Sessions
Posted: Wed Feb 08, 2006 11:27 am
by Smackie
Does anyone know how I can keep a session going when I go from like http://www.mysite.com to like https://myhost.dns.com/~username? (The second name is so the page is secured.) If someone can help me, please leave a message.
Thank you
Smackie
Posted: Wed Feb 08, 2006 11:33 am
by feyd
You'll have to transfer the session via a separate process, such as through the database.
Posted: Wed Feb 08, 2006 12:57 pm
by Christopher
You can pass the session id manually and then attempt to restart the session with the id that was passed. This is a common way to prevent the "dropped cart" problem of virtual hosts with shared SSL servers.
There are security issues with this method, so make sure that you have a way to verify that the session is not being spoofed. Usually you generate a unique key on the calling side, save it in the session, pass it as a parameter, and then check for a match between the parameter and the values in the session on the receiving page.
Posted: Wed Feb 08, 2006 3:14 pm
by raghavan20
feyd wrote: You'll have to transfer the session via a separate process, such as through the database.
Do you mean to say that two hosts should share the session details table?
aborint, do you mean to get the session id from another host and register it using $_SESSION['PHPSESSID'] = $new_id?
This is new to me... can you guys give more information on doing this?
Posted: Wed Feb 08, 2006 3:51 pm
by josh
No, there is only one host, that second URL is the 'real' URL to his site and he is set up as a virtualhost. He is simply passing the session_id in the GET string or through POST data and creating the session from that with session_id().
Posted: Wed Feb 08, 2006 4:06 pm
by Christopher
raghavan20 wrote:
aborint, do you mean to get the session id from another host and register it using $_SESSION['PHPSESSID'] = $new_id?
This is new to me... can you guys give more information on doing this?
I am not clear on the exact problem, but you can have trouble when you want to go back and forth between two domains on the same server and maintain the session. (if they are two separate servers then you need a shared DB solution)
I was thinking of code like this on the receiving page:
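Code:
// Keep only characters that can appear in a session ID or key
$sessionid = preg_replace('/[^a-zA-Z0-9\_\-]/', '', isset($_GET['PHPSESSIONID']) ? $_GET['PHPSESSIONID'] : '');
$uniqueid = preg_replace('/[^a-zA-Z0-9\_\-]/', '', isset($_GET['UNIQUEID']) ? $_GET['UNIQUEID'] : '');
if ($sessionid !== '') {
    session_id($sessionid); // force session to start with passed ID
}
session_start();
// Strict comparison, so numeric-looking strings are not treated as equal
if (! isset($_SESSION['UNIQUEID']) || ($_SESSION['UNIQUEID'] !== $uniqueid)) {
    die('Invalid session ID');
}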
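Both halves of the keyed hand-off discussed in this thread, as an added example that is not code from any of the posters. The function names, the 60-second lifetime and the extra session key UNIQUEID_EXPIRES are assumptions; the parameter names follow the snippet above.

```php
<?php
const HANDOFF_TTL = 60; // seconds a hand-off key stays valid (assumed value)

// Calling side (the http:// site): mint a one-time key and build the link.
function build_handoff_url(string $secureBase): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $key = bin2hex(random_bytes(16)); // 128-bit unguessable key
    $_SESSION['UNIQUEID'] = $key;
    $_SESSION['UNIQUEID_EXPIRES'] = time() + HANDOFF_TTL;
    return $secureBase . '?' . http_build_query([
        'PHPSESSIONID' => session_id(),
        'UNIQUEID'     => $key,
    ]);
}

// Receiving side (the shared-SSL URL): true only for a valid hand-off.
function accept_handoff(array $query): bool
{
    $sid = $query['PHPSESSIONID'] ?? '';
    $key = $query['UNIQUEID'] ?? '';
    // Reject malformed input outright instead of stripping characters from it.
    if (!is_string($sid) || !is_string($key)
        || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid)
        || !preg_match('/^[0-9a-f]{32}$/', $key)) {
        return false;
    }
    ini_set('session.use_strict_mode', '1'); // never adopt an unknown ID
    session_id($sid);
    session_start();
    $expected = $_SESSION['UNIQUEID'] ?? '';
    $expires  = $_SESSION['UNIQUEID_EXPIRES'] ?? 0;
    // The key is single-use: remove it whether or not the check passes.
    unset($_SESSION['UNIQUEID'], $_SESSION['UNIQUEID_EXPIRES']);
    if (!is_string($expected) || $expected === '' || time() > $expires
        || !hash_equals($expected, $key)) {
        session_write_close(); // persist removal of the spent key
        return false;
    }
    // The old ID has appeared in a URL: issue a new one, delete the old.
    session_regenerate_id(true);
    return true;
}
```

The calling page would redirect to `build_handoff_url(...)` and the receiving page would call `accept_handoff($_GET)` before any output. Because the session ID travels in the query string, it can end up in server logs and Referer headers, which is why the receiving side replaces it as soon as the key checks out.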