Session Handling between Secure and Unsecure modes

schajee

I need to start a session in secure mode (https) and use it in the unsecure mode (http). I do not want to transfer the variables via POST or GET to the unsecure page and start a sesison there.

I want to know if that is possible, and any good workarounds if not.

mtmosier

In my experience running with apache on linux, if the domain name is constant across the two then it just works. (http://www.example.com and https://www.example.com)

If the domain name changes then you can try passing the session id via the querystring. As long as the setting "session.use_only_cookies" is not enabled you should be able to just create the url as

$url = 'https://store.example.com/file.php?'.session_name().'='.session_id();

Oh, yeah. In either case I'm assuming that both the unsecure and secure sites are on the same machine, and in the case of *nix using the same instance of apache.

schajee

Well the site i've setup switches like this.

Users login at https://secure.example.com and then they need to be taken to http://my.example.com while maintaining the session created in the secure mode.

Everything is on the same machine with Windows and IIS and I do not wish to use the url mode for sessions.