomain.com/xyz.php add
something like ?PHPSESSID=the_session_id

Then in your scripts, if you are passed the session id, use it.  This
has some security risks involved, but nothing that doesn't already
exists. 

You could do some reasonable checks of the Session against the IP
Address and browser information to be relatively sure you are dealing
with the proper person/computer.

Just my 2 cents

john@bowlingball.com
http://www.bowlingball.com

john -at- cyborgcomputing.com
25-Aug-2005 14:21

Sorry, I forgot to mention that in order to use it, simply:

if (isset($_REQUEST[PHPSESSID])) {
  session_id($_REQUEST[PHPSESSID]);
}

BEWARE:  A blank session id is VALID.  So do not simply call
session_id($_REQUEST[PHPSESSID]);

Related Questions:

How do I set PHP include_path?

What PHP modules are available and how do I load them?

How do I change timezone for PHP?

How do I do html form file uploads?

Can I run a PHP script on cron?

Why does a PHP function give an error that it is undefined?

Why does PHP HTTP authentication not work?

Can you change session cookie timeout in php.ini for me?

Why does my PHP script throw an Internal Server Error 500?

I can't upload a file larger than 8MB through a PHP script

What version of PHP are you running and can I see a phpinfo()?

Do you have a quick form mail script?

Do you offer PHP5 with MySQLi?

Can I use a PHP extension like PDFlib that I have personally purchased a license to use?

Can I have all .html pages parsed as PHP?

What's the difference between running PHP as a cgi or as a module in safe mode?

Do you provide PEAR?

The PHP curl module doesn't work.

Where is the php_error_log?

Where can I download free PHP scripts?

Do I need to set any 777 permissions in order for my PHP scripts to create files and directories?

How do I get different character sets within my PHP page to display correctly?

Can I use Smarty Templates?

The PDFlib extension gives a UPR description error.

How do I execute my .php files as PHP 5?

How do I use the url_rewriter.tags setting for PHP?

Why does flush() not flush the data to my browser?

Why does PHPLIB sessions give me a MySQL Database error?

The pfpro pfpro_process() function keeps giving me Error 31

Will my Zend Encoded files work?

Will IonCube encoded files work?

What is CAPTCHA? How can I use it?

I need the virtual() function and it is not available.

Why does getallheaders() say undefined function?

Can I talk over SSL when opening an IMAP connection with the PHP imap_open() function?

My PHP script needs a newer version of Zend Optimizer. What do I do?

How can one PHP file transparently handle all search-engine friendly URLs?

How do I put PHP sessions into a database instead of the default files-based method?

Browse Categories:

Getting Started, FTP, Telnet/SSH, Moving Domains, E-mail, Traffic Reports, Mailing Lists, Apache, PHP, CGI, Other Server-Side Scripting, MySQL Database, Imaging Libraries, Other Software, Billing & Terms, Control Panel, E-commerce, Pre-Sales