maintaining session data across domains

James_Swafford

Hello,

I need to maintain session data across domains - from an
unsecure connection to a secure one.

http://unsecure.com/s1.php --> https://secure.com/dir/s2.php

I'm trying to avoid cookies, so I'm passing the session ID through
the URL. I know there is nothing wrong with the script on the
secure side - it is getting the session ID.

$PHPSESSID=$_GET["PHPSESSID"];
session_id($PHPSESSID);
session_start();

If I access s2 via http://unsecure.com/s2.php, everything
is fine, because I haven't crossed domains. ("unsecure.com"
is a virtual domain, so http://unsecure.com/s2.php is
the same script as https://secure.com/dir/s2.php - "dir"
is a symlink). I need to use the https connection while
calling secure.com 'cause that's where my SSL key is registered.

Surely this has got to be a common problem, but I haven't
been able to find anything useful. Suggestions would be
greatly appreciated.

Thanks,

--
James

killerbishop

There is a way to do this, but it requires a couple of things:

(1) All session data is stored in the same directory or uses the same container across domains for retrieving the data

(2) You will need to pass the session ID between domains manually, and not retrieve the data from cookies, but the actual session file.

(3) session.use_only_cookies is not enabled

So, between the unsecure site and secure one, do:

http://unsecure.com/s1.php?PHPSESSID=12345
https://secure.com/dir/s2.php?PHPSESSID=12345

Should be the same session data, since you are retrieving that session file.

James_Swafford

Your post was extremely helpful - thanks.
It's actually session.use_cookies = 0 , though.

A one character change to the php.ini file and I'm good
to go. 🙂

Thanks again,

--
James