Does anyone know how I can keep a session going when I go from, like, http://www.mysite.com to, like, https://myhost.dns.com/~username? (The second name is so the page is secured.) If someone can help me, please leave a message.
Thank you
Smackie
Sessions
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
You can pass the session id manually and then attempt to restart the session with the id that was passed. This is a common way to prevent the "dropped cart" problem of virtual hosts with shared SSL servers.
There are security issues with this method, so make sure that you have a way to verify that the session is not being spoofed. Usually you generate a unique key on the calling side, save it in the session, pass it as a parameter, and then check for a match between the parameter and the values in the session on the receiving page.
(#10850)
- raghavan20
- DevNet Resident
- Posts: 1451
- Joined: Sat Jun 11, 2005 6:57 am
- Location: London, UK
feyd wrote: You'll have to transfer the session via a separate process, such as through the database.
Do you mean to say that two hosts should share the session details table?
aborint, do you mean to get the session id from another host and register it using $_SESSION['PHPSESSID'] = $new_id?
This is new to me... can you guys give more information on doing this?
No, there is only one host; that second URL is the 'real' URL of his site, and he is set up as a virtual host. He is simply passing the session_id in the GET string or through POST data and creating the session from that with session_id().
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
raghavan20 wrote: aborint do you mean to get session id from another host and register using $_SESSION['PHPSESSID'] = $new_id?? This is new to me...can you guys give more information on doing this??
I am not clear on the exact problem, but you can have trouble when you want to go back and forth between two domains on the same server and maintain the session. (If they are two separate servers then you need a shared DB solution.)
I was thinking of code like this on the receiving page:
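Code:
// Strip everything except the characters a session id / key may contain
$sessionid = preg_replace('/[^a-zA-Z0-9_\-]/', '', $_GET['PHPSESSIONID']);
$uniqueid = preg_replace('/[^a-zA-Z0-9_\-]/', '', $_GET['UNIQUEID']);
session_id($sessionid); // force session to start with passed ID
session_start();        // session_id() must be called before session_start()
// Reject the request unless the key stored in the session matches the one passed
if (! isset($_SESSION['UNIQUEID']) || ($_SESSION['UNIQUEID'] !== $uniqueid)) {
    die('Invalid session ID');
}
(#10850)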
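The hand-off described in this thread, shown end to end as an added example (not code from any poster): the calling page stores a one-time key in the session and puts it in the link, and the receiving page resumes the session and accepts it only if the key matches. The function names, the 120-second lifetime and the `UNIQUEID_EXPIRES` session key are assumptions, and PHP 7 or later is assumed for `random_bytes()`.

```php
<?php
// Added example, not code from the thread. Function names, the 120-second
// lifetime and the UNIQUEID_EXPIRES key are assumptions. Requires PHP 7+.

// Calling side (http://www.mysite.com): build the link to the SSL URL.
function build_handoff_url(string $base): string
{
    session_start();
    $key = bin2hex(random_bytes(16));            // unguessable one-time key
    $_SESSION['UNIQUEID'] = $key;
    $_SESSION['UNIQUEID_EXPIRES'] = time() + 120;
    $query = http_build_query([
        'PHPSESSIONID' => session_id(),
        'UNIQUEID'     => $key,
    ]);
    session_write_close();                       // persist before redirecting
    return $base . '?' . $query;
}

// Receiving side (https://myhost.dns.com/~username): resume, then verify.
function accept_handoff(array $get): bool
{
    $sid = $get['PHPSESSIONID'] ?? '';
    $key = $get['UNIQUEID'] ?? '';
    // Reject malformed input outright instead of stripping characters.
    if (!is_string($sid) || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid)
        || !is_string($key) || !preg_match('/^[a-f0-9]{32}$/', $key)) {
        return false;
    }
    session_id($sid);                            // must precede session_start()
    session_start();
    $fresh    = ($_SESSION === []);              // no stored session had this id
    $expected = $_SESSION['UNIQUEID'] ?? '';
    $expires  = $_SESSION['UNIQUEID_EXPIRES'] ?? 0;
    unset($_SESSION['UNIQUEID'], $_SESSION['UNIQUEID_EXPIRES']); // single use
    $ok = is_string($expected) && $expected !== ''
        && hash_equals($expected, $key) && time() <= $expires;
    if (!$ok) {
        $fresh ? session_destroy() : session_write_close();
        header_remove('Set-Cookie');             // do not plant the passed id
        return false;
    }
    session_regenerate_id(true);                 // id that was in the URL dies
    return true;
}

// Usage on the receiving page:
// if (!accept_handoff($_GET)) { http_response_code(403); exit('Invalid session ID'); }
```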