With SSL: not saving sessions, cookies not being sent

[tork]

I am using the scripts (at the end) on a shared debian server at my web host's remote facility.

 

My purpose is to have a fully SSL site. The web host gave this format of URL for my SSL:  https://hostaddress.net/example/  where www.example.com is the domain name.

 

Map:

/web/index.php    (script below)

/web/testbed/htdocs/test_page_SA.php   (script below)

/web/testbed/htdocs/test_page_SB.php    (script below)

 

The index.php directs to test_page_SA.php successfully in each circumstance that I'll describe, test_page_SA.php directs to test_page_SB.php as written, and test_page_SB.php directs back to test_page_SA.php.

Before every test I delete the sessions at the server, and also delete the cookies, browsing and download history, and cache  on the client (firefox).

At each test I try both www.example.com and example.com (both lead to index.php).

Whenever $params are set, they are set in index.php, test_page_SA and test_page_SB.

 

I've searched far and wide to try to resolve this issue, and now it's forum time.

 

Question: How do I get the session data to be saved on the server and the cookie saved on the client, while using $params secure=true and the SSL URL in htaccess?

 

I conducted the following tests to try to isolate the issue, but failed to find an answer.

 

Test 1 - non-SSL - the base http script that works:

htaccess script is blank; http is used; $params secure = false.

Result:

test_page_SA  and test_page_SB  run successfully, unchanging cookie observed in Firebug (security = blank), at first giving the session id/cookie and the test1 session variable value, then when the input is saved, the output succeeds at giving the session id and both the test1 and name session variable values with both scripts in turn.

 

Test 2 - non-SSL:

htaccess script is blank; http used; $params secure = true.

Result:

test_page_SA fails to send the input to test_page_SB, cookie observed in Firebug (security = secure) and changes at every save, only the session id/cookie is shown, neither session variables shown. Identical results when input in test_page_SB has data saved.

 

Test 3 - non-SSL:

htaccess (below) is tried before using the SSL URL to be sure these lines are not an issue; http used; $params secure = true.

RewriteEngine On
RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC]
RewriteCond %{SERVER_PORT} 80

Result:

Exactly the same output as Test 2.

 

Test 4 - non-SSL:

htaccess (above); http used; $params secure = false.

Result:

Success as in Test 1.

 

Test 5:

htaccess (below, as supplied by the web host); https used; $params secure = false.

RewriteEngine On
RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://hostaddress.net/example/$1 [R,L]

Result:

test_page_SA fails to send the input to test_page_SB, cookie NOT observed in Firebug and changes at every save, only the session id/cookie is shown as output, neither session variables shown. Identical results when input in test_page_SB has data saved.

 

Test 6:

htaccess (above); https used; $params secure = true. I understand that this parameter should be set to true when using https.

Result:

https://hostaddress.net/example/testbed/htdocs/test_page_SA.php shows as the URL in the address bar, as do the URLs in the two menu items hrefs. When a value is input, https://hostaddress.net/example/testbed/htdocs/test_page_SB.php shows in the address bar.  As in Test 5, test_page_SA fails to send the input to test_page_SB, cookie NOT observed in Firebug and changes at every save, only the session id/cookie is shown as output, neither session variables shown. Identical results when input in test_page_SB has data saved.

 

#### index.php

<?php
session_name('PHPSESSION');
$lifetime = 7200;
$path = '/';
$domain = '.example.com';
$secure = false;
$httponly = false;
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();

$url = "testbed/htdocs/test_page_SA.php";
header("Location: $url");
exit();
?>


#### test_page_SA.php:

<?php
session_name('PHPSESSION');
$lifetime = 7200;
$path = '/';
$domain = '.example.com';
$secure = true;
$httponly = false;
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
<?php
ob_start();
echo "into test_page_SA.php<br><br>";
?>
</head>
<body>
<div><a href="test_page_SA.php" title="Page SA">Page SA</a></div><br>
<div><a href="test_page_SB.php" title="Page SB">Page SB</a></div><br>
<?php
echo "28 SA session_id() = ".session_id()."<br>";
if(!isset($_SESSION['test1']))
{
    $_SESSION['test1'] = "test1";
    echo "33 not set, so now set SA _session[test1] = ".$_SESSION['test1']."<br>";
}
else
{
    echo "37 SA set, so SA _session[test1] = ".$_SESSION['test1']."<br>";
    echo "38 SA _session[name] = ".$_SESSION['name']."<br>";
}
if (isset($_POST['submitted_A']))
{
    if(isset($_POST['full_latin_name']))
    {
        $_SESSION['name'] = $_POST['full_latin_name'];
        echo "46 SA _session[name] = ".$_SESSION['name']."<br>";
        $url = "test_page_SB.php";
        ob_end_clean();
        header("Location: $url");
        exit();
    }
}
?>
<form method="post" class="" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
    <div>
            <label for="full_latin_name">Full name</label>
        	<input type="text" id="full_latin_name" name="full_latin_name" />
	</div>
            <div>
	            <input type="submit" id="submit" name="submit" value="Save" />
                <input type="hidden" name="submitted_A" value="TRUE" />
            </div>
</form>
</body>
</html>
<?php
ob_end_flush();
?>


