I manage a website (a single-page application) with custom session code managed by a team to which I do not have access. The application is custom-built using appweb and is not like other publicly hosted websites. This app has been served over both HTTP and HTTPS. After logging in over HTTP, if the user then logs in over HTTPS, the secure attribute is not set despite the following code.
$https = $_SERVER['SERVER_PROTOCOL'] == 'https' ? 1 : 0;
ini_set("session.cookie_secure", $https);
//or
session_set_cookie_params(0, '/', null, $https, 1);
So, I overwrote the session cookie as follows, using the above code. It worked.
$sessname = session_name();
setcookie($sessname, $_COOKIE[$sessname], 0, '/', null, $https, 1);
The anomaly is when opening both HTTP and HTTPS in two tabs, which causes either session to become invalid because of the custom code. Though it is a negative scenario, this may confuse the user if he does the above.
I know there are other options to circumvent this, and I had been using those, like a redirect. Yet I wanted to check whether my alternative holds good.
Now, what I had been thinking of as an alternative is the following.
$https = $_SERVER['SERVER_PROTOCOL'] == 'https' ? 1 : 0;
$sessname = session_name();
$domain = $_SERVER['SERVER_PROTOCOL'].'.'.$_SERVER['REMOTE_ADDR'];
setcookie($sessname, $_COOKIE[$sessname], 0, '/', $domain, $https, 1);
Here I have set a different domain name for HTTP and HTTPS for the same session ID. When logged in over HTTP, the PHP session ID cookie will have the domain http.10.10.10.1, and when logged in over HTTPS, the PHP session ID cookie will have the domain set to https.10.10.10.1. It is working.
Is it the right way? Will there be any side effects?
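For comparison, here is the conventional way of binding a PHP session cookie to the scheme it was issued over: detect TLS from $_SERVER['HTTPS'] (and from X-Forwarded-Proto only when the request comes from a proxy you control), set the Secure and HttpOnly attributes before session_start(), and rotate the session ID the first time a session that may already have travelled over plaintext is used on HTTPS. This is an added example, not the poster's code or part of appweb; it assumes a SAPI that populates $_SERVER['HTTPS'] on TLS requests and PHP 7.3 or later for the array form of session_set_cookie_params(). TRUSTED_PROXY and the issued_over_https session key are hypothetical names introduced here.

```php
<?php
// Added example (not the poster's code). Assumes $_SERVER['HTTPS'] is populated on
// TLS requests and PHP >= 7.3. TRUSTED_PROXY is a hypothetical constant naming the
// one reverse proxy whose X-Forwarded-Proto header should be believed ('' = none).

declare(strict_types=1);

const TRUSTED_PROXY = ''; // e.g. '10.0.0.2' if a TLS terminator sits in front of PHP

/** True when the current request arrived over TLS. */
function request_is_https(array $server): bool
{
    // Most SAPIs set HTTPS to a non-empty value ('on' or '1'); IIS sets 'off'
    // explicitly, so compare the value rather than just test for presence.
    $https = strtolower((string) ($server['HTTPS'] ?? ''));
    if ($https !== '' && $https !== 'off') {
        return true;
    }
    // X-Forwarded-Proto can be supplied by any client, so honour it only from
    // the address of a proxy you operate.
    if (TRUSTED_PROXY !== ''
        && ($server['REMOTE_ADDR'] ?? '') === TRUSTED_PROXY
        && strtolower((string) ($server['HTTP_X_FORWARDED_PROTO'] ?? '')) === 'https') {
        return true;
    }
    return false;
}

$isHttps = request_is_https($_SERVER);

// Cookie attributes must be configured before session_start().
// Domain is left empty: the browser then stores a host-only cookie. A Domain value
// must domain-match the request host, so a scheme prefix such as "https.<host>"
// is not a valid way to separate the two cookies.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => $isHttps,   // cookie is only ever sent back over TLS
    'httponly' => true,       // not readable from client-side script
    'samesite' => 'Lax',
]);
session_start();

// A session ID that was first issued over HTTP has already crossed the wire in
// plaintext. Do not promote it to the HTTPS session: issue a fresh ID on the first
// TLS request and record that this session was issued securely.
if ($isHttps && empty($_SESSION['issued_over_https'])) {
    session_regenerate_id(true);          // new ID, old ID deleted server-side
    $_SESSION['issued_over_https'] = true;
}
```

Because the regenerated ID is delivered with the Secure attribute, a plain-HTTP tab never receives it and simply starts a session of its own; the two schemes end up with distinct sessions without relying on the Domain attribute.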