Certain hosting providers (like HostGator) provide shared SSL certificates for accounts. What this means is that my HTTPS link is a different domain from my HTTP.

i.e., the URLs are something like http://www.mydomain.com and https://secure123.hostgator.com/~bill/

I'm trying to log the user in on the secure domain, set session variables and then redirect to the home page. However, when doing this, the session variables are lost.

Insecure Index.php:

<?php session_start(); 
echo $_SESSION['name'];
?>
<html><body>
<p><a href="https://secure123.hostgator.com/~bill/login.php">Login</a></p>
</body></html>

Secure Login.php:

<?php session_start(); 
$_SESSION['name'] = "Bill";
header("Location: http://www.mydomain.com/index.php");
exit; // stop the script once the redirect header is sent
?>

How can I ensure the session variables are able to be read by all files on both http and https?

CMH
  • Possible duplicate of http://stackoverflow.com/questions/441496/session-lost-when-switching-from-http-to-https-in-php?rq=1 Guy has explained very well how to manage session between HTTP and HTTPS – Jack Daniel's Jul 03 '13 at 00:07
  • Providing the ID via GET results in messy URLs that I'm trying to stay away from - for SEO and bookmarking, etc. Is there another way? Like using POST or something else? – CMH Jul 03 '13 at 03:11
  • If you go through the link which I provided, you will find different solutions... you can use cookies, POST, or implement a cache layer... Check out all the answers and implement the one that best fits your requirements :) – Jack Daniel's Jul 03 '13 at 04:44

1 Answer

You can provide your session id via GET.

header("location: http://www.mydomain.com/index.php?PHPSESSID=".session_id());

On the other hand, you can turn on session.use_trans_sid.

Or set the session ID with the session_id() function.

Manual: Passing the Session ID

sectus
  • Providing the ID via GET results in messy URLs that I'm trying to stay away from - for SEO and bookmarking, etc. Is there another way? Like using POST or something else? – CMH Jul 03 '13 at 03:10
  • Are you sure that search engines will try to log in? – sectus Jul 03 '13 at 04:17
  • Also, you could use POST. After login, show the user an auto-submitting (onload -> submit) form from https to http. – sectus Jul 03 '13 at 04:18
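
An alternative to putting PHPSESSID itself in the redirect URL, as an added example that is not part of the original answer or comments: login.php hands over a random, single-use, short-lived token, and index.php exchanges it for the session ID and then redirects to the clean URL. The function names, the 30-second lifetime and the file-based token store are assumptions, and both sites are assumed to share one filesystem, as on a shared hosting account.

```php
<?php
// Added example, not from the original thread. The token directory, TTL and
// function names are assumptions; both sites must share the same filesystem.

const HANDOFF_TTL = 30; // seconds a token stays valid (assumed value)

// Called on the HTTPS side after login: map a random token to the session ID.
function issue_handoff_token(string $sessionId, string $dir): string
{
    $token = bin2hex(random_bytes(32));
    $record = json_encode(['sid' => $sessionId, 'exp' => time() + HANDOFF_TTL]);
    // Store under the token's hash so a directory listing reveals no usable token.
    file_put_contents($dir . '/' . hash('sha256', $token), $record, LOCK_EX);
    return $token;
}

// Called on the HTTP side: returns the session ID once, then the token is dead.
function redeem_handoff_token(string $token, string $dir): ?string
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;
    }
    $path = $dir . '/' . hash('sha256', $token);
    $claimed = $path . '.' . bin2hex(random_bytes(8));
    // rename() is atomic, so only one request can claim a given token.
    if (!@rename($path, $claimed)) {
        return null;
    }
    $record = json_decode(file_get_contents($claimed), true);
    unlink($claimed);
    if (!is_array($record) || $record['exp'] < time()) {
        return null;
    }
    return $record['sid'];
}

// Constructed demo run from the CLI; in the thread's setup login.php would call
// issue_handoff_token(session_id(), ...) and redirect to index.php?t=<token>,
// and index.php would call session_id($sid) before session_start().
$dir = sys_get_temp_dir() . '/handoff_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$token = issue_handoff_token('constructed-session-id', $dir);
var_dump(redeem_handoff_token($token, $dir));   // first use of a fresh token
var_dump(redeem_handoff_token($token, $dir));   // replay of the same token
var_dump(redeem_handoff_token('../etc', $dir)); // malformed token
rmdir($dir);
```

Because the token is consumed on first use, a bookmarked or logged copy of the redirect URL no longer identifies the session.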