Session ID &amp; URL Problem

Session ID & URL Problem

Roman_Totale

I have a problem which stems from the session id cookie and the URL. Our site has an SSL store uses a session based cart. The issue is that when my boss bought the SSL cert., he bought it for oursite.com and not www.oursite.com (which is opposite of how our site is publicized in our literature, naturally). This creates a scenario where if a user visits the secure store like this: https://www.oursite.com/store, they will get the nasty invalid SSL certificate message. If I have a php script which redirects this page to https://oursite.com/store in hopes of avoiding the SSL error message--the session id is lost since it was created for www.oursite.com (and thus the cart contents are dropped).

This brings me to my question: Can I somehow use one session cookie for both www.oursite.com and oursite.com? Or can I access the session from www.oursite.com from oursite.com?

If not, can I use Apache to force all visitors to oursite.com (not www.oursite.com) and keep the rest of the URL intact (i.e. the folder/file information)

Thanks

keith73

and to answer your question.
in your redirection, include the session name=ID in your redirect command and make sure your script in the store checks for it and uses it to resume the session.

$redirect = "https://oursite.com/store?PHPSESSID=" . session_id();

keith

Roman_Totale

Thanks!

Roman_Totale

The solution above seemed to work at first, but errors are still occuring.

What I would like to do is remove the problem of duel session ids (ie. one for www.mysite.com and one for mysite.com) with an Apache config or some such measure. How do I config Apache such that either only one session id is created for www.mysite.com and mysite.com OR so that www.mysite.com will resolve to mysite.com?

I haven't worked too much with Apache configs, help greatly appreciated.

keith73

before calling session_start() call ini_set to set the session's cookie domain. The default will set whatever the user used to access your site so if they go to www.mydomain.com, the cookie will set that way.

ini_set(session.cookie_domain,'mydomain.com');
session_start();

Now any variation of your domain will be able to access that cookie.

Another way to do it is using this command before session_start()

session_set_cookie_params(86400*10,'/','mydomain.com');

keith

Roman_Totale

is there a similar way to do this in the php ini file? i'd like to avoid pre-appending any new files and the only common files on the site are included after session_start()

keith73

I don't know what you mean by pre-pending files, that isn't what I was suggesting.

But to answer your question, yes.
open up your php.ini file and find this line:

session.cookie_domain =

and change it to

session.cookie_domain = mydomain.com

keith

Roman_Totale

Thanks again.