Larry Ullman's Book Forums

Session Config With Https Pages


Jonathon

Hi Larry,

 

I have some pages that are served over HTTPS. Would I need to alter my config settings for sessions at all, would you think?

 

I thought of doing this? But I wasn't actually sure.

'session' => array(
    'cookieParams' => array(
        // browser returns the session cookie over HTTPS only
        'secure' => true,
    ),
),

On a related note, I saw this post http://stackoverflow.com/questions/441496/session-lost-when-switching-from-http-to-https-in-php and I believe that it might be the reason some of my flash messages don't work when I'm switching between HTTPS and HTTP pages. What would you advise in order to stop this? Do I need to set the sessionName explicitly in the config file?

 

 

Jonathon


I don't think you need to change your configuration at all, because I believe a cookie sent over HTTP is also sent over HTTPS, assuming the domain is unchanged and the secure flag is not set. But as you can see in that thread, there's a lot of confusion and debate over what works and what doesn't.

 

What's most reliable is to use SSL exclusively for all pages that make use of session data. This is becoming more and more common.


I was thinking about this, maybe I should just go for all SSL pages. My flash messages worked fine before I put a couple of HTTPS pages in. I'm also having the issue with urlReferrer from HTTPS to HTTP, in the fact that it returns NULL if accessed from an HTTPS page. I have had a look about to see why I might be losing the data from urlReferrer or the flash messages. But I couldn't work it out.


Ok thanks Larry. I might look at going down this route. I know that it used to have a fairly large performance hindrance. But now, I see many sites using it exclusively. I'm guessing that you wouldn't have any idea off the top of your head as to why I am losing my urlReferrer and Flash messages when an HTTPS page redirects to an HTTP one. I can work around this either way so it's no trouble. But out of interest.


I'm not positive, Jonathon, but I imagine the values are stored in a session (urlReferrer and Flash) associated with a cookie that's not maintaining from HTTP to HTTPS and vice versa. Are you maintaining the same domains and paths when going from HTTP to HTTPS, only changing the protocol?


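The browser behaviour this thread turns on, as an added example that is not from any of the posters and is not Yii code: a cookie carrying the Secure attribute is only returned on HTTPS requests, and browsers omit the Referer header (which Yii's urlReferrer reads) when navigating from HTTPS to HTTP. The function names, the example.com URLs and the session id are constructed for illustration.

```php
<?php
// Added example: a model of browser behaviour, not Yii code. Function names,
// URLs and the session id are constructed for illustration.

// True if a browser would attach $cookie to a request for $url.
// Only host and the Secure attribute are modelled; path is ignored.
function browserSendsCookie(array $cookie, string $url): bool
{
    $parts = parse_url($url);
    if (strcasecmp($parts['host'], $cookie['domain']) !== 0) {
        return false;
    }
    // A cookie marked Secure is never returned over plain HTTP.
    return !$cookie['secure'] || strtolower($parts['scheme']) === 'https';
}

// True if the browser sends a Referer header when navigating $from -> $to.
// RFC 7231 section 5.5.2: no Referer on an HTTPS -> HTTP downgrade.
function browserSendsReferer(string $from, string $to): bool
{
    $fromScheme = strtolower(parse_url($from, PHP_URL_SCHEME));
    $toScheme = strtolower(parse_url($to, PHP_URL_SCHEME));
    return !($fromScheme === 'https' && $toScheme === 'http');
}

// Server side: the flash message lives in the session. Without the cookie
// the server starts a new, empty session and the flash is gone.
function readFlash(array $sessions, array $cookie, string $url): ?string
{
    if (!browserSendsCookie($cookie, $url)) {
        return null;
    }
    return $sessions[$cookie['value']]['flash'] ?? null;
}

$sessions = ['abc123' => ['flash' => 'Profile saved.']]; // constructed
$plain = ['value' => 'abc123', 'domain' => 'example.com', 'secure' => false];
$secure = ['value' => 'abc123', 'domain' => 'example.com', 'secure' => true];
$from = 'https://example.com/login';

foreach ([$plain, $secure] as $cookie) {
    foreach (['http', 'https'] as $scheme) {
        $to = $scheme . '://example.com/account';
        printf("secure=%d  %-5s  flash=%-15s referer=%s\n",
            $cookie['secure'], $scheme,
            readFlash($sessions, $cookie, $to) ?? '(lost)',
            browserSendsReferer($from, $to) ? 'sent' : 'omitted');
    }
}
```

Run with the PHP CLI; the only combination where both the flash message and the Referer survive with a Secure cookie is HTTPS to HTTPS.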