Page 1 of 1

passing session across URLs

Posted: Thu Aug 21, 2003 4:01 pm
by oraknabo
My company has both MYDOMAIN.com and MYDOMAIN.net applied to an IP where I'm building an app. Only MYDOMAIN.net is secure and I've been able to pass the session ID from http://MYDOMAIN.net to https://MYDOMAIN.net without losing the session, but if someone comes through from http://MYDOMAIN.com and needs to access a secure page, the session is killed and a new one is started.

Is it possible to pass a sessionID from a .com to a .net through either POST or GET? I know that if I set ini_set("session.cookie_domain",".MYDOMAIN.net"); I can use multiple subdomains, but is there a way to allow different hostname extensions?

If possible, I'd also like to be able to share the same session between the IP address and the other extensions. Can anybody set me straight?

Re: passing session across URLs

Posted: Thu Aug 21, 2003 4:54 pm
by Rook
Most likely your Session ID is being set in a cookie so you don't have to pass the ID through the url... So, you should append the Session ID to the query string.

Code: Select all

<?php
echo "<A HREF="www.this.net/index.php?" . strip_tags(SID) . "">link</a>";
?>
That should work...

- Rook.

Posted: Thu Aug 21, 2003 5:34 pm
by oraknabo
I've tried both that and a POST and neither works from .com to .net. Like you say, everything I read makes this look like it should work, but I do a print_r($_SESSION) on the page I'm going to and everything in the session goes to default as soon as I hit the link. The PHP refuses to apply the session to a different URL than the one it was created under.

Posted: Thu Aug 21, 2003 5:50 pm
by Gen-ik
As far as I know you can't pass sessions() across different domains, not even sub-domains, for security reasons.

(hit me with a big stick if I am wrong)

Posted: Thu Aug 21, 2003 11:23 pm
by nielsene
You can hack up some custom code to set two session cookies, one specifiying both domains. (If one were a subdomain, this wouldn't be needed, but as the TLD is different you have to play some funny games.)

Posted: Fri Aug 22, 2003 4:30 am
by JayBird
storing session data in a database would go to great lengths to help you solve your problem. if you wanted to, when you first make the jump to the second domain is when you would grab the session data from the database, then on subsequent page requests the session data would already be set for the second domain and no more DB calls would be needed.