Explanation of the problem
When the login form is submitted, the data is passed to a script on the secure (shared-SSL) server. That script sees a different session from the one used by the login page, because a session cookie is scoped to the hostname that set it: the browser does not send the plain-HTTP site's cookie to the secure host. A session variable you set there to record a successful login is therefore changed only in the secure server's session. When the user returns to the insecure (plain-HTTP) part of the site, the browser presents the original cookie and you are back in the original session, where nothing records the login.
To update the session variables so that the insecure session sees the result of the login, the insecure session's ID has to be passed to the script on the secure server.
In the login page you need the following PHP to record the session ID.
Then you need to pass this session ID to the PHP script handling the form on the secure server. Ask your hosting company for the URL of the shared-SSL server and substitute it in the code below. The snippet also checks which server is being accessed, so that the rest of the flow can be tested on a server that has no shared SSL certificate.
The next piece of PHP is located near the beginning of login.handler.php, which handles the form above. It again tests whether it is running on a test server without a shared SSL certificate, and then sets the current session ID to that of the insecure session before the session is started. This does not make the submission of the form details insecure: the credentials still travel over SSL, and adopting the ID only lets the handler read and write the insecure session's variables. Two caveats apply. Validate that the posted ID consists only of the characters PHP uses in session IDs before handing it to session_id(), since the value arrives from the client. And remember that the session itself is no better protected than the plain-HTTP pages whose cookie names it.
Variables based on $_SERVER['DOCUMENT_ROOT'] are set so that, when the script needs to include a file or send a redirect with header(), the correct location is used on whichever server is running it.
Once the script has determined if it is a successful login, the appropriate session variables can be set and we can then return to the insecure server using the
To tighten this method you can also check that the referrer is what you expect using $_SERVER['HTTP_REFERER']. This is not foolproof: the header is supplied by the client, so it can be forged or simply omitted (browsers and privacy tools often strip it on cross-site requests), but it cheaply rejects casual attempts to post to the handler from elsewhere. Because the handler has access to the insecure session, a one-time token stored in that session and echoed in the form is a stronger check than the referrer alone.
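The whole flow, as an added example written for this page and not the original article's code (the article's own snippets are not reproduced here). It is two files shown one after the other: login.php on the plain-HTTP host and login.handler.php on the shared-SSL host. The hostnames, file names and the sample user record are assumptions; the handler adds the session-ID validation and the session-stored token described above on top of the referrer check.

```php
<?php
// ===== login.php, served by the plain-HTTP host =====
// Added example, not the original article's code. Hostnames are assumptions:
// put the shared-SSL hostname your hosting company gives you in SECURE_HOST.
const SECURE_HOST = 'secure.hosting-company.example';
const SITE_HOST   = 'www.example.com';
const TEST_HOST   = 'localhost';   // lets the flow be tested without SSL

session_start();

// Record the insecure session's ID so the handler can adopt the same session.
$sid = session_id();

// A one-time token kept in this session; the handler can read it because it
// adopts this same session, so it binds the POST to the session more
// reliably than HTTP_REFERER does.
if (empty($_SESSION['login_token'])) {
    $_SESSION['login_token'] = bin2hex(random_bytes(32));
}

// Post to the same host on a test machine, otherwise to the shared-SSL host.
$action = ($_SERVER['HTTP_HOST'] === TEST_HOST)
    ? 'http://' . TEST_HOST . '/login.handler.php'
    : 'https://' . SECURE_HOST . '/login.handler.php';

$e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="<?= $e($action) ?>">
  <input type="hidden" name="sid"   value="<?= $e($sid) ?>">
  <input type="hidden" name="token" value="<?= $e($_SESSION['login_token']) ?>">
  <label>Username <input name="username" autocomplete="username"></label>
  <label>Password <input name="password" type="password" autocomplete="current-password"></label>
  <button>Log in</button>
</form>

<?php
// ===== login.handler.php, served by the shared-SSL host (or the test host) =====
const SITE_HOST = 'www.example.com';   // same assumed hostnames as login.php
const TEST_HOST = 'localhost';

// Adopt the insecure session BEFORE session_start(). Only accept an ID with
// the shape PHP generates; arbitrary client input must never reach session_id().
$posted = $_POST['sid'] ?? '';
if (!preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $posted)) {
    http_response_code(400);
    exit('Bad session id');
}
session_id($posted);
session_start();

// The article's referrer check: a weak heuristic, because the header is
// client-supplied and often absent. It only rejects requests that carry a
// Referer naming some other host.
$refHost = parse_url($_SERVER['HTTP_REFERER'] ?? '', PHP_URL_HOST);
if ($refHost !== null && $refHost !== false && !in_array($refHost, [SITE_HOST, TEST_HOST], true)) {
    http_response_code(403);
    exit('Unexpected referrer');
}

// The real binding: the token the form carried must match the one stored in
// the session we just adopted. If the ID was guessed, or strict mode handed
// us a fresh session instead, there is no token and this fails.
$expected = $_SESSION['login_token'] ?? '';
unset($_SESSION['login_token']);   // single use
if ($expected === '' || !hash_equals($expected, $_POST['token'] ?? '')) {
    session_write_close();
    http_response_code(403);
    exit('Bad token');
}

// Constructed user record for the example; a real handler reads the stored
// hash from its user store rather than hashing a literal on every request.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
$user  = $_POST['username'] ?? '';
$ok    = isset($users[$user]) && password_verify($_POST['password'] ?? '', $users[$user]);

if ($ok) {
    $_SESSION['logged_in'] = true;
    $_SESSION['user']      = $user;
}
session_write_close();   // flush the session before redirecting

// Back to the plain-HTTP host: the browser still holds that host's cookie,
// which names the session we have just updated.
$back = 'http://' . ($_SERVER['HTTP_HOST'] === TEST_HOST ? TEST_HOST : SITE_HOST);
header('Location: ' . $back . ($ok ? '/members.php' : '/login.php?failed=1'));
exit;
```

This only works when both hostnames are served by the same PHP installation with one shared session store (the usual shared-SSL arrangement, where the secure hostname maps onto the same account and session.save_path); if the secure host cannot see the insecure host's session files, session_start() creates a new, empty session and the token check above fails closed. Because the handler keeps whatever session ID the browser already had, call session_regenerate_id(true) on the first plain-HTTP page after login (members.php here) so that an ID known before authentication cannot be reused; the session still remains exposed on the plain-HTTP side, which is inherent to this design.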