Switch between HTTP and HTTPS loses PHP session
Thursday, 08 April 2010
One weird problem popped up with our own Yireo website: we had already created a simple, free SSL Redirect plugin, which lets you define which Joomla! pages need to be accessed through HTTPS and which do not. But suddenly user sessions were dropped when switching from HTTP to HTTPS and vice versa. Damn, it was Suhosin.
SSL Redirect Plugin
Our SSL Redirect Plugin allows you to configure which pages should be served over HTTPS (by choosing the right Joomla! Menu-Items). The plugin then automatically redirects to HTTPS when it is needed, but also back to HTTP when HTTPS is not needed. Very simple functionality, but much needed.
Using HTTPS is mandatory if you're selling products or dealing with sensitive information. But if your Joomla! pages are also filled with little widgets from Google or Twitter, these are served over HTTP only, and your visitors will be confronted with a Mixed Content warning. The SSL Redirect plugin gives you a bit more flexibility to solve this problem.
Whoops, losing my session
Now, in a normal environment switching from HTTP to HTTPS should be harmless, as long as the hostname does not change. So if you go from http://www.example.com/ to https://www.example.com/, all cookies should keep working. But if you change the host from http://www.example.com/ to https://secure.example.com/, the browser by default prevents the same cookie from being reused, unless the cookie domain is explicitly set to a domain that covers both hosts.
Anyway, if you don't switch the domain name then all cookies stay valid, so if you're logged in through HTTP, your session will still be valid for HTTPS, and vice versa. I started shouting out loud when this didn't work. Of course I started blaming our SSL Redirect plugin first, but after a while I discovered that we had a major server-related problem: when switching from SSL to non-SSL (or back), the cookies became invalid, with a lot of strange problems as a result.
Blame it on Suhosin
Now our PHP servers are patched with Suhosin, which offers both a patch and a module to make PHP environments more secure. I really recommend that everyone use Suhosin, but it's also a very good idea, once you start using Suhosin, to take the time to read through the Suhosin manual.
On our server we configured the following setting:
suhosin.session.encrypt = On
But somehow this encrypts the session so that it can only be opened under the same circumstances, which basically means from the same URL. When switching to SSL (or back) the URL changes, so the session gets locked. The only way we found to solve this was to disable the feature (which is actually the default Suhosin setting):
suhosin.session.encrypt = Off
Glad to know that our problem was not with the SSL Redirect plugin, but just with our eagerness to tighten security a bit too much.
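Why an encrypted session opens on one vhost but not the other, as an added Python model (not Suhosin's own code and not part of the original post): Suhosin derives its session key from suhosin.session.cryptkey mixed, by default, with the document root (suhosin.session.cryptdocroot) and the User-Agent (suhosin.session.cryptua), so when the HTTP and HTTPS virtual hosts use different DOCUMENT_ROOT values the HTTPS side derives a different key and the checksum check fails. The cipher here is a hash-based stand-in, the paths, secret and session payload are constructed samples, and that differing document roots were the cause on the Yireo server is an assumption.

```python
import hashlib
import hmac
import os

def derive_session_key(cryptkey, docroot, user_agent, cryptdocroot=True, cryptua=True):
    # Model of Suhosin's key derivation: suhosin.session.cryptkey, mixed with
    # DOCUMENT_ROOT when suhosin.session.cryptdocroot is On and with the
    # User-Agent when suhosin.session.cryptua is On (both are On by default).
    material = cryptkey.encode()
    if cryptdocroot:
        material += b"|" + docroot.encode()
    if cryptua:
        material += b"|" + user_agent.encode()
    return hashlib.sha256(material).digest()

def _keystream(key, nonce, length):
    # Hash-based counter-mode keystream; a stand-in for Suhosin's real cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal_session(key, plaintext):
    # Encrypt the serialized session and append an HMAC tag, so a wrong key
    # is detected as a checksum failure instead of yielding garbage.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_session(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # Suhosin drops the session here: the user is logged out
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def session_survives_switch(http_docroot, https_docroot, cryptdocroot=True):
    # Seal a session under the HTTP vhost's key, then open it under the HTTPS
    # vhost's key; the browser sends the same cookie and User-Agent to both.
    ua = "Mozilla/5.0 (constructed sample)"
    session = b"joomla_user|i:42;"  # constructed sample session payload
    key_http = derive_session_key("site-secret", http_docroot, ua, cryptdocroot)
    key_https = derive_session_key("site-secret", https_docroot, ua, cryptdocroot)
    return open_session(key_https, seal_session(key_http, session)) == session
```

If the document root is indeed what differs, setting suhosin.session.cryptdocroot = Off (the cryptdocroot=False case) keeps the session encrypted while both vhosts can still open it, a narrower change than switching encryption off entirely.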
