Page 1 of 1

Session variables with SSL

Posted: Tue Dec 14, 2004 11:06 am
by DudeBori82
When the customer is ready to check out. They click checkout and it sends them to a page (secured by a shared security SSL) for them to enter in the payment information, etc. The problem is that when I use the shared security access url, I loose all the info that was stored in the previously created session array (the shopping cart). Then when they go to check out, everything in their cart dissapears. Any suggestions?

Posted: Tue Dec 14, 2004 11:24 am
by patrikG
The session cookie isn't valid for your domain anymore, because most likely your SSL certificate is not issued for your site, but shared. For a long explanation see http://www.modwest.com/help/kb5-264.html

Posted: Tue Dec 14, 2004 12:12 pm
by DudeBori82
yup, that's what's happening. I guess I could pass them tediously using the POST method to the SSL page and then re-insert them to a new session array on the SSL page.

Posted: Tue Dec 14, 2004 2:59 pm
by DudeBori82
Ok, here's a question. If I cannot use the same session array when moving to an SSL page, I will have to pass this session array through POST. How should I go about doing it? Here's an idea, tell me if you have anything better

Page 1:

Code: Select all

<?php
while ($i <= sizeof($_SESSION['cart'])){?>
      <input type="hidden" name="Product_ID<? echo $i; ?>" value="<? echo $_SESSION["cart"][$i]['Product_ID']; ?>">
      $i++;
}
<input type="hidden" name="items" value="<? echo ($i - 1); ?>">
?>
Page 2:

Code: Select all

<?php
while ($i <= $_POST['items']) {
      $_SESSION["cart"][$i]['Product_ID'] = $_POST['Product_ID$i'];
      $i++;
}

?>
I am attempting to dynamically create variables. I am not sure if this will work. If there's a better way, please tell me.

Posted: Tue Dec 14, 2004 3:14 pm
by patrikG
Personally, I haven't tried this, but I would check which website issues the SSL, then read out your domain's session-cookie, then set an identical cookie with the domain-name of the SSL issuer.

Posted: Tue Dec 14, 2004 3:19 pm
by DudeBori82
What do you mean by "read out"?

Posted: Tue Dec 14, 2004 3:40 pm
by patrikG
basically, make a copy of the values in the session cookie (session id etc.).

Posted: Tue Dec 14, 2004 3:46 pm
by rehfeld
you might also look at serialize()

serialize all your variables, pass the result in a hidden field, then unserialize on the ssl page

watch out for magic_quotes, you might need to do a stripslashes when receiving the data


but if its on the same server, maybe you could just pass the SID through the url or a hidden form field.

Posted: Tue Dec 14, 2004 4:07 pm
by DudeBori82
what is the "SID"? Do you mean session ID?

Posted: Tue Dec 14, 2004 5:01 pm
by DrHoliday
Maybe it's easier to just pass the session ID (retrieved by session_id()) to the first https site, and then set it for the new domain with the same function. But i don't know if this works, just a thought.

Wolfgang