
I changed the panel part of the website to a secure SSL location, “https://panel.domain.com”, and configured this as a separate domain created under a different user on DirectAdmin. This has been done for security reasons and to have the possibility to move the panel to a completely different server in the future.

  1. website http (normal website) user1 on DA.
  2. subdomain https (secure panel) user2 on DA.

The problem that occurs: when somebody has been logged in from http or https and goes to the secure login.php (https) and, after logging in, goes back to http, you don’t see that you are logged in and the options that come with it, but you see the login form again. I want to show the logged-in options, like overview and my information, on http with a session cookie.

I tried a lot of things with cookies and so on, but I can’t get it right. If I check the cookies in the browser, I see that panel.website.com and www.website.com both have different session IDs. This is the latest code I am using.

Login.php HTTPS Page

```php
<?php
// the session must be active before its id can be regenerated
session_start();

// regenerate session id to make session fixation more difficult
session_regenerate_id(true);

// generate random code for the authentication cookie and store it in the session
$authCode = md5(uniqid(mt_rand(), true));
$_SESSION['authentication'] = $authCode;

// create authentication cookie, and restrict it to HTTPS pages
// (empty domain, secure = true, httponly = true)
setcookie('authentication', $authCode, 0, '/', '', true, true);
?>

<form method="post" action="https://panel.website.com/login">
<table>
<tr>
<td><input type="text" name="email" /></td>
</tr>
<tr>
<td><input type="password" name="password" /></td>
</tr>
<tr>
<td><input type="submit" name="login" value="login" /></td>
</tr>
</table>
</form>
```

Index.php HTTP with login form and links/options after logging in

```php
<?php
// the session must be started before $_SESSION can be read
session_start();

// check that the authentication cookie exists, and that
// it contains the same code which is stored in the session.
$pageIsSecure = (!empty($_COOKIE['authentication']))
    && isset($_SESSION['authentication'])
    && ($_COOKIE['authentication'] === $_SESSION['authentication']);

if (!$pageIsSecure) {
    // do not display the page, redirect to login form
?>

<form method="post" action="https://panel.website.com/login">
<table>
<tr>
<td><input type="text" name="email" /></td>
</tr>
<tr>
<td><input type="password" name="password" /></td>
</tr>
<tr>
<td><input type="submit" name="login" value="login" /></td>
</tr>
</table>
</form>

<?php
} else {
    // else show options after logging in on http
?>

<li><a href="https://panel.website.com/overview">Overview</a></li>
<li><a href="https://panel.website.com/my-information">My Information</a></li>

<?php } ?>
```
  • Similar questions: http://stackoverflow.com/q/7201493/684229, http://stackoverflow.com/q/108558/684229, http://stackoverflow.com/q/567535/684229, http://stackoverflow.com/q/14315820/684229 – Tomas Jan 04 '14 at 15:05
  • Yes, I know and many more topics. Already looked at many and tried those fixes, but can't get it right. – user3160309 Jan 04 '14 at 15:19

0 Answers
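Why the HTTP page never receives the cookie that login.php sets, as an added example that is not part of the original question: a simplified JavaScript model of the browser's cookie-matching rules (RFC 6265), covering only the Domain and Secure attributes and leaving out path and expiry. The function names are hypothetical; the host names are the ones used in the question.

```javascript
// Simplified model of RFC 6265 cookie selection: which stored cookies a
// browser attaches to a request. Path matching and expiry are left out.

// Store a cookie the way a browser does after a Set-Cookie response.
// An empty domain, as in setcookie(..., '/', '', true, true), makes the
// cookie host-only: it is bound to the exact host that set it.
function storeCookie(setByHost, { name, domain = '', secure = false }) {
  const hostOnly = domain === '';
  return {
    name,
    domain: (hostOnly ? setByHost : domain.replace(/^\./, '')).toLowerCase(),
    hostOnly,
    secure,
  };
}

// RFC 6265 section 5.1.3 domain-match: identical, or host ends with "." + domain.
function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Would the browser send this cookie with a request to `url`?
function isSent(cookie, url) {
  const { protocol, hostname } = new URL(url);
  const hostOk = cookie.hostOnly
    ? hostname === cookie.domain
    : domainMatch(hostname, cookie.domain);
  const schemeOk = !cookie.secure || protocol === 'https:';
  return hostOk && schemeOk;
}

// Constructed cases: the cookie as posted, and the same cookie with an
// explicit parent domain (an assumption, not something the question tried).
const PANEL = 'panel.website.com';
const asPosted = storeCookie(PANEL, { name: 'authentication', secure: true });
const parentDomain = storeCookie(PANEL, {
  name: 'authentication', domain: 'website.com', secure: true,
});

function report() {
  const urls = ['https://panel.website.com/login',
    'https://www.website.com/', 'http://www.website.com/'];
  return urls.map((url) => ({
    url, asPosted: isSent(asPosted, url), parentDomain: isSent(parentDomain, url),
  }));
}

console.table(report());
```

PHP's session cookie is host-only by default as well, which matches the two different session IDs seen for panel.website.com and www.website.com. A cookie that the HTTP page can read would have to be set without the Secure flag, so it would travel in plaintext on every HTTP request.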