Maintaining session_id() between HTTP and HTTPS

Posted: Mon Apr 09, 2007 10:17 am
by dogensan
Jcart | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hi There, 

I've stumbled across a problem with a shopping cart I've recently developed. It basically works by snatching the user's session_id(), storing that in a MySQL database, along with the product they add to the cart.

ie.

Code:

<?php

session_start();

$sessid = session_id();

...

// $id, $size and $quantity come from the request (and $sessid from the
// client's session cookie), so they must be escaped or bound as parameters
// before being interpolated into the query.
$sql = "INSERT INTO carttemp SET
session_id = '$sessid',
item_id = '$id',
item_size = '$size',
item_quantity = '$quantity'";

...?>

When it comes time for the user to check out, they get transferred to a secure HTTPS connection. The customer is then provided with a rundown of what's in their cart, with code as simple as:

Code:

<?php

session_start();

$sessid = session_id();

// session_id() is whatever the client's cookie carried, so bind it rather
// than interpolating it directly.
$query = "SELECT * FROM carttemp WHERE session_id = '$sessid'";

...?>

As you can see, the reference point is always the session_id. There are no variables stored in sessions; I am simply using the session_id to match the data stored in the temporary database with the user.

90% of the time this code works fine.

However, I have had a few reports that customers will add items to their cart, click on order (which changes them to an HTTPS connection) and suddenly their cart will be empty! I've been able to replicate this problem, but only using Firefox 1.5 on PC and only sometimes (very strange!!). In these cases, it would appear that changing from HTTP to HTTPS generates a new session_id. Most of the time the session_id remains the same whether in HTTP or HTTPS, and you can jump back and forward without dramas.

Does anyone know why this would be working sometimes, but not all the time, and how I can best avoid it from happening altogether? Keep in mind that once in HTTPS, the user might jump back to HTTP and vice versa; the whole time I will need some sort of reference point to match items stored in the cart database with the customer who put them there!

Can I store the session_id in a cookie that can be accessed in both HTTP and HTTPS? And how would I reference and make sure I'm getting the right cookie without being able to use the session_id? Or can I simply scrap sessions and use cookies altogether? There will be no sensitive data (well, no data at all really) stored in the cookie; it is simply a means of linking a customer to their products whilst they are still browsing/ordering.

Or is there a way to simply maintain the session_id between HTTP and HTTPS? I would prefer to avoid a solution that requires the SID be sent through URL, POST or GET, as it would require huge amounts of re-coding.

Thanks in advance to anyone who can help me out with this situation!

Dogen

Posted: Mon Apr 09, 2007 12:05 pm
by Christopher
You can simply manually pass the session ID when you go from http to https. However, I would recommend doing things like generating a unique value to store in the session and check on the other end, and regenerating the session id before and after. Search for "session fixation" to find out more about the issues.
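One way to implement the handoff Christopher describes, as an added example that is not code from the thread. It assumes PHP 7 or later, a PDO connection in $pdo, the poster's carttemp table, and an extra cart_handoff table (token, session_id, expires) that I made up for this example; the HTTP side returns a one-time token that is carried in the redirect to the HTTPS checkout page, and the HTTPS side swaps it for a freshly regenerated session so the HTTP-side session id itself never has to be trusted.

```php
<?php
// Added example, not the poster's code. Assumes PHP 7+, a PDO handle in $pdo,
// the poster's carttemp table, and a hypothetical table
// cart_handoff(token CHAR(64) PRIMARY KEY, session_id VARCHAR(128), expires INT).

// HTTP side: called just before redirecting the customer to the HTTPS checkout.
function beginCheckoutHandoff(PDO $pdo): string
{
    session_start();
    $oldId = session_id();
    // One-time, unguessable token; it is the only value that crosses to HTTPS.
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare(
        'INSERT INTO cart_handoff (token, session_id, expires) VALUES (?, ?, ?)'
    );
    $stmt->execute([$token, $oldId, time() + 300]); // valid for five minutes
    return $token;
}

// HTTPS side: called on the checkout page; returns true if a cart was attached.
function completeCheckoutHandoff(PDO $pdo, string $token): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false; // malformed token, never touch the database
    }
    session_start();
    // Fresh id on the HTTPS side, so an id seen on plain HTTP cannot be reused here.
    session_regenerate_id(true);
    $newId = session_id();

    $pdo->beginTransaction();
    $stmt = $pdo->prepare(
        'SELECT session_id FROM cart_handoff WHERE token = ? AND expires > ? FOR UPDATE'
    );
    $stmt->execute([$token, time()]);
    $oldId = $stmt->fetchColumn();
    if ($oldId === false) {
        $pdo->rollBack();
        return false; // unknown or expired token
    }
    // Re-key the cart rows to the new session, then burn the token (single use).
    $pdo->prepare('UPDATE carttemp SET session_id = ? WHERE session_id = ?')
        ->execute([$newId, $oldId]);
    $pdo->prepare('DELETE FROM cart_handoff WHERE token = ?')->execute([$token]);
    $pdo->commit();
    return true;
}
```

Because the cart is re-keyed to the new id, the checkout page keeps using session_id() exactly as before; only the cookie issued on HTTPS needs to be marked secure.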

Posted: Wed Apr 11, 2007 7:07 am
by mentor
Try this solution.

Set the value for session.cookie_domain. Before initializing the session, put this line:

ini_set ( 'session.cookie_domain', '.mysite.com' );

For more info visit http://www.php.net/manual/en/ref.sessio ... kie-domain