Vincent Veyron wrote:
...
, of which only one is HTTPS, you could run it all in
one single Apache instance. It is no problem to run a single VirtualHost as an HTTPS host
on its own port 443, and other multiple HTTP VirtualHosts on port 80.
The problem is only when you want to run several HTTPS hosts.
This sounds like what I'm doing now? You do need two httpd processes,
one that listens on port 80, the other on port 443.
No, you don't. If in one Apache you say
Listen 80
Listen 443
it will listen on both ports.
And then you can say
NameVirtualHost *:80
<VirtualHost *:80>
ServerName A
..
</VirtualHost>
<VirtualHost *:80>
ServerName B
..
</VirtualHost>
...
NameVirtualHost *:443
<VirtualHost *:443>
ServerName C
..
</VirtualHost>
(but only once, for HTTPS; the reason for that is longer to explain).
...
Sorry, really analysing the code is a bit beyond my commitment. I am just trying to give
you ideas of what to look for.
And to discourage you from looking in the wrong direction, because the idea that 2 Apache
processes could be mixing their data sounds really far-fetched to me.
Maybe one thing you could do, since these are two servers with a separate configuration,
is at least to change the name of the cookie in one of them (for example, name it
"secure-session" in the secure server). That would make them 2 separate cookies, and
maybe avoid the confusion (or show the problem right away, by popping up a login page as
soon as they click the "bad" link).
Even supposing a bad link exists, the browser always sends the same cookie,
regardless of whether it's using http or https.
Yes, and that is what I mean. Whether users stray through the secure or non-secure site,
there is only ever one cookie. And if it is not marked secure, the browser will send that
same cookie, no matter which site the users link to. And the server receiving the cookie,
at least in the authentication part of the code, will not see the difference, and will let
them in as long as for the session referenced in the cookie, there is a valid record in
the database. So IF users would go from one server to the other, you would probably never
know, because they will not be stopped from doing that.
And that could certainly be a good reason why some users sometimes see demo data instead
of theirs.
I am not saying that it /is/ the problem. What I am saying is that if you had a different
cookie name for each site (which should be easy to do), then for sure the above could not
happen, and you could eliminate one area from your search.
Be humble. On one side, there is Apache code, which is extensively tested and running on
hundreds of thousands of sites. On the other side, there is your code, which runs on just
a few sites. If there is a problem somewhere, where is it most likely to be?
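The cookie behaviour described in the reply above, as an added illustration that is not part of the original thread: Python's stdlib http.cookiejar applies the same Secure-attribute rule a browser does, so it can show what each server would receive. The hostname, cookie names and session id are constructed sample values.

```python
"""Model of one session cookie shared by an HTTP and an HTTPS site on the same host.
Uses http.cookiejar, which only attaches a cookie marked Secure to https requests.
All hostnames, cookie names and session ids below are constructed examples."""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _FakeResponse:
    """Minimal object exposing the .info() method CookieJar.extract_cookies() calls."""

    def __init__(self, set_cookie: str):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def browser_after_login(login_url: str, set_cookie: str) -> CookieJar:
    """Simulate a browser storing the Set-Cookie header returned by the login page."""
    jar = CookieJar()
    jar.extract_cookies(_FakeResponse(set_cookie), Request(login_url))
    return jar


def cookies_sent_to(jar: CookieJar, url: str) -> dict:
    """Cookies (name -> value) the browser would attach to a request for `url`."""
    req = Request(url)
    jar.add_cookie_header(req)  # applies the Secure check against req.type
    header = req.get_header("Cookie", "")
    return dict(part.split("=", 1) for part in header.split("; ") if part)


def session_seen_by_server(jar: CookieJar, url: str, cookie_name: str):
    """Session id a server reading `cookie_name` would look up in its database."""
    return cookies_sent_to(jar, url).get(cookie_name)


if __name__ == "__main__":
    login = "https://app.example.com/login"
    # 1. Same name, no Secure flag: both sites receive the same session id.
    shared = browser_after_login(login, "session=sess-42; Path=/")
    print("http  sees:", session_seen_by_server(shared, "http://app.example.com/demo", "session"))
    # 2. Secure flag: the plain-HTTP site never receives the cookie at all.
    secure = browser_after_login(login, "session=sess-42; Path=/; Secure")
    print("http  sees:", cookies_sent_to(secure, "http://app.example.com/demo"))
    # 3. Distinct name as suggested: a server reading "session" finds nothing.
    named = browser_after_login(login, "secure-session=sess-42; Path=/; Secure")
    print("https sees:", session_seen_by_server(named, "https://app.example.com/a", "secure-session"))
```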