updating a session var from a host name

Posted: Thu Jan 20, 2005 9:45 am
by Burrito
Ok, here's the scenario:

I have some users that have session vars set. They then move to a different host on the same machine (secure.mydomain.com vs http://www.mydomain.com) so they can do some stuff in a secure environment. After they've done their stuff I need to send them back to the www host and I need to update one of the session vars that is set based on the stuff they've done in secure.mydom... One of the session vars is displayed on every page on the http://www.mydom...

I've thought of a few different options to handle this. One would be to query the db on every page to check if I need to reset my session var...but I want to avoid this if possible because of processor time. Another option I've thought of (which I'm currently doing) is to put a button on the secure.mydom... page that says "you must click here to update your account" which sends them to an intermediate page which queries the db and updates their session var (if necessary). This works great, but it's lame...very focking lame indeed.

Another option I thought about and tried, to no avail, was to check the referring url and if it is from secure.mydom... then do the query and update if necessary. The reason this didn't work is because the http_referer wasn't being set when they came from secure.mydom.... (is this because it's from an HTTPS://???) In any case, it didn't work.

The last option which has two parts was this. Part one: Just make all of the links on that page go to the intermediate page (with something like <a href="www.mydom..../intermediate.php?page=htt ... p">here</a>) and then run my query from there (don't force them to click a button). This would be good except that I'd have to change over 200 links with all of my js dropdown menus (burrito = lazy = don't wanna do this). Part two: could I just set some kind of php var on that page that automatically sent them to the intermediate page and not have to manually hard code all of the links with the intermediate page in the links? In other words just set something at the top of page like: $link = http://www.mydom.../intermediate.php?page=; and then append the links to that (w/o hard coding them all in)?

Is there another way to handle session vars across hosts that I don't know about?

Can anyone think of another solution that would work for me here?

thx in advance for your time.

Burr

Posted: Thu Jan 20, 2005 9:53 am
by feyd
being able to manipulate session vars across subdomains is quite simple: set the domain value in the cookie to the whole domain, not the subdomain. i.e. domain.com vs. http://www.domain.com

The problem comes when you switch between secure and unsecure, because the sessions set with those are different... although it is possible to set them the same, the user will probably get a warning that mixed security content is on the page.

You can avoid it a bit by setting a flag in the database when you point them to the secure side.. or specifying something in the linkage back to the unsecure areas from the secure side, if possible.

A final option can be to have the content on either side available through https and http alike. You can then give them the choice of which to use.
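
The re-entry page that a link back from the secure side could point at, as an added example that is not part of the original posts: it refreshes one session value from the database and only redirects to a target on the site's own host, so the `page` parameter cannot be used to bounce visitors to another site. The `accounts` table, the session keys, the function names and the connection placeholders are assumptions.

```php
<?php
// intermediate.php on the www host. Added example: the table, session keys
// and connection details below are assumptions, not taken from the thread.
const ALLOWED_HOST = 'www.mydomain.com';
const FALLBACK_URL = 'http://www.mydomain.com/';

/** Return $target only if it is a plain http(s) URL on our own host. */
function safe_return_url(string $target): string
{
    // Whitespace, control characters and backslashes are parsed inconsistently; refuse them.
    if (preg_match('/[\x00-\x20\x7f\\\\]/', $target)) {
        return FALLBACK_URL;
    }
    $p = parse_url($target);
    if (!is_array($p) || !isset($p['scheme'], $p['host'])
        || isset($p['user']) || isset($p['pass'])
        || !in_array(strtolower($p['scheme']), ['http', 'https'], true)
        || strtolower($p['host']) !== ALLOWED_HOST) {
        return FALLBACK_URL;
    }
    return $target;
}

/** Re-read the one value the secure side may have changed (hypothetical schema). */
function load_account_status(PDO $db, int $userId): ?string
{
    $stmt = $db->prepare('SELECT status FROM accounts WHERE user_id = ?');
    $stmt->execute([$userId]);
    $status = $stmt->fetchColumn();
    return $status === false ? null : (string) $status;
}

// Skipped under the CLI so the functions above can be included and tested alone.
if (PHP_SAPI !== 'cli') {
    session_name('mysessionname');
    session_start();
    if (isset($_SESSION['user_id'])) {
        $db = new PDO('mysql:host=localhost;dbname=PLACEHOLDER', 'PLACEHOLDER', 'PLACEHOLDER');
        $status = load_account_status($db, (int) $_SESSION['user_id']);
        if ($status !== null) {
            $_SESSION['account_status'] = $status;
        }
    }
    $page = $_GET['page'] ?? '';
    header('Location: ' . safe_return_url(is_string($page) ? $page : ''), true, 302);
    exit;
}
```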

Posted: Thu Jan 20, 2005 9:59 am
by Burrito
feyd wrote: or specifying something in the linkage back to the unsecure areas from the secure side, if possible.
yes this is what I'd like to do, but is there a way to "globally" set the links on the page and force them to go to a specified page w/o hard coding them all in?
feyd wrote: A final option can be to have the content on either side available through https and http alike. You can then give them the choice of which to use.
Can't do this because some of the stuff involves credit cards, and I don't want to send them directly to the secure page and then use relative links from there as I already have some session vars set from the unsecure area...the warning they would receive (this page contains secure and unsecure do you want....) is an absolute no.

so can I somehow change all of the links w/o actually changing all of the links 8O ?

thx,

Burr

Posted: Thu Jan 20, 2005 10:02 am
by feyd
it's possible to use output buffering in this instance to capture the finalized html, and use regular expressions to replace all the necessary links with a single reentry point..
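
One way to do the output-buffering rewrite described in the post above, as an added example that is not part of the original posts: the buffer callback wraps every link to the www host in a single re-entry URL. The `REENTRY_URL` and `WWW_HOST` constants, the function name and the sample links are assumptions.

```php
<?php
// Added example; REENTRY_URL and WWW_HOST are assumptions, not from the thread.
const REENTRY_URL = 'http://www.mydomain.com/intermediate.php?page=';
const WWW_HOST    = 'www.mydomain.com';

/** Output-buffer callback: wrap every <a href> that targets the www host. */
function route_links_through_reentry(string $html): string
{
    $pattern = '~(<a\b[^>]*?\bhref\s*=\s*)(["\'])(.*?)\2~is';
    $result = preg_replace_callback($pattern, function (array $m): string {
        $url  = html_entity_decode($m[3], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $host = parse_url($url, PHP_URL_HOST);
        // Leave relative links, other hosts and already-wrapped links alone.
        if (!is_string($host) || strtolower($host) !== WWW_HOST
            || strpos($url, REENTRY_URL) === 0) {
            return $m[0];
        }
        // Encode the original target so it travels as one query parameter.
        $wrapped = REENTRY_URL . rawurlencode($url);
        return $m[1] . $m[2] . htmlspecialchars($wrapped, ENT_QUOTES, 'UTF-8') . $m[2];
    }, $html);
    return $result ?? $html;   // on a PCRE error, send the page unmodified
}

// On the secure page, before any output is sent:
ob_start('route_links_through_reentry');
?>
<!-- Constructed sample markup: only the first link is rewritten. -->
<a href="http://www.mydomain.com/account.php?tab=1&amp;x=2">My account</a>
<a href="/checkout/step2.php">Next step</a>
<a href="https://partner.example/">Partner</a>
```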

Posted: Thu Jan 20, 2005 10:08 am
by Burrito
except that the majority of the links are in a .js file for my menus.

I guess I could just put the js on the page itself and then do a regexp to replace everything....was hoping for something easier though.

seems like I've seen some basic HTML stuff in the body tag one time that involved some linking options that might have linked everything from that page to whatever page I wanted...but perhaps not.

I'll keep stirring this pot and see what I can come up with.

Burr

Posted: Thu Jan 20, 2005 10:10 am
by Burrito
oh and one more thing...


/me touches feyd's moustache

Posted: Thu Jan 20, 2005 10:11 am
by feyd
there is the HTML <base> tag, but that would just tell the browser where to start all relative url's on the page...

Posted: Thu Jan 20, 2005 10:31 am
by Burrito
well could I use that and do something like:

no clue on syntax of base tag so forgive this bastardized rendition:
<base = http://www.mydomain.com/intermediate.ph ... omain.com/">

then any relative urls would go to that page ... ahh but alas, the damn https...smurf, prolly wouldn't work.

grr....

Posted: Thu Jan 20, 2005 10:33 am
by feyd
what's wrong with keeping them in secure mode? Things will run a little slower, but if the pages were properly set up, the pages wouldn't care what protocol they are accessed under..

Posted: Thu Jan 20, 2005 10:45 am
by Burrito
well then the sessions wouldn't be set (w/o the secure warning).

Posted: Thu Jan 20, 2005 10:51 am
by feyd
the session information can be passed in via the database.. you could have a script that is the starter/redirect page on the secure side, which will load in the session information, then redirect to the "proper" secure page.

Posted: Thu Jan 20, 2005 10:58 am
by Burrito
I suppose I could do that. I'll consider that as an option, but would still like to come up with something that can bring them back to the unsecure and just update the session var.

thx for the advice.

Burr

Posted: Thu Jan 20, 2005 11:02 am
by feyd
here's an idea.. use a redirection page on the unsecure side that either passes the session id (via url) to the other side and update as needed on the secure side (in the database), or marks the session as needing to update next time they are seen.

this is using database sessions..

Posted: Thu Jan 20, 2005 11:12 am
by Burrito
I'm intrigued...but need a little more explanation.

I'm not sure if I'm using db sessions or not. Here is my "borrowed" code that I use to start my sessions which I have in a file called session.inc.php on all of my unsecure pages:

Code:

// prepare session and start it up!...burrito
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ini_set('session.gc_maxlifetime', '36000'); /* 10 hours */

@session_cache_limiter('private, must-revalidate');
//@session_set_cookie_params(0, $_base_path);
session_name('mysessionname');
error_reporting(E_ALL ^ E_NOTICE);

ob_start();
session_start();
$str = ob_get_contents();
ob_clean();

couldn't tell you if that's db sessions or not. One other thing...as a side note, if they don't have cookies enabled, the session vars don't work. I was under the assumption that php just threw the SID into the url if cookies were not enabled...guess not, at least not the way I'm doing it.

I guess I could just put the sid in the url myself if I did something like <a href="https://secure.mydomain.com?sid=<?=$_SESSION['SID']?>">bob</a> no?

but even if I did that, would it keep that url param on all of the subsequent pages? And even if it did, wouldn't I still need to query the db on the return to determine whether or not I need to update the session var? And how would it know that it was coming from the secure side to the unsecure side? I could just query the db on all pages anyway, but that was number 1) item above which I wanted to avoid for processing time reasons....

Posted: Thu Jan 20, 2005 11:18 am
by feyd
not db sessions.

The trans_id option has to be enabled for php to do it for you, however, I don't know if that works with output buffering like that..


viewtopic.php?t=23781 may be of help..