
SSL & Session Issues

I’m not sure if this should be in the PHP section or not, but I’m not sure if the issue is PHP-related, .htaccess-related, or even something else.

When doing final testing on my new website, I was surprised to come across a problem with my membership registration system. It’s built with PHP, and is pretty conventional – log in info is submitted via POST, PHP authenticates it with the help of MySQL, and PHP sets session variables which are used to check if the user is logged in on certain pages. The PHP scripts that are used to POST to and set the session information are required to use SSL.

In my tests using Safari, everything worked fine. However, in IE, I log in, and it seems like everything is fine, but my session doesn’t work. My credentials are POST-ed correctly because PHP doesn’t output any errors, but it’s like the session doesn’t realize I’m logged in because when I try and access protected pages, I’m sent back to the log in page.

Is using SSL and setting the regenerated session cookie screwing things up? I can’t figure out the problem!

Any help would be greatly appreciated.

Thanks!

2 Comments(s)

@svidgen, Nov 08.2008 — My best educated guess is that you're changing subdomains after authentication. So, perhaps your login form is posting to www.yoursite.com, whereas all of your links point to yoursite.com (note the missing www). Safari may be assuming (or somehow deducing) that the cookies it has are associated with both domains, whereas IE may take a slightly more anal (and secure) approach and be more restrictive.

If this happens to be the problem, there are two solutions. You could "correct" your links, so they all point to the same domain/subdomain. Or, you could try modifying the parameters of your session cookie--setting the domain to .yoursite.com instead of yoursite.com or www.yoursite.com.

If this isn't your problem, it's possible (though unlikely) that PHP is getting excited and sending the secure flag in the cookie header. See http://us2.php.net/setcookie for details on PHP's cookie setting options.

If you're just using PHP's built-in session functions, you may need to alter the cookie parameters via session_set_cookie_params().

Does that help?
@phpfreak (author), Nov 08.2008 — Thanks so much! I think it was a combination of the subdomain (www vs no www) and my PHP function that I use to check if the user is logged in. I forgot that I had the function set to only allow my admin account to view the pages - I had been trying to log in with another account.

Thanks again.
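
The two fixes suggested in the thread (one canonical host, or a session cookie scoped to the parent domain), combined with HTTPS-only cookies, as an added example that is not part of the original posts. It assumes PHP 7.3+ (array form of session_set_cookie_params()); the function names, the choice of www.yoursite.com as canonical host and the /login.php path are hypothetical.

```php
<?php
// Added example; yoursite.com is the thread's placeholder, names are hypothetical.
const SITE_DOMAIN    = 'yoursite.com';
const CANONICAL_HOST = 'www.yoursite.com';

// Fix 1: send every request to one HTTPS host so the cookie's host always matches.
// Assumes PHP sees the TLS connection directly (no TLS-terminating proxy in front).
function enforce_canonical_host(): void
{
    $host  = strtolower($_SERVER['HTTP_HOST'] ?? '');
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if ($host !== CANONICAL_HOST || !$https) {
        // Target host comes from the constant, never from the client's Host header.
        $path = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: https://' . CANONICAL_HOST . $path, true, 301);
        exit;
    }
}

// Fix 2: scope the session cookie to the parent domain before session_start().
function start_site_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,                 // expires when the browser closes
        'path'     => '/',
        'domain'   => '.' . SITE_DOMAIN, // valid on yoursite.com and www.yoursite.com
        'secure'   => true,              // sent over HTTPS only; HTTP pages never see it
        'httponly' => true,              // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After credentials are verified: issue a fresh session id, then mark the user.
function mark_logged_in(int $userId): void
{
    session_regenerate_id(true);         // discard the pre-login session id
    $_SESSION['user_id'] = $userId;
}

function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: https://' . CANONICAL_HOST . '/login.php', true, 302);
        exit;
    }
}

enforce_canonical_host();
start_site_session();
require_login();
```

A cookie with domain .yoursite.com is sent to every subdomain, so when a single host serves the site, the redirect alone with a host-only cookie (omit 'domain') is the narrower choice.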