tork Posted November 23, 2014 Share Posted November 23, 2014 I am using the scripts (at the end) on a shared debian server at my web host's remote facility. My purpose is to have a fully SSL site. The web host gave this format of URL for my SSL: https://hostaddress.net/example/ where www.example.com is the domain name. Map: /web/index.php (script below) /web/testbed/htdocs/test_page_SA.php (script below) /web/testbed/htdocs/test_page_SB.php (script below) The index.php directs to test_page_SA.php successfully in each circumstance that I'll describe, test_page_SA.php directs to test_page_SB.php as written, and test_page_SB.php directs back to test_page_SA.php. Before every test I delete the sessions at the server, and also delete the cookies, browsing and download history, and cache on the client (firefox). At each test I try both www.example.com and example.com (both lead to index.php). Whenever $params are set, they are set in index.php, test_page_SA and test_page_SB. I've searched far and wide to try to resolve this issue, and now it's forum time. Question: How do I get the session data to be saved on the server and the cookie saved on the client, while using $params secure=true and the SSL URL in htaccess? I conducted the following tests to try to isolate the issue, but failed to find an answer. Test 1 - non-SSL - the base http script that works: htaccess script is blank; http is used; $params secure = false. Result: test_page_SA and test_page_SB run successfully, unchanging cookie observed in Firebug (security = blank), at first giving the session id/cookie and the test1 session variable value, then when the input is saved, the output succeeds at giving the session id and both the test1 and name session variable values with both scripts in turn. Test 2 - non-SSL: htaccess script is blank; http used; $params secure = true. Result: test_page_SA fails to send the input to test_page_SB, cookie observed in Firebug (security = secure) and changes at every save, only the session id/cookie is shown, neither session variables shown. Identical results when input in test_page_SB has data saved. Test 3 - non-SSL: htaccess (below) is tried before using the SSL URL to be sure these lines are not an issue; http used; $params secure = true. RewriteEngine On RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC] RewriteCond %{SERVER_PORT} 80 Result: Exactly the same output as Test 2. Test 4 - non-SSL: htaccess (above); http used; $params secure = false. Result: Success as in Test 1. Test 5: htaccess (below, as supplied by the web host); https used; $params secure = false. RewriteEngine On RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC] RewriteCond %{SERVER_PORT} 80 RewriteRule ^(.*)$ https://hostaddress.net/example/$1 [R,L] Result: test_page_SA fails to send the input to test_page_SB, cookie NOT observed in Firebug and changes at every save, only the session id/cookie is shown as output, neither session variables shown. Identical results when input in test_page_SB has data saved. Test 6: htaccess (above); https used; $params secure = true. I understand that this parameter should be set to true when using https. Result: https://hostaddress.net/example/testbed/htdocs/test_page_SA.php shows as the URL in the address bar, as do the URLs in the two menu items hrefs. When a value is input, https://hostaddress.net/example/testbed/htdocs/test_page_SB.php shows in the address bar. As in Test 5, test_page_SA fails to send the input to test_page_SB, cookie NOT observed in Firebug and changes at every save, only the session id/cookie is shown as output, neither session variables shown. Identical results when input in test_page_SB has data saved. #### index.php <?php session_name('PHPSESSION'); $lifetime = 7200; $path = '/'; $domain = '.example.com'; $secure = false; $httponly = false; session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly); session_start(); $url = "testbed/htdocs/test_page_SA.php"; header("Location: $url"); exit(); ?> #### test_page_SA.php: <?php session_name('PHPSESSION'); $lifetime = 7200; $path = '/'; $domain = '.example.com'; $secure = true; $httponly = false; session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly); session_start(); ?> <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8" /> <?php ob_start(); echo "into test_page_SA.php<br><br>"; ?> </head> <body> <div><a href="test_page_SA.php" title="Page SA">Page SA</a></div><br> <div><a href="test_page_SB.php" title="Page SB">Page SB</a></div><br> <?php echo "28 SA session_id() = ".session_id()."<br>"; if(!isset($_SESSION['test1'])) { $_SESSION['test1'] = "test1"; echo "33 not set, so now set SA _session[test1] = ".$_SESSION['test1']."