updating a session var from a host name

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

updating a session var from a host name

Post by Burrito »

Ok, here's the scenario:

I have some users that have session vars set. They then move to a different host on the same machine (secure.mydomain.com vs http://www.mydomain.com) so they can do some stuff in a secure environment. After they've done their stuff I need to send them back to the www host and I need to update one of the session vars that is set based on the stuff they've done in secure.mydom... One of the session vars is displayed on every page on the http://www.mydom...

I've thought of a few different options to handle this. One would be to query the db on every page to check if I need to reset my session var...but I want to avoid this if possible because of processor time. Another option I've thought of (which I'm currently doing) is to put a button on the secure.mydom... page that says "you must click here to update your account" which sends them to an intermediate page which queries the db and updates their session var (if necessary). This works great, but it's lame...very focking lame indeed.

another option I thought about and tried, to no avail was to check the referring url and if it is from secure.mydom... then do the query and update if necessary. The reason this didn't work is because the http_referer wasn't being set when they came from secure.mydom.... (is this because it's from an HTTPS://??? In any case, it didn't work.

The last option which has two parts was this. Part one: Just make all of the links on that page go to the intermediate page (with something like <a href="www.mydom..../intermediate.php?page=htt ... p">here</a> and then run my query from there (don't force them to click a button) This would be good except that I'd have to change over 200 links with all of my js dropdown menus (burrito = lazy = don't wanna do this). Part two: could I just set some kind of php var on that page that automatically sent them to the intermediate page and not have to manually hard code all of the links with the intermediate page in the links? In other words just set something at the top of page like: $link = http://www.mydom.../intermediate.php?page=; and then append the links to that (w/o hard coding them all in)?

Is there another way to handle session vars across hosts that I don't knwo about?

Can anyone thign of another solution that would work for me here?

thx in advance for your time.

Burr
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

being able to manipulate session vars across subdomains is quite simple: set the domain value in the cookie to the whole domain, not the subdomain. i.e. domain.com vs. http://www.domain.com

The problem comes when you switch between secure and unsecure, because the sessions set with those are different... although it is possible to set them the same, the user will probably get a warning that mixed security content is on the page.

You can avoid it a bit by setting a flag in the database when you point them to the secure side.. or specifying something in the linkage back to the unsecure areas from the secure side, if possible.

As final option can be to have the content on either side available through https and http alike. You can then give them the choice of which to use.
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

feyd wrote: or specifying something in the linkage back to the unsecure areas from the secure side, if possible.
yes this is what I'd like to do, but is there a way to "globally" set the links on the page and force them to go to a specified page w/o hard coding them all in?
feyd wrote: As final option can be to have the content on either side available through https and http alike. You can then give them the choice of which to use.
Can't do this because some of the stuff involves credit cards, and I don't want to send them directly to the secure page and then use relative links from there as I already have some session vars set from the unsecure area...the warning they would receive (this page contains secure and unsecure do you want....) is an absolute no.

so can I somehow change the all of the links w/o actually changing all of the links 8O ?

thx,

Burr
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

it's possible to use output buffering in this instance to capture the finalized html, and use regular expressions to replace all the necessary links with a single reentry point..
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

except that the majority of the links are in a .js file for my menus.

I guess I could just put the js on the page itself and then do a regexp to replace everything....was hoping for somethign easier though.

seems like I've seen some basic HTML stuff in the body tag one time that invovled some linking options that might have linked everything from that page to whatever page I wanted...but perhaps not.

I'll keep stirring this pot and see what I can come up with.

Burr
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

oh and one more thing...


/me touches feyd's moustache
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

there is the HTML <base> tag, but that would just tell the browse where to start all relative url's on the page...
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

well could I use that and do something like:

no clue on syntax of base tag so forgive this bastardized rendition:
<base = http://www.mydomain.com/intermediate.ph ... omain.com/">

then any relative urls would go to that page ... ahh but alas, the damn https...<span style='color:blue' title='I&#39;m naughty, are you naughty?'>smurf</span>, prolly wouldnt' work.

grr....
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

what's wrong with keeping them in secure mode? Things will run a little slower, but if the pages were properly set up, the pages wouldn't care what protocol they are accessed under..
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

well then the sessions wouldn't be set (w/o the secure warning).
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

the session information can be passed in via the database.. you could have a script that is the starter/redirect page on the secure side, which will load in the session information, then redirect to the "proper" secure page.
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

I suppose I could do that. I'll consider that as an option, but would still like to come up with something that can bring them back to the unsecure and just update the session var.

thx for the advice.

Burr
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

here's an idea.. use a redirection page on the unsecure side that either passes the session id (via url) to the other side and update as needed on the secure side (in the database), or marks the session as needing to update next time they are seen.

this is using database sessions..
User avatar
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

I'm intrigued...but need a little more explanation.

I'm not sure if I'm using db sessions or not. Here is my "borrowed" code that I use to start my sessions which I have in a file called session.inc.php on all of my unsecure pages:

Code: Select all

// prepare session and start it up!...burrito
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ini_set('session.gc_maxlifetime', '36000'); /* 10 hours */

@session_cache_limiter('private, must-revalidate');
//@session_set_cookie_params(0, $_base_path);
session_name('mysessionname');
error_reporting(E_ALL ^ E_NOTICE);

ob_start();
	session_start();
	$str = ob_get_contents();
ob_clean();
couldn't tell you if that's db sessions or not. One other thing...as a side note, if they dont' have cookies enabled, the session vars don't work. I was under the assumption that php just threw the SID into the url if cookies were not enabled...guess not, at least not the way I'm doing it.

I guess I could just put the sid in the url myself if I did something like <a href="https://secure.mydomain.com?sid<=$_SESSION['SID']?>">bob</a> no?

but even if I did that, would it keep that url param on all of the subsequent pages? And even if it did, wouldn't I still need to query the db on the return to determine whether or not I need to update the session var? And how would it know that it was coming from the secure side to the unsecure side? I could just query the db on all pages anyway, but that was number 1) item above which I wanted to avoid for processing time reasons....
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

not db sessions.

The trans_id option has to be enabled for php to do it for you, however, I don't know if that works with output buffering like that..


viewtopic.php?t=23781 may be of help..
Post Reply