
On my secure site (https), I set a PHP $_SESSION variable. I then use header("location: http://...page.php") to send the user to a php page on my http site, which is on the same server. The session variable is lost, because of the http:// URL (I assume) in the header statement. I can't get the header("location: ...") to work without using the full URL. Thus I tried the following tip from stackoverflow - php session lost when switching, which several other posts reference, but I ended up with numerous error_log warning entries and once I clicked to another page that required $_SESSION['loginUser'], the session was gone.

PHP Warning: session_start(): The session id is too long or contains illegal characters

Sample session ID passed: dlouenopfi3edoep3dlvne8bn1

Code that creates the session on https php page (note for this post header location is not real)

session_start();
$currentSessionID = session_id();
$_SESSION['loginUser'] = $username; 

header("location: http://www.test.com/path/to/page/off-campus/cat_index.php?session=$currentSessionID");

Code that receives the session on http php pages

// Retrieve the session ID as passed via the GET method.
$currentSessionID = $_GET['session'];
echo "sid: " . $currentSessionID;//a session id like above is displayed

// Set a cookie for the session ID.
session_id($currentSessionID);

session_start();

if (isset($_SESSION['loginUser'])) {
    $username = $_SESSION['loginUser'];
    echo "Welcome: $username<br />";
} else {
    require_once($_SERVER["DOCUMENT_ROOT"] . "/_includes/CASwrap.php");
}

I've exhausted my searching. Any help will be appreciated. Thanks.

  • Can't you just copy the file from your HTTP server to your https? – Rotimi Mar 25 '17 at 08:10
  • just to be sure you actually mean same host ? not different subdomain ? – georoot Mar 25 '17 at 08:34
  • Just think about this for a second... A user comes onto an HTTPS site - they enter some credentials and info - which can potentially be stored in a session - the site then redirects the user over to HTTP where the connection between host and client is no longer secure - that can't happen. Your whole site should either be on http or https - y'all can't go mixing and matching and expecting the server to happily float data between secure and non-secure locations – Trent Mar 25 '17 at 09:03
  • The page in question is an include that is used in many pages. I tried moving it over but that made a bigger tangle to solve. Both sites are on the same host/server, but I figure by definition they are both subdomains of the main campus domain. This is an intermediate step until a plan is in place to move the entire site. –  Mar 25 '17 at 16:57

1 Answer


I solved my two questions.

To prevent the numerous error_log warning entries all I needed was an "exit" statement after the "header" statement.

To maintain the current session, I used an if statement to test for a current session id stored in the variable $currentSessionID. If yes then set the session_id with the value of $currentSessionID. If no, then don't set the session_id with the $currentSessionID variable, since it has no value.
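
The two fixes this answer describes (an exit after the header call, and calling session_id() only when an ID was actually passed), written out as an added example that is not the poster's code. The function names redirect_with_session() and resume_session() and the SESSION_ID_PATTERN constant are assumptions of this example; it also replaces the ID once it has been adopted, which the answer does not mention.

```php
<?php
// Added example, not the poster's code; both function names are hypothetical.

// Characters and length PHP's file-based session handler accepts in an ID.
const SESSION_ID_PATTERN = '/\A[A-Za-z0-9,-]{1,128}\z/';

/** https page: store the login, then pass the session ID to the http page. */
function redirect_with_session(string $username, string $targetUrl): void
{
    session_start();
    $_SESSION['loginUser'] = $username;
    $query = http_build_query(['session' => session_id()]);
    session_write_close();   // write the session data before redirecting
    header('Location: ' . $targetUrl . '?' . $query);  // assumes no query string yet
    exit;                    // the fix from the answer: stop after the header
}

/** http page: adopt the passed ID only when one was supplied and is well formed. */
function resume_session(array $get): ?string
{
    $currentSessionID = $get['session'] ?? '';
    $passed = is_string($currentSessionID)
        && preg_match(SESSION_ID_PATTERN, $currentSessionID) === 1;
    if ($passed) {
        session_id($currentSessionID);
    }
    session_start();
    $username = $_SESSION['loginUser'] ?? null;
    if ($passed && $username !== null) {
        // The ID travelled in a URL, so replace it and delete the old session.
        session_regenerate_id(true);
    }
    return $username;
}

// Receiving page, following the structure of the question's code.
$username = resume_session($_GET);
if ($username !== null) {
    echo 'Welcome: ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '<br />';
} else {
    require_once $_SERVER['DOCUMENT_ROOT'] . '/_includes/CASwrap.php';
}
```

Because the ID is replaced after the first request, a reload of the original URL carries a retired ID and falls through to the CAS include.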