<br>"; } else { echo "37 SA set, so SA _session[test1] = ".$_SESSION['test1']."<br>"; echo "38 SA _session[name] = ".$_SESSION['name']."<br>"; } if (isset($_POST['submitted_A'])) { if(isset($_POST['full_latin_name'])) { $_SESSION['name'] = $_POST['full_latin_name']; echo "46 SA _session[name] = ".$_SESSION['name']."<br>"; $url = "test_page_SB.php"; ob_end_clean(); header("Location: $url"); exit(); } } ?> <form method="post" class="" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>"> <div> <label for="full_latin_name">Full name</label> <input type="text" id="full_latin_name" name="full_latin_name" /> </div> <div> <input type="submit" id="submit" name="submit" value="Save" /> <input type="hidden" name="submitted_A" value="TRUE" /> </div> </form> </body> </html> <?php ob_end_flush(); ?> #### test_page_SB.php: <?php session_name('PHPSESSION'); $lifetime = 7200; $path = '/'; $domain = '.example.com'; $secure = true; $httponly = false; session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly); session_start(); ?> <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8" /> <?php ob_start(); echo "into test_page_SB.php<br><br>"; ?> </head> <body> <div><a href="test_page_SA.php" title="Page SA">Page SA</a></div><br> <div><a href="test_page_SB.php" title="Page SB">Page SB</a></div><br> <?php echo "28 SB session_id() = ".session_id()."<br>"; if(isset($_SESSION['test1'])) { echo "32 SB _session[test1] = ".$_SESSION['test1']."<br>"; echo "33 SB _session[name] = ".$_SESSION['name']."<br>"; } else { echo "37 SB _session[test1] not set<br>"; } if (isset($_POST['submitted_A'])) { if(isset($_POST['full_latin_name'])) { $_SESSION['name'] = $_POST['full_latin_name']; echo "45 SB _session[name] = ".$_SESSION['name']."<br>"; $url = "test_page_SA.php"; ob_end_clean(); header("Location: $url"); exit(); } } ?> <form method="post" class="" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>"> <div> <label for="full_latin_name">Full name</label> <input type="text" id="full_latin_name" name="full_latin_name" /> </div> <div> <input type="submit" id="submit" name="submit" value="Save" /> <input type="hidden" name="submitted_A" value="TRUE" /> </div> </form> </body> </html> <?php ob_end_flush(); ?> Quote Link to comment https://forums.phpfreaks.com/topic/292650-with-ssl-not-saving-sessions-cookies-not-being-sent/ Share on other sites More sharing options...
tork Posted November 23, 2014 Author Share Posted November 23, 2014 Here's the input/output to make this easier to understand .. #### Test 1 input/output (HTTP): Start .. URL is HTTP into test_page_SA.php (output stating the script id) Page SA (link) Page SB (link) 28 SA session_id() = 1e3pq3v6ibj18adpigpor19ccg8ae4nl (output from server, and firebug 'cookie', with firebug secure=blank) 33 not set, so now set SA _session[test1] = test1 (output proving $_session took the value) Full name [__________] (input box) [Enter the name Jim ..] The response is .. URL is HTTP into test_page_SB.php Page SA Page SB 28 SB session_id() = 1e3pq3v6ibj18adpigpor19ccg8ae4nl (output from server, and firebug 'cookie', with firebug secure=blank) 32 SB _session[test1] = test1 (proves the session variables are being kept) 33 SB _session[name] = Jim (proves the form input is being accepted then assigned to a session variable ok) Full name [_________] #### Test 6 input/output (HTTPS): Start .. URL is HTTPS into test_page_SA.php Page SA Page SB 28 SA session_id() = eeikccp2m9d0uecqa82glvfsa6u0v3lt (output from server; firebug 'cookie' shows nothing) 33 not set, so now set SA _session[test1] = test1 Full name {_________} [Enter the name Jim ..] The response is .. URL is HTTPS into test_page_SB.php Page SA Page SB 28 SB session_id() = plqm2pnv3eqnl6bign0rr63rhl29n6kb (output from server; firebug 'cookie' shows nothing) 37 SB _session[test1] not set (The session variables are not being sent from the server) Full name {__________} (Notice that the session_id is different for each cycle in Test 6!) Quote Link to comment https://forums.phpfreaks.com/topic/292650-with-ssl-not-saving-sessions-cookies-not-being-sent/#findComment-1497353 Share on other sites More sharing options...
Solution tork Posted November 24, 2014 Author Solution Share Posted November 24, 2014 By trial and error I found the answer: It seems that when SSL is used (test 6), setcookie is required as follows: setcookie('sessionname', session_id(), time()+whatever, '/', 'theSSLhostaddress', true, true or false); Also, the htaccess works in test 6. The non-SSL script (test 1) did not require setcookie! Hope this helps. Quote Link to comment https://forums.phpfreaks.com/topic/292650-with-ssl-not-saving-sessions-cookies-not-being-sent/#findComment-1497550 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.