Create session on https with http ajax request

1

I'm developing a website where the client side initially uses http until the user logs in. The login is done from the http page itself, with an ajax request that calls the PHP script over https, and in this script a $_SESSION with the user data is created. When the login.php script returns ok, the JavaScript function redirects the page to the https address where the session was created; however, the index.php script does not find the session that was created. I ran several tests and can only succeed if $_SESSION is created in a direct request to https and not by ajax. I've set up CORS on the server and it's working perfectly. The JavaScript on the http page looks like this:

$.post("https://www.dominio.com/login.php", $(form).serialize(), function (data) {
    if ((data.code === PSYS.CONST.STT_OK) && (data.data.https_admin)) {
        window.location = data.data.https_admin;
    } // else: error message
}, 'json');

The login.php script basically does the following:

// read the user's data from the database and store it in the $result array
$result = getDataFromUser($user, $password);
if ($result['code']) {
   $_SESSION['Login'] = $result['data'];
}
return json_encode($result);

Then the JavaScript redirects the site to the link that does the following:

if (!session_id()):
    session_start();
endif;
if (!isset($_SESSION['Login'])):
    // if the session does not exist
    header("location: http://www.domini.com/index.php");
endif;

If, instead of making the ajax request to the server, the form's action points directly to https on submit, the session is created normally, but this produces an effect that I do not want on the site, partly because it is a site technology, and standardized behaviors will be widely used on the main site (http), and it is very important that it respects what is on http and what is on https. There is no database request on http; all access to the database is done on https. Thank you.

    
asked by anonymous 19.06.2016 / 16:58
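
An added example, not part of the original question or its answer: a small JavaScript model of how a browser applies the Fetch standard's credential and CORS rules to a cross-origin `$.post` like the one in the question. The function names, response header values and cookie value are constructed for illustration, and SameSite and third-party cookie policies are not modelled.

```javascript
// Constructed model of the browser rules for an XHR (added example, not the asker's code).
function evaluateXhr({ pageOrigin, targetUrl, withCredentials, responseHeaders }) {
  const targetOrigin = new URL(targetUrl).origin;
  // Same origin means scheme, host and port all match; http vs https differ.
  const sameOrigin = targetOrigin === pageOrigin;
  // Cookies are sent, and Set-Cookie is honoured, only for same-origin
  // requests or when the script opts in with withCredentials.
  const credentialsIncluded = sameOrigin || withCredentials === true;

  const headers = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers[name.toLowerCase()] = value; // header names are case-insensitive
  }

  let responseReadable = sameOrigin;
  if (!sameOrigin) {
    const allowOrigin = headers['access-control-allow-origin'];
    if (allowOrigin === undefined) {
      responseReadable = false;
    } else if (!credentialsIncluded) {
      responseReadable = allowOrigin === '*' || allowOrigin === pageOrigin;
    } else {
      // With credentials, "*" is rejected and Allow-Credentials must be "true".
      responseReadable = allowOrigin === pageOrigin &&
        headers['access-control-allow-credentials'] === 'true';
    }
  }
  const sessionCookieStored = credentialsIncluded && 'set-cookie' in headers;
  return { sameOrigin, sessionCookieStored, responseReadable };
}

// Constructed sample values matching the setup described in the question.
const PAGE = 'http://www.dominio.com';
const LOGIN = 'https://www.dominio.com/login.php';
const COOKIE = 'PHPSESSID=constructed-value; Secure; HttpOnly';

function scenarios() {
  const run = (withCredentials, cors) => evaluateXhr({
    pageOrigin: PAGE, targetUrl: LOGIN, withCredentials,
    responseHeaders: Object.assign({ 'Set-Cookie': COOKIE }, cors),
  });
  return {
    // Plain $.post: JSON is readable, but the session cookie is discarded.
    defaultPost: run(false, { 'Access-Control-Allow-Origin': '*' }),
    // xhrFields: { withCredentials: true } against a wildcard CORS policy.
    credentialsWildcard: run(true, { 'Access-Control-Allow-Origin': '*' }),
    // withCredentials plus an explicit origin and Allow-Credentials: true.
    credentialsExplicit: run(true, { 'Access-Control-Allow-Origin': PAGE,
                                     'Access-Control-Allow-Credentials': 'true' }),
  };
}
console.log(scenarios());
```

The `defaultPost` case reproduces the symptom described in the question: the login response can be read by the script, yet no session cookie is kept for the later request to the https page.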

1 answer

-2

Hi everyone, I found the answer to my problem at:

link

Thank you.

    
20.06.2016 / 14:24