#### test_page_SB.php:

<?php
session_name('PHPSESSION');
$lifetime = 7200;
$path = '/';
$domain = '.example.com';
$secure = true;
$httponly = false;
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
<?php
ob_start();
echo "into test_page_SB.php<br><br>";
?>
</head>
<body>
<div><a href="test_page_SA.php" title="Page SA">Page SA</a></div><br>
<div><a href="test_page_SB.php" title="Page SB">Page SB</a></div><br>
<?php
echo "28 SB session_id() = ".session_id()."<br>";

if(isset($_SESSION['test1']))
{
    echo "32 SB _session[test1] = ".$_SESSION['test1']."<br>";
    echo "33 SB _session[name] = ".$_SESSION['name']."<br>";
}
else
{
    echo "37 SB _session[test1] not set<br>";
}

if (isset($_POST['submitted_A']))
{
    if(isset($_POST['full_latin_name']))
    {
        $_SESSION['name'] = $_POST['full_latin_name'];
        echo "45 SB _session[name] = ".$_SESSION['name']."<br>";

        $url = "test_page_SA.php";
        ob_end_clean();
        header("Location: $url");
        exit();
    }
}
?>
<form method="post" class="" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
    <div>
            <label for="full_latin_name">Full name</label>
        	<input type="text" id="full_latin_name" name="full_latin_name" />
	</div>
            <div>
	            <input type="submit" id="submit" name="submit" value="Save" />
                <input type="hidden" name="submitted_A" value="TRUE" />
            </div>
</form>
</body>
</html>
<?php
ob_end_flush();
?>

[tork]

Here's the input/output to make this easier to understand ..

 

 

#### Test 1 input/output (HTTP):

Start ..

 

URL is HTTP

 

into test_page_SA.php     (output stating the script id)

 

Page SA    (link)

 

Page SB    (link)

 

28 SA session_id() = 1e3pq3v6ibj18adpigpor19ccg8ae4nl     (output from server, and firebug 'cookie', with firebug secure=blank)

33 not set, so now set SA _session[test1] = test1         (output proving $_session took the value)

Full name [__________]           (input box)

 

[Enter the name Jim ..]

 

The response is ..

 

URL is HTTP

 

into test_page_SB.php

 

Page SA

 

Page SB

 

28 SB session_id() = 1e3pq3v6ibj18adpigpor19ccg8ae4nl  (output from server, and firebug 'cookie', with firebug secure=blank)

32 SB _session[test1] = test1                          (proves the session variables are being kept)

33 SB _session[name] = Jim                             (proves the form input is being accepted then assigned to a session variable ok)

Full name  [_________]

 

 

 

#### Test 6 input/output (HTTPS):

Start ..

 

URL is HTTPS

 

into test_page_SA.php

 

Page SA

 

Page SB

 

28 SA session_id() = eeikccp2m9d0uecqa82glvfsa6u0v3lt    (output from server; firebug 'cookie' shows nothing)

33 not set, so now set SA _session[test1] = test1

Full name  {_________}

 

[Enter the name Jim ..]

 

The response is ..

 

URL is HTTPS

 

into test_page_SB.php

 

Page SA

 

Page SB

 

28 SB session_id() = plqm2pnv3eqnl6bign0rr63rhl29n6kb   (output from server; firebug 'cookie' shows nothing)

37 SB _session[test1] not set                           (The session variables are not being sent from the server)

Full name   {__________}

 

                                                        (Notice that the session_id is different for each cycle in Test 6!)

 

[tork]

By trial and error I found the answer:

 

It seems that when SSL is used (test 6), setcookie is required as follows:

 

setcookie('sessionname', session_id(), time()+whatever, '/', 'theSSLhostaddress', true, true or false);

 

Also, the htaccess works in test 6.

 

The non-SSL script (test 1) did not require setcookie!

 

Hope this helps.