Showing results for tags 'ssl php sessions security'.


Found 1 result

I am using the scripts (at the end) on a shared Debian server at my web host's remote facility. My purpose is to have a fully SSL site. The web host gave this format of URL for my SSL: https://hostaddress.net/example/ where www.example.com is the domain name.

Map:

  • /web/index.php (script below)
  • /web/testbed/htdocs/test_page_SA.php (script below)
  • /web/testbed/htdocs/test_page_SB.php (script below)

The index.php directs to test_page_SA.php successfully in each circumstance that I'll describe, test_page_SA.php directs to test_page_SB.php as written, and test_page_SB.php directs back to test_page_SA.php.

Before every test I delete the sessions at the server, and also delete the cookies, browsing and download history, and cache on the client (Firefox). At each test I try both www.example.com and example.com (both lead to index.php). Whenever $params are set, they are set in index.php, test_page_SA and test_page_SB.

I've searched far and wide to try to resolve this issue, and now it's forum time.

Question: How do I get the session data to be saved on the server and the cookie saved on the client, while using $params secure=true and the SSL URL in htaccess?

I conducted the following tests to try to isolate the issue, but failed to find an answer.

Test 1 - non-SSL - the base http script that works: htaccess script is blank; http is used; $params secure = false.

Result: test_page_SA and test_page_SB run successfully, unchanging cookie observed in Firebug (security = blank), at first giving the session id/cookie and the test1 session variable value, then when the input is saved, the output succeeds at giving the session id and both the test1 and name session variable values with both scripts in turn.

Test 2 - non-SSL: htaccess script is blank; http used; $params secure = true.

Result: test_page_SA fails to send the input to test_page_SB, cookie observed in Firebug (security = secure) and changes at every save, only the session id/cookie is shown, neither session variables shown. Identical results when input in test_page_SB has data saved.

Test 3 - non-SSL: htaccess (below) is tried before using the SSL URL to be sure these lines are not an issue; http used; $params secure = true.

```apache
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC]
RewriteCond %{SERVER_PORT} 80
```

Result: Exactly the same output as Test 2.

Test 4 - non-SSL: htaccess (above); http used; $params secure = false.

Result: Success as in Test 1.

Test 5: htaccess (below, as supplied by the web host); https used; $params secure = false.

```apache
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://hostaddress.net/example/$1 [R,L]
```

Result: test_page_SA fails to send the input to test_page_SB, cookie NOT observed in Firebug and changes at every save, only the session id/cookie is shown as output, neither session variables shown. Identical results when input in test_page_SB has data saved.

Test 6: htaccess (above); https used; $params secure = true. I understand that this parameter should be set to true when using https.

Result: https://hostaddress.net/example/testbed/htdocs/test_page_SA.php shows as the URL in the address bar, as do the URLs in the two menu items hrefs. When a value is input, https://hostaddress.net/example/testbed/htdocs/test_page_SB.php shows in the address bar. As in Test 5, test_page_SA fails to send the input to test_page_SB, cookie NOT observed in Firebug and changes at every save, only the session id/cookie is shown as output, neither session variables shown. Identical results when input in test_page_SB has data saved.

#### index.php

```php
<?php
// Session cookie parameters are set before session_start()
session_name('PHPSESSION');
$lifetime = 7200;
$path = '/';
$domain = '.example.com';
$secure = false;
$httponly = false;
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();

// Redirect to the first test page
$url = "testbed/htdocs/test_page_SA.php";
header("Location: $url");
exit();
?>
```

#### test_page_SA.php:

```php
<?php
// Session cookie parameters are set before session_start()
session_name('PHPSESSION');
$lifetime = 7200;
$path = '/';
$domain = '.example.com';
$secure = true;
$httponly = false;
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<?php
ob_start();
echo "into test_page_SA.php<br><br>";
?>
</head>
<body>
<div><a href="test_page_SA.php" title="Page SA">Page SA</a></div><br>
<div><a href="test_page_SB.php" title="Page SB">Page SB</a></div><br>
<?php
echo "28 SA session_id() = ".session_id()."<br>";

// First visit in a session sets test1; later visits print the stored values
if(!isset($_SESSION['test1']))
{
    $_SESSION['test1'] = "test1";
    echo "33 not set, so now set SA _session[test1] = ".$_SESSION['test1']."<br>";
}
else
{
    echo "37 SA set, so SA _session[test1] = ".$_SESSION['test1']."<br>";
    echo "38 SA _session[name] = ".$_SESSION['name']."<br>";
}

// On form submit, store the name in the session and redirect to page SB
if (isset($_POST['submitted_A']))
{
    if(isset($_POST['full_latin_name']))
    {
        $_SESSION['name'] = $_POST['full_latin_name'];
        echo "46 SA _session[name] = ".$_SESSION['name']."<br>";
        $url = "test_page_SB.php";
        ob_end_clean();
        header("Location: $url");
        exit();
    }
}
?>
<form method="post" class="" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<div>
<label for="full_latin_name">Full name</label>
<input type="text" id="full_latin_name" name="full_latin_name" />
</div>
<div>
<input type="submit" id="submit" name="submit" value="Save" />
<input type="hidden" name="submitted_A" value="TRUE" />
</div>
</form>
</body>
</html>
<?php
ob_end_flush();
?>
```

#### test_page_SB.php:

```php
<?php
// Session cookie parameters are set before session_start()
session_name('PHPSESSION');
$lifetime = 7200;
$path = '/';
$domain = '.example.com';
$secure = true;
$httponly = false;
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<?php
ob_start();
echo "into test_page_SB.php<br><br>";
?>
</head>
<body>
<div><a href="test_page_SA.php" title="Page SA">Page SA</a></div><br>
<div><a href="test_page_SB.php" title="Page SB">Page SB</a></div><br>
<?php
echo "28 SB session_id() = ".session_id()."<br>";

// Print the values stored by page SA, if the session carried over
if(isset($_SESSION['test1']))
{
    echo "32 SB _session[test1] = ".$_SESSION['test1']."<br>";
    echo "33 SB _session[name] = ".$_SESSION['name']."<br>";
}
else
{
    echo "37 SB _session[test1] not set<br>";
}

// On form submit, store the name in the session and redirect to page SA
if (isset($_POST['submitted_A']))
{
    if(isset($_POST['full_latin_name']))
    {
        $_SESSION['name'] = $_POST['full_latin_name'];
        echo "45 SB _session[name] = ".$_SESSION['name']."<br>";
        $url = "test_page_SA.php";
        ob_end_clean();
        header("Location: $url");
        exit();
    }
}
?>
<form method="post" class="" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
<div>
<label for="full_latin_name">Full name</label>
<input type="text" id="full_latin_name" name="full_latin_name" />
</div>
<div>
<input type="submit" id="submit" name="submit" value="Save" />
<input type="hidden" name="submitted_A" value="TRUE" />
</div>
</form>
</body>
</html>
<?php
ob_end_flush();
?>
```
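
The following is an added example, not part of the original post: it models the two RFC 6265 rules a browser applies to a session cookie (the Domain attribute must domain-match the request host, and a Secure cookie is only returned over HTTPS) and runs them over the host and `$params` combinations from the tests above. The function names `domain_matches` and `session_cookie_outcome` are hypothetical, and the last row is a constructed variant that is not one of the post's tests.

```php
<?php
// Added example: models the RFC 6265 rules a browser applies to a session
// cookie. Function names are hypothetical; test rows are built from the post.

// RFC 6265 section 5.1.3: a host domain-matches when it equals the cookie
// domain or ends with "." plus the cookie domain (a leading dot is ignored).
function domain_matches(string $host, string $cookieDomain): bool
{
    $host   = strtolower($host);
    $domain = strtolower(ltrim($cookieDomain, '.'));
    $suffix = '.' . $domain;
    return $host === $domain || substr($host, -strlen($suffix)) === $suffix;
}

// What happens to the cookie for one request/response pair.
function session_cookie_outcome(string $host, bool $https, string $cookieDomain, bool $secure): string
{
    // '' means no Domain attribute: a host-only cookie, so this check is skipped.
    if ($cookieDomain !== '' && !domain_matches($host, $cookieDomain)) {
        return 'rejected: Domain attribute does not match the request host';
    }
    // A Secure cookie is only included in requests made over HTTPS.
    if ($secure && !$https) {
        return 'not returned: Secure cookie, plain HTTP request';
    }
    return 'stored and returned';
}

// [label, request host, HTTPS?, Domain attribute, Secure flag]
$tests = [
    ['Test 1',    'www.example.com', false, '.example.com', false],
    ['Test 2',    'www.example.com', false, '.example.com', true],
    ['Test 5',    'hostaddress.net', true,  '.example.com', false],
    ['Test 6',    'hostaddress.net', true,  '.example.com', true],
    // Constructed variant, not one of the post's tests: host-only cookie.
    ['Host-only', 'hostaddress.net', true,  '',             true],
];

foreach ($tests as [$label, $host, $https, $domain, $secure]) {
    printf("%-10s %s\n", $label, session_cookie_outcome($host, $https, $domain, $secure));
}
```

Under this model only Test 1 and the host-only variant keep a session across requests. If other customers are served under the same hostname (an assumption the URL format suggests but the post does not confirm), a cookie path of `/` is also sent to their directories, so scoping the path to `/example/` limits that exposure.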