Hello, I have been trying to implement HTTPS/SSL into my site.
My web host does provide a free shared SSL for me to use.
The problem I am having is that since it is a free shared SSL service, the secured page will not be under my URL (actually, it will be https://secured.hostmonster.com), which means the cookies for my site will not carry over or carry back when I redirect back.
How do I keep the cookie between HTTP and HTTPS? Is there a quick way to do it with a cookie setting or something?
Cookies can’t be shared between domains, so the http and https pages would need to be on the same domain as a minimum (which would mean having your own dedicated IP address and security certificate for your domain). Even then I am still not sure if sharing between http and https would be allowed, but at least then you can just move the http pages to https to get around it.
The setcookie function does have a secure argument, which if true means the browser will only send the cookie to the server when viewing an SSL page. It defaults to false though, so by default cookies will be sent on all page requests.
The key is what felgall said though, the cookie won’t be sent to both your domain and the secured.hostmonster domain. You’ll need to do everything on one or the other if you want cookies.
Oh ok, so cookies will not work on both my site and secured.hostmonster.
How about if I get a private SSL certificate? If both my site and the secure site are on the same domain but differ by http:// and https://, will the cookies still be shared?
Yep, http and https are protocols, the domain is the same.
Be aware that if you don’t program your site correctly you could negate the benefits of SSL. If you move to http pages and a cookie that has a password or session ID is sent, that could be hijacked, which is no different than if the user’s session was http the whole time.
Once a user is logged in, you should serve all the pages over https to avoid this.
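Added example, not part of any post in this thread: one way to apply the advice above in PHP, by forcing every page onto HTTPS and marking the session cookie with the secure argument so it is never sent over plain HTTP. It assumes PHP 7.3 or later, a certificate on your own domain, and TLS terminated by the PHP server itself; `is_https()`, `require_https()`, the cookie names and `www.example.com` are hypothetical placeholders.

```php
<?php
// Added example (not from the thread). Assumes PHP 7.3+ and that the site
// has its own certificate, so HTTP and HTTPS pages share one hostname.

// Hypothetical helper: true when the current request arrived over TLS.
// Assumption: TLS ends at this server (no proxy in front), so HTTPS is set.
function is_https(): bool
{
    return !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
}

// Hypothetical helper: send plain-HTTP requests to the same path over HTTPS.
function require_https(): void
{
    if (is_https()) {
        return;
    }
    // Fixed hostname instead of the client-supplied Host header.
    $host = 'www.example.com'; // placeholder: your own domain
    header('Location: https://' . $host . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

require_https();

// Session cookie: 'secure' keeps it off plain-HTTP requests,
// 'httponly' keeps it out of reach of page scripts.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Any other cookie tied to the logged-in user gets the same flags.
setcookie('remember_ui', 'compact', [
    'expires'  => time() + 86400,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// A non-sensitive cookie that may also travel over HTTP keeps the
// default ('secure' => false) and is sent on both protocols.
setcookie('lang', 'en', ['expires' => time() + 86400, 'path' => '/']);
```

Neither cookie reaches a different hostname such as the shared SSL host; the secure flag only controls HTTP versus HTTPS on the domain that set the cookie.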