Insecure data to Secure

Kudose

Hello all.

I was wondering if it was possible to take a session that has information from before the user logs in and converts it to secure data and keeps the data in the session.

Here is how I have my stuff set up.

If you login before you make any changes, then make changes, then everything is fine.

If you make changes, then login, everything is lost.

Keep in mind that I am having users go from non-secure area before they login, then it redirects them to the secure (SSL) area.

Thanks!

rachel2004

If you have a digital certificate on your server to permit encryption via SSL, why not use it all of the time? I don't see the logic you are presenting, so maybe explain further the reasoning.

Also, why would you permit users to make changes to something if they aren't logged in, or am I missing someting as far as what they are changing. I would think things would be a lot less confusing if everything were moving in a linear fashion:

Kudose

I have a shared SSL, so when I use it the URL changes to the secure server URL with my domains extension, and I dont want that URL to show first thing when they type in my URL, only after they login.

It is a shopping cart. I need to save the session (cart) data and after they login keep that data. When they log in it flushes the cart.

But if I add an item, log in, view cart that is empty, log out, it shows the item from the insecure session.

Weedpacket

That's because sessions are limited to apply only in the domains in which they are set. That's to prevent session IDs accidentally leaking out to other sites (which can't be good), but it does mean that your SSL domain doesn't see the session data in the non-SSL domain, because it never gets the session ID. So the user ends up with two carts: one in the non-secure domain and one on the secure domain.

Now, here's a question: are your SSL and non-SSL domains storing session data in the same place? If they are then what you need to do somehow is pass the session ID across the domain. Since you're using a login form, the first suggestion that comes to mind is a hidden field in the login form that contains the session ID. Then when you're processing the login form, use [man]session_id[/man] to set the ID to the one supplied in the form, so that session_start() reloads the same session instead of creating a new one.

Once the browser is using the same session ID in both domains, you should be able to jump back and forth between them.