php sessions empty using ssl?

Posted 2019-06-11 02:43

Question:

Let's say I have a page called

https://url.com/test and https://url.com/test2

class Test extends Application {
    # put global things here
    function __construct() {
        $this->library ( 'sessions' );
        $this->helper ( 'active' );
    }

    function test() {
        $this->sessions->set('login',1);
        echo session_id().'<br/>';
        echo $this->sessions->get('login');
    }
    function test2(){
        if (is_get('d')) {
            $this->sessions->del('login');
        }
        echo session_id().'<br/>';
        echo $this->sessions->get('login');
    }
}

When I use http://url.com/test and http://url.com/test2

it gives me something like

page1

326o42a9pblv48c9kb5va1mgorsf35gr39gu0tg8a6umr0rcdrgmasmmtbqvqm0dqa086bn3od07mpc11b65so62c1atrr3cgemaha1
1

page2

326o42a9pblv48c9kb5va1mgorsf35gr39gu0tg8a6umr0rcdrgmasmmtbqvqm0dqa086bn3od07mpc11b65so62c1atrr3cgemaha1
1

But when on https

page1

326o42a9pblv48c9kb5va1mgorsf35gr39gu0tg8a6umr0rcdrgmasmmtbqvqm0dqa086bn3od07mpc11b65so62c1atrr3cgemaha1
1

page2

326o42a9pblv48c9kb5va1mgorsf35gr39gu0tg8a6umr0rcdrgmasmmtbqvqm0dqa086bn3od07mpc11b65so62c1atrr3cgemaha1

The 1 is gone. The problem is I want to share a session from page test to page test2.

Edit: here is my sessions class

class Sessions {
    private $config;
    public function set($key, $value) {
        if (isset ( $_SESSION [$key] )) {
            return false;
        }

        if (! isset ( $_SESSION [$key] )) {
            $_SESSION [$key] = $value;
            return true;
        }
    }

    public function get($key) {
        if (! isset ( $_SESSION [$key] )) {
            return false;
        }

        if (isset ( $_SESSION [$key] )) {
            return $_SESSION [$key];
        }
    }

    public function del($key) {
        if (! isset ( $_SESSION [$key] )) {
            return false;
        }
        if (isset ( $_SESSION [$key] )) {
            unset ( $_SESSION [$key] );
            return true;
        }
    }

    public function flush() {
        // do we still need this?
        $_SESSION = array ();
        session_destroy ();
        $this->refresh ();
    }

    public function refresh() {
        session_regenerate_id ( true );
    }

    function __construct() {
        $this->config = config ( 'sessions' );

        # doing some importing things
        ini_set ( 'session.cookie_httponly', $this->config ['cookie_httponly'] );
        ini_set ( 'session.gc_probability', $this->config ['gc_probability'] );
        ini_set ( 'session.gc_divisor', $this->config ['gc_divisor'] );
        ini_set ( 'session.hash_function', $this->config ['hash_function'] );
        ini_set ( 'session.gc_maxlifetime', $this->config ['gc_maxlifetime'] );

        # start the engine
        session_start ();
    }
}

The config

$config['sessions'] = array(
        'gc_probability' => '0',
        'gc_divisor' => '100',
        # 'cookie_domain' => 'www.networks.co.id',
        # http://us2.php.net/manual/en/session.configuration.php
        'cookie_httponly' => FALSE,
        # SHA512
        'hash_function' => 'SHA512',
        'gc_maxlifetime' => '1800'
);

Thanks for looking in

Adam Ramadhan

Answer 1:

I have a feeling you might be using PHP with the Suhosin patch, isn't that the case?

If so, check this flag in your settings:

suhosin.session.cryptdocroot = On.

This basically tells the server that the session key depends on the document root, which gets changed when you switch from http to https.

Edit: You should have this set to Off in your php.ini, or, in case of using multiple ini files, like in Debian, there is probably a file like suhosin.ini in the conf.d subdirectory, where php.ini resides. Not sure whether it's possible to change this setting through ini_set().

On an unrelated note, are you sure that you want to set gc_probability to 0? That effectively disables session garbage collection.
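
To test the answer's theory on a given server, the following diagnostic (an added example, not code from the question or the answer) reports whether Suhosin is loaded, whether its session encryption is bound to the document root, and whether that directive can be changed with ini_set(). The function names `ini_flag` and `session_env_report` are hypothetical; `suhosin.session.encrypt` is Suhosin's session-encryption switch, which `cryptdocroot` only affects when it is enabled.

```php
<?php
// Added diagnostic, not from the original post. Request it once over http and
// once over https on the same host, then compare the two reports.

function ini_flag($name) {
    // ini_get() returns false for an unknown directive, otherwise a string.
    $v = ini_get($name);
    if ($v === false) {
        return null; // directive not registered (e.g. Suhosin not loaded)
    }
    return in_array(strtolower((string) $v), array('1', 'on', 'yes', 'true'), true);
}

function session_env_report(array $server) {
    $https = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $report = array(
        'scheme'           => $https ? 'https' : 'http',
        'document_root'    => isset($server['DOCUMENT_ROOT']) ? $server['DOCUMENT_ROOT'] : null,
        'suhosin_loaded'   => extension_loaded('suhosin'),
        'encrypt'          => ini_flag('suhosin.session.encrypt'),
        'cryptdocroot'     => ini_flag('suhosin.session.cryptdocroot'),
        'runtime_settable' => null,
        'cookie_secure'    => ini_flag('session.cookie_secure'),
        'cookie_httponly'  => ini_flag('session.cookie_httponly'),
    );
    if ($report['suhosin_loaded']) {
        $all = ini_get_all('suhosin', true);
        $key = 'suhosin.session.cryptdocroot';
        if (isset($all[$key]['access'])) {
            // 'access' is a bitmask; the INI_USER bit means ini_set() is allowed.
            $report['runtime_settable'] = (bool) ($all[$key]['access'] & INI_USER);
        }
    }
    // True when session data is encrypted with a key that includes the docroot:
    // a different docroot per vhost then yields unreadable (empty) session data
    // even though the session id in the cookie is the same.
    $report['docroot_bound'] = $report['encrypt'] === true && $report['cryptdocroot'] === true;
    return $report;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
print_r(session_env_report($_SERVER));
```

If `docroot_bound` is true and `document_root` differs between the http and https reports, the symptom in the question (same session id, empty data) is expected.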



Tags: php ssl