Login PHP session after switch to SSL

I decided to invest a few hours in trying to secure my site with SSL. Got the server running alright but have hit a wall with my PHP $_SESSION. I understand the issue of passing session ids between HTTP and HTTPS, but that's not happening here (I think). The convoluted session sequence goes something like this:

login.html:

<form action="https://www.mydomain.com/login.php">

login.php:

if ($loginDetailsCorrect) {   // pseudocode in the original: "if login details correct"
   session_set_cookie_params(3600, '/', 'mydomain.com', true);   // last arg: secure=true, cookie sent over HTTPS only
   session_start();
   $_SESSION['...
   session_commit();   // was "session_commmit" (typo)
}

At this point, login.js (which manages the dialog AJAX-style) will redirect to http://www.mydomain.com/desktop.html. The JS code backing the HTML then fires

$.ajax({ url: "https://www.mydomain.com/lib/mySQL/mySQL.php", ... });

mySQL.php:

if (!isset($_COOKIE['PHPSESSID'])) {
   throw new Exception('wobbly');   // original pseudocode: "throw wobbly"
}

Before I switched to HTTPS, this sequence was working just fine across all browsers; with HTTPS it throws a wobbly across all browsers :( I can confirm (from looking at the Cookie data) that Firefox records a cookie like so:

mydomain.com
Name: PHPSESSID
Content: gobbledygook
Domain: .mydomain.com
Path: /
Send For: Encrypted connections only.
Expires:  in 1hr.

Everything appears as per the book. Do you have any suggestions as to what's going on?

Thanks.

PS: I did not use session_set_cookie_params before I stumbled upon a post on SO in researching this problem, suggesting that I should. That is, before I set secure=true Firefox would "Send For" any connections, and that did not work either.

EDIT: I observe another detail. I expect that on the Net panel in Firebug my AJAX requests show up as "POST https://www.mydomain.com/lib/mySQL/mySQL.php" and I will be able to select the POST rider and see what went across. I don't get this for the failed request. Weirdly, Firebug displays "OPTIONS https://www.mydomain.com/lib/mySQL/mySQL.php" in red and no POST rider.


That OPTIONS request is sent as a check whether Cross Site HTTP Requests are allowed.

https and http are distinct sites, and are subject to the Same Origin Policy. The link above explains everything.

And another article about cross-site XMLHTTPRequest (Google cache)


Ok, Lekensteyn has steered me in the right direction, although his references are more fatalistic - from a client-side programmer's perspective - than need be: in the AJAX world the answer to this particular conundrum goes by the acronym of JSONP. And should you find yourself in the same pickle, then here is the trivial jQuery solution:

In your $.ajax call:-

(1)  Set "dataType" to "jsonp"
(2)  Set "type" to "GET".  (The rest of my app is defaulted to POST.  The jQuery code  suggests that POST is supported.  But when I try POST, I get another "Permission denied" from Firefox' OPTIONS header.)
(3)  Where my PHP script would formerly reply

        echo json_encode($data);

     it must now go

        echo $_REQUEST['callback'].'('.json_encode($data).')';

     which effectively formats a function call with $data being the one and only parameter to the function.
(4)  Set "url" to "https://www.mydomain.com/lib/mySQL/mySQL.php"

Works a treat. The GET format's a bit ugly but hey-hoh. I have left my PHPSESSID cookie at "secure=true" so it should only travel across encrypted hand-shakes.

PS: Apols for the awful formatting. One day I am sure to figure out how to format my posts better on this forum.
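Following the JSONP approach in the self-answer, here is an added example (not the poster's code) of a PHP endpoint that validates the `callback` name before echoing it, instead of reflecting `$_REQUEST['callback']` unfiltered, and that checks the secure session cookie the way mySQL.php does. The `$_SESSION['user']` key and the response payload are assumptions.

```php
<?php
// Added example, not the poster's code: a JSONP endpoint in the shape the
// self-answer describes, with the callback name validated before it is echoed.
declare(strict_types=1);

// Accept only callback names shaped like a JavaScript identifier, optionally
// dotted (e.g. "jQuery17101234.cb", the form jQuery generates). Anything else
// is rejected so the reflected value cannot carry markup or extra script.
function is_valid_jsonp_callback(string $name): bool
{
    return strlen($name) <= 128
        && preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$/', $name) === 1;
}

// Build the JSONP body, callback(<json>);, as in the self-answer's echo line.
function jsonp_body(string $callback, array $data): string
{
    return $callback . '(' . json_encode($data, JSON_THROW_ON_ERROR) . ');';
}

// Same cookie parameters as login.php: secure=true keeps PHPSESSID on HTTPS only.
session_set_cookie_params(3600, '/', 'mydomain.com', true);
session_start();

// Equivalent of the "throw wobbly" check: no session cookie, or a session with
// no logged-in user (the 'user' key is assumed), gets a 401 instead of data.
if (!isset($_COOKIE['PHPSESSID']) || empty($_SESSION['user'])) {
    http_response_code(401);
    exit;
}

// JSONP is GET only (item 2 of the self-answer), so read the callback from $_GET.
$callback = $_GET['callback'] ?? '';
if (!is_valid_jsonp_callback($callback)) {
    http_response_code(400);
    exit;
}

// Serve as script, and tell browsers not to sniff it as HTML.
header('Content-Type: application/javascript; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo jsonp_body($callback, ['ok' => true, 'user' => $_SESSION['user']]);
```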
