: Session cookie being dropped when moving under the SSL The short version: I've got a session cookie being set on a dev site but it's not being picked up when I move to the SSL (so the shopping

@Angie530

OK - I think I've just solved it, thanks to Dave and Emil; whilst you didn't hit the nail on the head - you did make me look in the right sort of place (and reminded me of Fiddler to debug).

Theoretically, what I was doing should not have broken the cookie but it was, but only sometimes (e.g. it worked fine accessing the online dev server from home but not from the office)...

Basically, PHP's session cookie control session_set_cookie_params() doesn't handle non-zero expiry dates in the way I'd like; if you set the session to expire in 15 minutes, time() + 900 it will expire in 15 minutes from when the cookie is set - it will not update the expiry time. So what I was doing, inside the private constructor of my Session object (it's a Singleton), was:

if($this->cookie_lifetime != 0) {
if(is_null($bUseHTTPCookie)) { setcookie($this->getName(), $this->getID(), (time() + $this->cookie_lifetime), $this->cookie_path, $this->cookie_domain, $this->use_ssl_cookie_only); }
else { setcookie($this->getName(), $this->getID(), (time() + $this->cookie_lifetime), $this->cookie_path, $this->cookie_domain, $this->use_ssl_cookie_only, $this->use_http_cookie_only); }
}


Which is supposed to update the session cookie to extend the time by 15 minutes whenever the page is refreshed; and it was working fine locally and accessing the dev server from home but was not working from my machine at work (it might work one time in about 50).

I suspect it's a latency issue; that somehow on my creaky machine in my creaky office the time taken for session_set_cookie_params() to actually write the cookie may have been long enough for the script to hit the setcookie() that's supposed to update that cookie ... and bad things happened.

I noticed, in Fiddler, that when one page took a long time to load the session cookie wasn't set, which implies that setcookie() was running before the session id was in place and therefore setting an empty string as the value of the cookie... which will, of course, delete the cookie.

Now I've commented out the setcookie() function(s) it seems to be working from the office!

Yes, no need to tell me, I'm an idiot - thank you :)

Vote Up Vote Down

@YK1175434

You are looking under the wrong assumption. When changing from http to https, its treated as a new domain, new server, new everything, so cookies cannot be maintained between ssl and non-ssl connection, despite they are on the same server, same domain.

A solution for this change is using a query string redirect. For example:

You are on http:/www.domain.tld and have a session associated session cookie PHPSESSID=123

In the links for changing server you should add a query string like secure.domain.tld/?key=876 - suppose it is a md5 hash of cookie value.

When user clicks and reaches the https connection you should be able to identify this query string and load the correct session he was using on non-ssl navigation.

This should solve your problem.

Vote Up Vote Down

@Shakeerah822

I will suspect this is something to do with the cookie domain. Try creating a script with a call to the phpinfo() function, and inspect the value of the session.cookie_domain value on both the www and ssl vhosts?

Vote Up Vote Down