On an Ubuntu 12.04 / Apache2 / PHP5 server, the suhosin extension is installed (per the phpinfo page).
This is a dedicated server with the latest security updates through automatic updates.
I have created the following test script (test script without setting suhosin conf):
<?php
session_start();
$error = 0;
ob_implicit_flush(true);
// With ?is=set, relax the suhosin session/cookie encryption settings
// and log their previous values.
if (isset($_GET['is']) && $_GET['is'] == 'set') {
    session_set_cookie_params('3600', '/', '.theparentingplace.com', false, false);
    error_log("Old 'suhosin.session.encrypt': " . print_r(ini_set('suhosin.session.encrypt', 0), true));
    error_log("Old 'suhosin.session.cryptdocroot': " . print_r(ini_set('suhosin.session.cryptdocroot', 0), true));
    error_log("Old 'suhosin.cookie.cryptdocroot.': " . print_r(ini_set('suhosin.cookie.cryptdocroot', 0), true));
}
if (empty($_SERVER['HTTPS']) && !$error) {
    // First (HTTP) request: store a value, then redirect to the HTTPS copy of this script.
    $_SESSION['test'] = 'abc';
    header('Location: https://' . $_SERVER['SERVER_NAME'] . '/http_https_session_test.php');
} else {
    // Second (HTTPS) request: check whether the session value survived the switch.
    if (isset($_SESSION['test']) && $_SESSION['test'] == 'abc') {
        print "Success." . $_SESSION['test'];
    } else {
        print "Fail." . print_r(isset($_SESSION['test']) ? $_SESSION['test'] : null, 1);
    }
}
The error log shows:
[Sat Oct 26 20:00:23 2013] [error] [client 103.29.31.35] Old 'suhosin.session.encrypt':
[Sat Oct 26 20:00:23 2013] [error] [client 103.29.31.35] Old 'suhosin.session.cryptdocroot':
[Sat Oct 26 20:00:23 2013] [error] [client 103.29.31.35] Old 'suhosin.cookie.cryptdocroot.'
Other SO posts suggest checking the session.cookie_secure and session.http_only parameters. Both are off on this server. Further, I tried turning off specific suhosin settings, or turning off suhosin altogether with suhosin.simulation=On. I tried this both in php.ini
This script returns Fail. If the script is run with the is=set parameter, it fails to set the parameters (test script 2).
On another dedicated server the test script works fine, i.e. the https URL picks up the session variable; however, that server is Ubuntu 10.04.
Any idea what to do next?
I broke this myself recently when I merged the HTTP and HTTPS VirtualHost file into one and changed the apache server to MPM-ITK for security reasons.
In the merged VirtualHost file:
<VirtualHost 120.138.18.91:80>
ServerName www.theparentingplace.com
DocumentRoot /var/www/www.theparentingplace.com/joomla
CustomLog /var/log/apache2/www.theparentingplace.com-access.log combined
ErrorLog /var/log/apache2/www.theparentingplace.com-error.log
<IfModule mpm_itk_module>
AssignUserId www-theparentingplace www-theparentingplace
</IfModule>
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*=(ht)|(f)+(tp)+(://|s://)+.*(\?\?)+
RewriteRule .* http://gggooooooglleee.com/ [R,L]
<FilesMatch "images/\.(asp|php|php5|pl)$">
Deny from all
</FilesMatch>
</VirtualHost>
<VirtualHost 120.138.18.91:443>
ServerName www.theparentingplace.com
DocumentRoot /var/www/www.theparentingplace.com/joomla
CustomLog /var/log/apache2/www.theparentingplace.com-ssl-access.log combined
ErrorLog /var/log/apache2/www.theparentingplace.com-ssl-error.log
<IfModule mpm_itk_module>
AssignUserId www-theparentingplace www-theparentingplace
</IfModule>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/www.theparentingplace.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key
SSLCertificateChainFile /etc/apache2/ssl/www.theparentingplace.com.ca.crt
BrowserMatch ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*=(ht)|(f)+(tp)+(://|s://)+.*(\?\?)+
RewriteRule .* http://gggooooooglleee.com/ [R,L]
<FilesMatch "images/\.(asp|php|php5|pl)$">
Deny from all
</FilesMatch>
</VirtualHost>
I had forgotten to add the
<IfModule mpm_itk_module>
AssignUserId www-theparentingplace www-theparentingplace
</IfModule>
block to the secure site section, hence the https site was not able to read the session files.
Thanks to Brian North, who got me onto the idea of checking whether I can force the session_id for https (I was not able to with the wrong configuration).
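One way to catch this kind of MPM-ITK misconfiguration before it breaks session sharing, as an added example that is not the asker's code: a small POSIX shell/awk audit that lists every <VirtualHost> in a config file with its AssignUserId and fails when one is missing or when the :80 and :443 vhosts of the same ServerName are assigned different users. The sample config is constructed here and uses example addresses and names.

```shell
#!/bin/sh
# Audit an Apache vhost file for MPM-ITK AssignUserId gaps (constructed example).
# Usage: check_itk_users /etc/apache2/sites-enabled/example.conf

# Constructed sample: the :443 vhost is missing AssignUserId, like the page's bug.
sample_conf() {
cat <<'EOF'
<VirtualHost 192.0.2.10:80>
ServerName www.example.test
<IfModule mpm_itk_module>
AssignUserId www-example www-example
</IfModule>
</VirtualHost>
<VirtualHost 192.0.2.10:443>
ServerName www.example.test
SSLEngine on
</VirtualHost>
EOF
}

# Print one line per <VirtualHost>: "<addr:port> <ServerName> <user:group|MISSING>"
vhost_users() {
    awk '
        /^[[:space:]]*<VirtualHost[[:space:]]/ {
            addr = $2; sub(/>.*/, "", addr)
            name = "-"; user = "MISSING"
        }
        /^[[:space:]]*ServerName[[:space:]]/   { name = $2 }
        /^[[:space:]]*AssignUserId[[:space:]]/ { user = $2 ":" $3 }
        /^[[:space:]]*<\/VirtualHost>/         { print addr, name, user }
    ' "$1"
}

# Exit 1 (with a report) if any vhost lacks AssignUserId, or if two vhosts
# sharing a ServerName (the http/https pair) would run PHP as different users,
# which leaves one of them unable to read session files written by the other.
check_itk_users() {
    vhost_users "$1" | awk '
        BEGIN { bad = 0 }
        $3 == "MISSING" { print "no AssignUserId in <VirtualHost " $1 "> for " $2; bad = 1 }
        $3 != "MISSING" {
            if (($2 in seen) && seen[$2] != $3) {
                print "user mismatch for " $2 ": " seen[$2] " vs " $3; bad = 1
            }
            seen[$2] = $3
        }
        END { exit bad }
    '
}
```

Run it against the constructed sample with `sample_conf > /tmp/vhost.conf; check_itk_users /tmp/vhost.conf` to see the missing-directive report.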