2

I think I read and tried all relevant topics about "sessions, cross-domain and ssl" here on stackoverflow . Unfortunately nothing works.

My case:

loginForm.html (non-SSL) -> authUser.php (SSL) -> showAccount.php (non-SSL)

The problem is, that these files are placed on different subdomains and served by SSL or non-SSL.

loginForm.html -> http://dev.domain.com
authUser.php -> https://ssl.domain.com
showAccount.php -> http://dev.domain.com

If the user credentials are correct, the authUser.php should create the session which is used by showAccount.php.

As already mentioned, I tried all posted solutions. For reference let's take a look at this: Session lost when switching from HTTP to HTTPS in PHP .
I also tried to extend this snippet with session_set_cookie_params as mentioned in PHP Sessions across sub domains but this neither works.
I also tried ini_set('session.cookie_domain', '.domain.com');

Edit: As in the answers requested, here is the used code (which was originally posted by Jacob here: Session lost when switching from HTTP to HTTPS in PHP)

https://ssl.domain.com/user/authUser.php

<?php

// auth with database was successful, so create the session

session_set_cookie_params(0, '/', '.domain.com'); 
session_start();

$currentSessionID = session_id();
$_SESSION['testvariable'] = 'It worked';
$InsecureServerDomain = 'dev.domain.com';
$pagePath = '/showAccount.php';

echo '<a href="http://' . $InsecureServerDomain . $pagePath . '?session=' . $currentSessionID . '">Transfer Cookie from secure to insecure </a>';

?>

http://dev.domain.com/showAccount.php

<?php

$currentSessionID = filter_input(GET, "session");
session_set_cookie_params(0, '/', '.domain.com'); 

session_id($currentSessionID);

session_start();

if (!empty($_SESSION['testvariable'])) {
      echo $_SESSION['testvariable'];
} else {
      echo 'It did not work.';
}

?>

The $_SESSION is always empty.

Are there any hints?

Community
  • 1
  • 1
Andrew
  • 387
  • 2
  • 4
  • 10

2 Answers2

1

There's no point in securing just your login/authorization. An attacker who's looking at network traffic can steal the login cookie / session token you pass to the server on every request, and then login as that user. Sure, the password will be safe, but it doesn't actually protect your user's session from being hijacked by a man-in-the-middle attack, say, on an unsecure WiFi network.

See Firesheep for an example of how this works.

Perception
  • 79,279
  • 19
  • 185
  • 195
Julia McGuigan
  • 624
  • 1
  • 7
  • 16
  • Thanks for you answer, Jordan McGuigan. I don't have the ressources to transfer all the data by SSL. So I decided to implement this compromise of security/ressources. I just added some code, what would you improve? – Andrew Apr 24 '12 at 10:10
  • 1
    Your filter is wrong. See the docs: php.net/manual/en/function.filter-input.php You also must specify a filter php.net/manual/en/filter.filters.php You probably want to use INPUT_GET. You probably also want to encrypt or hash the session ID in some way. I would strongly suggest building your own token. That way not only can you pass it between HTTPS/HTTP, but you could pass it to say, Node.JS as well, and send push notifications... – Julia McGuigan Apr 24 '12 at 12:59
  • Thanks Jordan - you're right, I had an error at my filter_input(). This is fixed now, the cookie and the session are set correct (seen in the session save path), but `showAccount.php`still can't read the session. I'm with you with building my own token for security issues, but it should work in this basic way before. Do you have any more hints? – Andrew Apr 24 '12 at 13:19
  • Not sure, everything looks right to me, but I can't test it not having a server (or dev enviornment) that supports SSL. – Julia McGuigan Apr 24 '12 at 13:32
0

As always it would be helpful to see some code. Maybe the sections where you store your session and how you are using cookies/databases. Here is an awesome tutorial on how to do cross-domain authorization, give this guy some more upvotes!

Community
  • 1
  • 1
buster
  • 1,038
  • 7
  • 16