Posted by Erwin Moller on 11/03/06 10:40

Tom wrote:

> I have a function that restricts access to a page to logged in users.
> When a user who isn't logged in goes to the page, it will dynamically
> generate a login form.
>
> I'm trying to use it in conjunction with the free shared SSL
> certificate offered by my host. To use SSL, you would change a URL
> like this
>
> http://mydomain.com/page.php
>
> to
>
> https://ssl.myhost.com/mydomain.com/page.php
>
> My problem: when my script dynamically generates the login form, it
> uses the $_SERVER['PHP_SELF'] value in the action field. But this ends
> up being '/page.php' rather than '/mydomain.com/page.php' so my form
> gets submitted to
>
> https://ssl.myhost.com/page.php
>
> instead of
>
> https://ssl.myhost.com/mydomain.com/page.php
>
> Simple I thought, I'll just use the SERVER or ENV variable that gives
> me the full url. My problem: it doesn't seem to exist!
>
> Anyone have any suggestions? Anyone else confront and solve this
> issue?
>
> Thanks,
> Tom

Hi Tom,

Why not hardcode the url instead of using PHP_SELF?

Also, pay attention to possible sessionloss.
The cookie that contains the PHPSESSID will only be send to the domain that
set it. (Possibly it will also not be send by change of protocol
http->https, I am not sure about that)

So if you create a session in www.myhost.com, it is NOT accessable by
ssl.myhost.com.

Regards,
Erwin Moller

[Back to original message]