session variables from http to SSL
Posted: Wed Jun 21, 2006 6:16 pm
by Zoran_Dimov
I have a problem with passing session variables from http to https.
When they are passed to the Secured Layout they are destroyed.
Can anyone suggest a solution... or should I buy an SSL certificate?
Thanks in advance
Posted: Wed Jun 21, 2006 6:22 pm
by Benjamin
You can save the data to the database, then pass a key along with the url, and use the key to pull the data back out of the database.
Yes but...
Posted: Wed Jun 21, 2006 6:31 pm
by Zoran_Dimov
Nice solution.. Thanks
But I have a lot of variables of different types, so the database schema will be very complex, and I don't have that time. Can I just pass the session id in the URL? Is that safe? (The session is still living in the http space, isn't it?)
Posted: Wed Jun 21, 2006 6:35 pm
by Benjamin
I think if you're storing your sessions in the database you could pass the session id in the URL, but if not you're probably out of luck in that regard.
Posted: Wed Jun 21, 2006 6:50 pm
by Christopher
The simplest way is to pass the session id in the URL like:
https://sslsite.com/sslpage.php?PHPSESSID=1234567890
http://mysite.com/mypage.php?PHPSESSID=1234567890
SAFE??..
Posted: Wed Jun 21, 2006 7:16 pm
by Zoran_Dimov
PHPSESSID=1234567890
I think this is not safe. The user should not have control of the SessionID.
If the session variable is storing some price, I can make two sessions, one with
very low price, and then pass the session ID that stores the smaller price, in the https url with
high price.
Or am I wrong??
Re: SAFE??..
Posted: Wed Jun 21, 2006 7:32 pm
by Christopher
Zoran_Dimov wrote:PHPSESSID=1234567890
I think this is not safe. The user should not have control of the SessionID.
Cookies can be spoofed by a knowledgeable user as easily as request parameters. You need to do additional checks to verify that the session is valid either way.
Zoran_Dimov wrote:If the session variable is storing some price, I can make two sessions, one with
very low price, and then pass the session ID that stores the smaller price, in the https url with
high price.
Or am I wrong??
I would recommend against storing things like the price in the session. Store the SKU instead and always look up the price from the datasource.
Posted: Wed Jul 05, 2006 5:00 pm
by bike5
Back to storing info in the database: you *might* be able to use serialize to wrap up all the variables and such to store in one table column
http://us3.php.net/serialize
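
Added example, not code from any poster in this thread: the suggestions above combined into one handoff, where the data is serialized into a single column, the HTTPS URL carries only a random single-use key, and the cart holds SKUs so prices are looked up server-side. The table and column names, the `key` parameter, the 60-second lifetime and the sample cart are assumptions, and in-memory SQLite stands in for the database both sites share.

```php
<?php
declare(strict_types=1);
// Hypothetical schema; in-memory SQLite stands in for the shared database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE handoff (token_hash TEXT PRIMARY KEY, payload TEXT NOT NULL, expires INTEGER NOT NULL)');

// HTTP side: store the data server-side and return an unguessable, short-lived key.
function create_handoff(PDO $db, array $data, int $ttl = 60): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO handoff VALUES (?, ?, ?)');
    // Only a hash of the key is stored, so reading the table does not yield usable keys.
    $stmt->execute([hash('sha256', $token), serialize($data), time() + $ttl]);
    return $token;
}

// HTTPS side: redeem the key once; unknown, expired or replayed keys return null.
function redeem_handoff(PDO $db, string $token): ?array
{
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT payload, expires FROM handoff WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $del = $db->prepare('DELETE FROM handoff WHERE token_hash = ?');
    $del->execute([$hash]);
    // rowCount() of 1 means this request is the one that consumed the key.
    if ($row === false || $del->rowCount() !== 1 || (int)$row['expires'] < time()) {
        return null;
    }
    // allowed_classes => false stops unserialize() from instantiating objects.
    $data = unserialize($row['payload'], ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed sample data: the cart carries SKUs and quantities, never prices.
$prices = ['SKU-1001' => 1999, 'SKU-2002' => 450];   // cents; stands in for the datasource
$token = create_handoff($db, ['cart' => ['SKU-1001' => 2, 'SKU-2002' => 1]]);
echo "https://sslsite.com/sslpage.php?key=$token\n";

$data = redeem_handoff($db, $token) ?? ['cart' => []];
$total = 0;
foreach ($data['cart'] as $sku => $qty) {
    $total += $prices[$sku] * $qty;                // price comes from the server, not the client
}
echo "total (cents): $total\n";
var_dump(redeem_handoff($db, $token));             // second use of the same key
```

On the HTTPS page, copy the redeemed array into `$_SESSION` after calling `session_regenerate_id(true)`, so the secure site never reuses a session id that travelled over plain HTTP.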