I decided to invest a few hours in trying to secure my site with SSL. Got the server running alright but have hit a wall with my PHP $_SESSION. I understand the issue of passing session ids between HTTP and HTTPS, but that's not happening here (I think). The convoluted session sequence goes something like this:
login.html:
<form action="https://www.mydomain.com/login.php">
login.php:
if login details correct {
session_set_cookie_params(3600,'/','mydomain.com',true);
session_start();
$_SESSION['...
session_commit();
At this point, login.js (which manages the dialog AJAX-style) will redirect to http://www.mydomain.com/desktop.html. The JS code backing the HTML then fires
$.ajax({ url: "https://www.mydomain.com/lib/mySQL/mySQL.php", ... });
mySQL.php:
if (!isset($_COOKIE['PHPSESSID'])) {
throw wobbly
Before I switched to HTTPS, this sequence was working just fine across all browsers; with HTTPS it throws a wobbly across all browsers :( I can confirm (from looking at the Cookie data) that Firefox records a cookie like so:
mydomain.com
Name: PHPSESSID
Content: gobbledygook
Domain: .mydomain.com
Path: /
Send For: Encrypted connections only.
Expires: in 1hr.
Everything appears as per the book. Do you have any suggestions as to what's going on?
Thanks.
PS: I did not use session_set_cookie_params before I stumbled upon a post on SO in researching this problem, suggesting that I should. That is, before I set secure=true Firefox would "Send For" any connections, and that did not work either.
EDIT: I observe another detail. I expect that on the Net panel in Firebug my AJAX requests show up as "POST https://www.mydomain.com/lib/mySQL/mySQL.php" and I will be able to select the POST rider and see what went across. I don't get this for the failed request. Weirdly, Firebug displays "OPTIONS https://www.mydomain.com/lib/mySQL/mySQL.php" in red and no POST rider.
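Added example, not part of the original post: a simplified JavaScript model of the browser's decisions for the request sequence described above. It shows that the http:// page and the https:// endpoint are different origins, when a cross-origin request is preceded by an OPTIONS preflight, and when the PHPSESSID cookie is attached. The name `analyzeRequest`, the `application/json` content type and the `withCredentials` setting are assumptions (the post elides its `$.ajax` options), and SameSite handling is not modelled.

```javascript
// Added example: models browser decisions for an XHR; not code from the post.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Cookie Domain attribute match: ".mydomain.com" covers the host and its subdomains.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

function analyzeRequest(pageUrl, req, cookie) {
  const page = new URL(pageUrl);
  const target = new URL(req.url);
  // URL.origin is scheme + host + port, so http:// and https:// never match.
  const crossOrigin = page.origin !== target.origin;

  const headers = Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]);
  const contentType = (headers.find(([k]) => k === "content-type") || [])[1];
  const mime = contentType ? contentType.split(";")[0].trim().toLowerCase() : null;
  // A cross-origin request is preflighted (OPTIONS) unless it is a "simple" request.
  const preflight = crossOrigin && (
    !SAFE_METHODS.has(req.method.toUpperCase()) ||
    headers.some(([k]) => !SAFE_HEADERS.has(k)) ||
    (mime !== null && !SAFE_CONTENT_TYPES.has(mime))
  );

  // Cookie eligibility for the target URL (Domain, simplified Path prefix, Secure).
  const eligible = domainMatches(target.hostname, cookie.domain) &&
    target.pathname.startsWith(cookie.path) &&
    (!cookie.secure || target.protocol === "https:");
  // Cross-origin XHR carries cookies only when withCredentials is set.
  const cookieSent = eligible && (!crossOrigin || req.withCredentials === true);

  return { crossOrigin, preflight, cookieSent };
}

// Constructed sample built from the cookie and URLs shown in the post.
const COOKIE = { domain: ".mydomain.com", path: "/", secure: true };
const API = "https://www.mydomain.com/lib/mySQL/mySQL.php";
console.log(analyzeRequest("http://www.mydomain.com/desktop.html",
  { url: API, method: "POST", headers: { "Content-Type": "application/json" } }, COOKIE));
```

For a credentialed cross-origin request the server must also answer with `Access-Control-Allow-Credentials: true` and an explicit `Access-Control-Allow-Origin` value before the browser exposes the response to the script.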