11 January 2011

PHP-FPM & NGINX - losing sessions during HTTPS switch to HTTP

I had the first problem with a different domain (which will be transformed to a subdomain of alwayshere.net soon) hosted on the same VPS. I'm speaking about pictures4.net. The idea was to use the register and login functions via HTTPS, then redirect the user to HTTP and keep the session information.

I read a lot of pages about how to keep the session between pages, what the main issue between HTTP and HTTPS is, which options you should activate in the php.ini file... well, I have to say that lots of these internet pages just SUCK! The best discussion that I've found is this one.

Bottom line, in order to keep the session between HTTP and HTTPS you need to do nothing!

Still, if your sessions are getting lost after switching your connections, you should check the following (maybe more, but this is what I did):

- the user under which your web server runs should have the privileges to read the session files (this applies if you're using files to keep the session info and not a DB... I don't know why, I can't explain it... but this is the issue that I had. After I set the nginx user to the same user as PHP-FPM, sessions worked for me)
- session_start() should be at the beginning of each PHP page in order to keep the session between pages
- PHP should be able to read/write to the session.save_path defined in php.ini
- session.cookie_secure should be disabled (value = 0, default)
- check that suhosin.session.cryptdocroot is switched off
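
The checklist above can be checked from the configuration files themselves. The script below is an added example, not code from the original post: the function names, the sample user names and the temporary paths are assumptions, and the sample configuration is constructed so that the user, cookie and Suhosin checks each report a finding.

```shell
#!/bin/sh
# Added example: audit the checklist above from config files (paths are arguments).

# Last uncommented "KEY = value" in a php.ini or FPM pool file (quotes stripped).
ini_value() {  # usage: ini_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\";]*\).*/\1/p" "$1" |
        sed 's/[[:space:]]*$//' | tail -n 1
}

# First argument of nginx's "user" directive.
nginx_user() {  # usage: nginx_user NGINX_CONF
    sed -n 's/^[[:space:]]*user[[:space:]]\{1,\}\([^[:space:];]*\).*/\1/p' "$1" | tail -n 1
}

is_on() { case "$1" in 1|[Oo]n|[Tt]rue|[Yy]es) return 0 ;; *) return 1 ;; esac; }

# Prints one line per finding; returns 1 if anything was found.
check_sessions() {  # usage: check_sessions NGINX_CONF FPM_POOL_CONF PHP_INI
    rc=0
    web=$(nginx_user "$1"); fpm=$(ini_value "$2" user)
    if [ "$web" != "$fpm" ]; then
        echo "USER: nginx runs as '$web' but the PHP-FPM pool runs as '$fpm'"; rc=1
    fi
    dir=$(ini_value "$3" session.save_path)
    # -w tests the invoking user, so run this as the PHP-FPM user for a real check.
    if [ -z "$dir" ] || [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo "PATH: session.save_path '$dir' is unset, missing or not writable"; rc=1
    fi
    if is_on "$(ini_value "$3" session.cookie_secure)"; then
        echo "COOKIE: session.cookie_secure is on, cookie is not sent over HTTP"; rc=1
    fi
    # Only an explicit setting is flagged; whether Suhosin is loaded is not checked.
    if is_on "$(ini_value "$3" suhosin.session.cryptdocroot)"; then
        echo "SUHOSIN: suhosin.session.cryptdocroot is on"; rc=1
    fi
    return $rc
}

# Constructed sample configuration (not from the post), written to a temp dir.
demo_dir=$(mktemp -d) && mkdir "$demo_dir/sessions"
printf 'user nginx;\nworker_processes 1;\n' > "$demo_dir/nginx.conf"
printf '[www]\nuser = www-data\ngroup = www-data\n' > "$demo_dir/pool.conf"
printf 'session.save_path = "%s/sessions"\nsession.cookie_secure = 1\n' "$demo_dir" > "$demo_dir/php.ini"
printf 'suhosin.session.cryptdocroot = On\n' >> "$demo_dir/php.ini"
check_sessions "$demo_dir/nginx.conf" "$demo_dir/pool.conf" "$demo_dir/php.ini" || true
```

To use it on a real host, call `check_sessions` with the actual nginx.conf, PHP-FPM pool file and php.ini paths, running as the PHP-FPM user.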

