PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




PostPosted: Sun Nov 23, 2014 11:06 am 
Forum Newbie

Joined: Sun Nov 23, 2014 10:26 am
Posts: 15
Hi. Firstly, I apologize for the length of this post, but I thought it best to provide you the total environment. I've searched far and wide to try to resolve this issue. I hope you can help.

I am using the scripts (below) on a shared debian server at my web host's remote facility.

My purpose is to have a fully SSL site. The web host gave this format of URL for my shared server SSL: https://hostaddress.net/example/ where http://www.example.com is the domain name.

Map:
/web/index.php (script below)
/web/testbed/htdocs/test_page_SA.php (script below)
/web/testbed/htdocs/test_page_SB.php (script below)

The index.php directs to test_page_SA.php successfully in each circumstance that I'll describe, test_page_SA.php directs to test_page_SB.php as written, and test_page_SB.php directs back to test_page_SA.php.
Before every test I delete the sessions at the server, and also delete the cookies, browsing and download history, and cache on the client (firefox).
At each test I try both http://www.example.com and example.com (both lead to index.php).
Whenever $params are set, they are set in index.php, test_page_SA and test_page_SB.

Question: How do I get the session data to be saved on the server and the cookie saved on the client, while using $params secure=true and the SSL URL in htaccess?

I conducted the following tests to try to isolate the issue, but failed to find an answer.

### Test 1 - non-SSL - the base http script that works:
htaccess script is blank; http is used; $params secure = false.
Result:
test_page_SA and test_page_SB run successfully; an unchanging cookie is observed in Firebug (security = blank). At first the output gives the session id/cookie and the test1 session variable value; then, when the input is saved, the output succeeds at giving the session id and both the test1 and name session variable values with both scripts in turn.

### Test 2 - non-SSL:
htaccess script is blank; http used; $params secure = true.
Result:
test_page_SA fails to send the input to test_page_SB, cookie observed in Firebug (security = secure) and it changes at every save, only the session id/cookie is shown, neither session variables shown. Identical results when input in test_page_SB has data saved.

### Test 3 - non-SSL:
htaccess (below) is tried before using the SSL URL to be sure these lines are not an issue; http used; $params secure = true.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC]
RewriteCond %{SERVER_PORT} 80
Result:
Exactly the same output as Test 2.

### Test 4 - non-SSL:
htaccess (above); http used; $params secure = false.
Result:
Success as in Test 1. So the chunk of htaccess code is not affecting the results.

### Test 5:
htaccess (below, as supplied by the web host); https used; $params secure = false.
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(.*)example\.com [NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://hostaddress.net/example/$1 [R,L]
Result:
test_page_SA fails to send the input to test_page_SB, cookie NOT observed in Firebug and changes at every save, only the session id/cookie is shown as output, neither session variables shown. Identical results when input in test_page_SB has data saved.

### Test 6:
htaccess (above); https used; $params secure = true. I understand that this parameter should be set to true when using https.
Result:
https://hostaddress.net/example/testbed ... age_SA.php shows as the URL in the address bar, as do the URLs in the two menu items hrefs. When a value is input, https://hostaddress.net/example/testbed ... age_SB.php shows in the address bar. As in Test 5, test_page_SA fails to send the input to test_page_SB, cookie NOT observed in Firebug and changes at every save, only the session id/cookie is shown as output, neither session variables shown. Identical results when input in test_page_SB has data saved.

############ Scripts:

<?php
#### index.php

session_name('PHPSESSION');
$lifetime = 7200;
$path = '/';
// NOTE: a browser discards a cookie whose Domain attribute does not cover the
// host that served the page. '.example.com' covers www.example.com and
// example.com (tests 1-4) but not hostaddress.net, the host behind the SSL
// URL (tests 5 and 6).
$domain = '.example.com';
$secure = false;   // true = the browser returns the cookie on https requests only
$httponly = false; // true would hide the cookie from client-side script
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();

$url = "testbed/htdocs/test_page_SA.php";
header("Location: $url");
exit();
?>

<?php
#### test_page_SA.php:

// Buffer output from the very first byte, so that the redirect further down can
// still send a Location header after HTML has already been produced.
ob_start();

session_name('PHPSESSION');
$lifetime = 7200;
$path = '/';
$domain = '.example.com'; // see the note in index.php: must cover the serving host
$secure = true;           // the browser returns the cookie over https only
$httponly = false;
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
</head>
<body>
<?php echo "into test_page_SA.php<br><br>"; ?>
<div><a href="test_page_SA.php" title="Page SA">Page SA</a></div><br>
<div><a href="test_page_SB.php" title="Page SB">Page SB</a></div><br>
<?php
echo "session_id() = ".htmlspecialchars(session_id())."<br>";
if(!isset($_SESSION['test1']))
{
    $_SESSION['test1'] = "test1";
    echo "not set, so now set SA _session[test1] = ".htmlspecialchars($_SESSION['test1'])."<br>";
}
else
{
    echo "set, so SA _session[test1] = ".htmlspecialchars($_SESSION['test1'])."<br>";
    // 'name' only exists once a form has been submitted, so guard the read.
    $name = isset($_SESSION['name']) ? $_SESSION['name'] : '(not set)';
    echo "_session[name] = ".htmlspecialchars($name)."<br>";
}
if (isset($_POST['submitted_A']))
{
    if(isset($_POST['full_latin_name']))
    {
        $_SESSION['name'] = $_POST['full_latin_name'];
        // user input is escaped before being echoed back into the page
        echo "_session[name] = ".htmlspecialchars($_SESSION['name'])."<br>";
        $url = "test_page_SB.php";
        ob_end_clean();   // throw away the buffered HTML before redirecting
        header("Location: $url");
        exit();
    }
}
?>
<form method="post" class="" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
    <div>
        <label for="full_latin_name">Full name</label>
        <input type="text" id="full_latin_name" name="full_latin_name" />
    </div>
    <div>
        <input type="submit" id="submit" name="submit" value="Save" />
        <input type="hidden" name="submitted_A" value="TRUE" />
    </div>
</form>
</body>
</html>
<?php
ob_end_flush();
?>


<?php
#### test_page_SB.php:

// Buffer output from the very first byte, so that the redirect further down can
// still send a Location header after HTML has already been produced.
ob_start();

session_name('PHPSESSION');
$lifetime = 7200;
$path = '/';
$domain = '.example.com'; // see the note in index.php: must cover the serving host
$secure = true;           // the browser returns the cookie over https only
$httponly = false;
session_set_cookie_params($lifetime, $path, $domain, $secure, $httponly);
session_start();
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
</head>
<body>
<?php echo "into test_page_SB.php<br><br>"; ?>
<div><a href="test_page_SA.php" title="Page SA">Page SA</a></div><br>
<div><a href="test_page_SB.php" title="Page SB">Page SB</a></div><br>
<?php
echo "session_id() = ".htmlspecialchars(session_id())."<br>";

if(isset($_SESSION['test1']))
{
    echo "_session[test1] = ".htmlspecialchars($_SESSION['test1'])."<br>";
    // 'name' only exists once a form has been submitted, so guard the read.
    $name = isset($_SESSION['name']) ? $_SESSION['name'] : '(not set)';
    echo "_session[name] = ".htmlspecialchars($name)."<br>";
}
else
{
    echo "_session[test1] not set<br>";
}

if (isset($_POST['submitted_A']))
{
    if(isset($_POST['full_latin_name']))
    {
        $_SESSION['name'] = $_POST['full_latin_name'];
        // user input is escaped before being echoed back into the page
        echo "SB _session[name] = ".htmlspecialchars($_SESSION['name'])."<br>";

        $url = "test_page_SA.php";
        ob_end_clean();   // throw away the buffered HTML before redirecting
        header("Location: $url");
        exit();
    }
}
?>
<form method="post" class="" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
    <div>
        <label for="full_latin_name">Full name</label>
        <input type="text" id="full_latin_name" name="full_latin_name" />
    </div>
    <div>
        <input type="submit" id="submit" name="submit" value="Save" />
        <input type="hidden" name="submitted_A" value="TRUE" />
    </div>
</form>
</body>
</html>
<?php
ob_end_flush();
?>

########## TEST INPUTS AND RESULTING OUTPUTS ..


#### Test 1 input/output (HTTP):
Start ..

URL is HTTP

into test_page_SA.php (output stating the script id)

Page SA (link)

Page SB (link)

session_id() = 1e3pq3v6ibj18adpigpor19ccg8ae4nl (output from server, and firebug 'cookie', with firebug secure=blank)
not set, so now set SA _session[test1] = test1 (output proving $_session took the value)
Full name [__________] (input box)

[Enter the name Jim ..]

The response is ..

URL is HTTP

into test_page_SB.php

Page SA

Page SB

session_id() = 1e3pq3v6ibj18adpigpor19ccg8ae4nl (output from server, and firebug 'cookie', with firebug secure=blank)
_session[test1] = test1 (proves the session variables are being kept)
_session[name] = Jim (proves the form input is being accepted then assigned to a session variable ok)
Full name [_________]



#### Test 6 input/output (HTTPS):
Start ..

URL is HTTPS

into test_page_SA.php

Page SA

Page SB

session_id() = eeikccp2m9d0uecqa82glvfsa6u0v3lt (output from server; firebug 'cookie' shows nothing)
not set, so now set SA _session[test1] = test1
Full name {_________}

[Enter the name Jim ..]

The response is ..

URL is HTTPS

into test_page_SB.php

Page SA

Page SB

session_id() = plqm2pnv3eqnl6bign0rr63rhl29n6kb (output from server; firebug 'cookie' shows nothing)
_session[test1] not set (The session variables are not being sent from the server)
Full name {__________}

(Notice that the session_id is different for each cycle in Test 6!)


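The six tests above differ in exactly two things the browser cares about: whether the cookie's Domain attribute covers the host that served the page, and whether a Secure cookie is being asked to travel over plain http. The following script is an added example, not code from the post; the function names are hypothetical and the scenarios are constructed from the post's own test descriptions. It predicts, for each scenario, whether the PHPSESSION cookie will be stored and sent back, which is the difference between a stable session id and a new one on every request.

```php
<?php
// Added example (not from the original post). Predicts whether the browser will
// store the session cookie and return it, given the host that served the page,
// the scheme, and the cookie parameters passed to session_set_cookie_params().
// Helper names are hypothetical; the scenarios below are constructed to mirror
// the tests described in the post.

function cookieDomainCovers(string $requestHost, string $cookieDomain): bool
{
    // Per RFC 6265 a Domain attribute is honoured only if it equals the request
    // host or is a parent domain of it; a leading dot is ignored.
    $cookieDomain = strtolower(ltrim($cookieDomain, '.'));
    $requestHost  = strtolower($requestHost);
    if ($requestHost === $cookieDomain) {
        return true;
    }
    $suffix = '.' . $cookieDomain;
    return substr($requestHost, -strlen($suffix)) === $suffix;
}

function sessionCookieOutcome(string $requestHost, bool $https, string $cookieDomain, bool $secure): string
{
    if (!cookieDomainCovers($requestHost, $cookieDomain)) {
        // The Set-Cookie header is sent, but the browser silently drops it
        // (nothing appears in Firebug, and PHP sees a new session every time).
        return "rejected: Domain={$cookieDomain} does not cover host {$requestHost}";
    }
    if ($secure && !$https) {
        // The cookie is stored (Firebug shows it with the secure flag) but is
        // never sent on http requests, so every request starts a new session.
        return "stored but never returned: Secure flag on an http:// page";
    }
    return "ok: cookie stored and sent with every request";
}

// Constructed scenarios: [request host, https?, cookie domain, secure flag]
$scenarios = [
    'Test 1' => ['www.example.com', false, '.example.com',    false],
    'Test 2' => ['www.example.com', false, '.example.com',    true],
    'Test 5' => ['hostaddress.net', true,  '.example.com',    false],
    'Test 6' => ['hostaddress.net', true,  '.example.com',    true],
    'fixed'  => ['hostaddress.net', true,  'hostaddress.net', true],
];

foreach ($scenarios as $label => [$host, $https, $domain, $secure]) {
    printf("%-6s %s\n", $label, sessionCookieOutcome($host, $https, $domain, $secure));
}
```

Run from the command line with `php predict_cookie.php` (any file name will do). Tests 3 and 4 behave like tests 2 and 1 because the RewriteCond lines alone change nothing the browser sees. The "fixed" row is the combination the final reply in this thread arrives at: the cookie domain has to be the host that actually serves the SSL URL.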
 
PostPosted: Sun Nov 23, 2014 3:03 pm 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13585
Location: New York, NY, US
I didn't read your whole post, but if you want to maintain your session across multiple domains, you will need to pass your session ID in the URL when switching domains. You should then carefully validate the session and regenerate the session ID.

_________________
(#10850)


 
PostPosted: Sun Nov 23, 2014 6:09 pm 
Forum Newbie

Joined: Sun Nov 23, 2014 10:26 am
Posts: 15
Christopher, is this true for non-SSL and SSL, or only SSL?


 
PostPosted: Mon Nov 24, 2014 2:57 pm 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13585
Location: New York, NY, US
I think both.

_________________
(#10850)


 
PostPosted: Mon Nov 24, 2014 3:14 pm 
Forum Newbie

Joined: Sun Nov 23, 2014 10:26 am
Posts: 15
By trial and error I found the answer:

It seems that when SSL is used (test 6), setcookie is required as follows:

setcookie('sessionname', session_id(), time()+whatever, '/', 'theSSLhostaddress', true, true or false);

Also, the htaccess works in test 6.

The non-SSL script (test 1) did not require setcookie!

Hope this helps.


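The fix the poster found by trial and error (bind the cookie to the SSL host rather than to `.example.com`) and Christopher's advice to validate the session and regenerate its id can be combined in one bootstrap file that all three pages include. The following is an added example, not the poster's code or anything supplied by the web host; the file name `session_bootstrap.php` and the function names are hypothetical, and it assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not from the original thread): session_bootstrap.php, a
// shared bootstrap that index.php, test_page_SA.php and test_page_SB.php would
// require_once instead of carrying their own session_name()/session_set_cookie_params()
// lines. File and function names are hypothetical. Requires PHP 7.3+.

function requestIsHttps(): bool
{
    // mod_ssl sets $_SERVER['HTTPS'] to 'on'; some SAPIs set it to 'off'.
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

function startSecureSession(int $lifetime = 7200): void
{
    $https = requestIsHttps();

    session_name('PHPSESSION');
    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        // Empty domain = host-only cookie: it is bound to the exact host that
        // served the page (www.example.com over http, hostaddress.net over the
        // SSL URL), which is what the fixed setcookie() call achieves without
        // also sharing the cookie with every other subdomain of the host.
        'domain'   => '',
        // Secure only when the request really came over TLS; a Secure cookie
        // on an http page is stored but never sent back (tests 2 and 3).
        'secure'   => $https,
        // Keep the session id out of reach of client-side script.
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Rotate the id when the session is new or when the scheme it was created
    // under changes, so an id issued over plain http is never carried into the
    // https site. The session data itself is kept; only the id is replaced.
    if (!isset($_SESSION['created_https']) || $_SESSION['created_https'] !== $https) {
        session_regenerate_id(true);
        $_SESSION['created_https'] = $https;
        $_SESSION['created_at']    = time();
    }

    // Absolute cap on how long one id stays valid, independent of activity.
    if (time() - $_SESSION['created_at'] > $lifetime) {
        session_regenerate_id(true);
        $_SESSION['created_at'] = time();
    }
}

// Usage at the top of each page, before any output:
// require_once __DIR__ . '/session_bootstrap.php';
// startSecureSession();
```

Because the http site (www.example.com) and the SSL site (hostaddress.net) are different hosts, a cookie can never carry one session between them; that is the situation Christopher's reply describes. Rather than passing the session id in the URL, the bootstrap above simply lets each host keep its own session, and the redirect in .htaccess moves visitors to the SSL host before any session data worth keeping has been created.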