keeping SESSION alive switching to SSL connection

[commun1]

Hey there,

I use a session script which should pass all variables to a secure connection.

Like when someone enters

http://www.mydomain.com

he is able to to fill a shopping cart (no ssl) and can switch to a secure connection (let's assume it's

https://www.mydomain.com)

but however all my session data is lost once I switch to an SSL connection. How can I get the session data to be available through both connections?

My session script looks like this:

<?php
session_cache_limiter('private');
session_cache_limiter();
session_start();
if(isset($HTTP_GET_VARS["session_id"])) {
  $_SESSION["session_id"] = $HTTP_GET_VARS["session_id"];
  $session_id = $HTTP_GET_VARS["session_id"];
}
if(!isset($_SESSION["session_id"]) || $_SESSION["session_id"] == ""){
    $_SESSION["session_id"] = session_id();
}
$session_id = $_SESSION["session_id"];
if(isset($username) && $username != "") {
  $_SESSION["username"] = $username;
  $username = $_SESSION["username"];
}
?>

So I want the session_id and username to be available on SSL as without SSL.

any ideas?
I also do not want to set a cookie specifically using setcookie since I want the session only to be alive during open browser window, once it's closed the session should be gone...

thanks in advance

 

[sleipnir214]

You seem to be jumping through an awful lot of hoops there, and I'm not really sure why. In particular, I'm not sure of the usefulness of storing the session_id in the session.

Anyway, on my machine, a LAMP box with PHP 5 installed, the following script:

<?php
session_cache_limiter('private');
session_start();

print '<html><body>';

if (!isset ($_SESSION['foo']))
{
	print 'Creating...<br>';
	$_SESSION['foo'] = array('a', 'b', 'c');
	$_SESSION['username'] = 'fred';
}
else
{
	print 'Exists..<br>';
}

print '<pre>';
print_r ($_SESSION);
print '</pre></body></html>';
?>

Allows session data to work through a session cookie (automatically set by PHP and set to be deleted at the end of the browser session) over both HTTP and HTTPS with IE, Opera and Firefox. The only caveat is that the HTTP and HTTPS domain names must be the same, as cookies are domain-specific.


Want the best answers? Ask the best questions!

TANSTAAFL!!

 

[commun1]

thanks sleipnir.

however, I figured that my Domain is

http://www.test.com

and the SSL-one is

https://test.com

(same domain but without the

http://www).

On IE the session is being kept alive but firefox creates a new one once I switch. is the "www" the problem? I don't have a secure

https://www.test.com

but a want to use

http://www.test.com

as the main domain.

 

[sleipnir214]

www" is the problem because "

http://www.test.com"

is a different URL from "test.com".

When a browser decides what stored cookies to return to a server, it is supposed to do a "tail-first" match. If you set a cookie for "test.com", that cookie is valid for

http://www.test.com.

However, if you set the cookie in

http://www.test.com,

it will not work in test.com. See

http://wp.netscape.com/newsref/std/cookie_spec.html

Your workaround is to explicitly set the domain of the session cookie to "test.com". You can do this using ]link

http://us3.php.net/manual/en/function.session-set-cookie-params.php

]session_set_cookie_params()[/url], ini_set(), or by tweaking session.cookie_domain in php.ini or an .htaccess file (if you're using Apache).


Want the best answers? Ask the best questions!

TANSTAAFL!!