I’m developing a site where the client side initially accesses http until they log in. The login is done from http itself with an Ajax request that calls the PHP script in https, and in this script a $_SESSION is created with the user data. After login.php returns ok, the JavaScript function redirects the page to https where the session was created, but the index.php script does not find the session created. I have done several tests and I can only succeed if $_SESSION is created in a direct https request and not by Ajax. I set up the CORS on the server and it’s working perfectly.

The JavaScript on http is like this:
$.post("https://www.dominio.com/login.php", $(form).serialize(), function (data) {
    if ((data.code === PSYS.CONST.STT_OK) && (data.data.https_admin)) {
        window.location = data.data.https_admin;
    } // else error message
}, 'json');
The login.php script basically does the following:
// read the user's data from the database and store it in the $result array
$result = getDataFromUser($user, $password);
if ($result['code']) {
   $_SESSION['Login'] = $result['data'];
}
return json_encode($result);
Then the JavaScript redirects the site to https://www.dominio.com/index.php, which does the following:
if (!session_id()):
    session_start();
endif;
if (!isset($_SESSION['Login'])):
    // if the session does not exist
    header("location: http://www.domini.com/index.php");
    exit; // stop here so the rest of the protected page does not run
endif;
If, instead of making the Ajax request to the server, the form action goes directly to https on submit, the session is created normally, but this produces an effect that I do not want on the site, especially since it is a technology site and standardized behaviors will be widely used on the main site (http), and it is very important that it respects what is on http and what is on https. There is no database request at http; all database access is done at https. Thank you.
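An added example (not part of the original post): a simplified JavaScript model of how a browser treats the cross-origin XHR described above, showing how the login response can be readable while the session cookie is never stored. The response headers are constructed samples, and the server's CORS configuration (`*` in the first case) is an assumption, since the post does not show it.

```javascript
// Simplified model of the Fetch standard's handling of a cross-origin XHR.
// Assumptions: no preflight, no SameSite or third-party-cookie blocking.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

function evaluateCorsLogin({ pageOrigin, requestUrl, withCredentials, responseHeaders }) {
  const crossOrigin = new URL(requestUrl).origin !== pageOrigin;
  // Cookies are sent, and Set-Cookie is honoured, on same-origin requests,
  // or on cross-origin ones only when withCredentials is true.
  const credentialsIncluded = !crossOrigin || withCredentials;
  const setsCookie = header(responseHeaders, 'Set-Cookie') !== null;
  const cookieStored = credentialsIncluded && setsCookie;

  // CORS check: decides only whether the calling script may read the response.
  let readable = true;
  let reason = 'same-origin request';
  if (crossOrigin) {
    const allowOrigin = header(responseHeaders, 'Access-Control-Allow-Origin');
    const allowCreds = header(responseHeaders, 'Access-Control-Allow-Credentials');
    if (allowOrigin === null) {
      readable = false; reason = 'no Access-Control-Allow-Origin';
    } else if (!withCredentials) {
      readable = allowOrigin === '*' || allowOrigin === pageOrigin;
      reason = readable ? 'allowed without credentials' : 'origin mismatch';
    } else if (allowOrigin !== pageOrigin) {
      readable = false; reason = 'credentialed request needs the exact origin, not *';
    } else if (allowCreds !== 'true') {
      readable = false; reason = 'missing Access-Control-Allow-Credentials: true';
    } else {
      reason = 'allowed with credentials';
    }
  }
  return { cookieStored, readable, reason };
}

// Constructed sample: the HTTP page calling the HTTPS login endpoint.
const base = { pageOrigin: 'http://www.dominio.com', requestUrl: 'https://www.dominio.com/login.php' };
const setCookie = 'PHPSESSID=constructed-sample; path=/; Secure; HttpOnly';
const asPosted = evaluateCorsLogin({ ...base, withCredentials: false,
  responseHeaders: { 'Access-Control-Allow-Origin': '*', 'Set-Cookie': setCookie } });
const corrected = evaluateCorsLogin({ ...base, withCredentials: true,
  responseHeaders: { 'Access-Control-Allow-Origin': base.pageOrigin,
                     'Access-Control-Allow-Credentials': 'true', 'Set-Cookie': setCookie } });
console.log(asPosted, corrected);
```

In jQuery the credentialed variant is requested with `xhrFields: { withCredentials: true }` in the `$.ajax` settings.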