Transferring Sessions

webmaster1721

I am running a Web App with a series of $_SESSION variables attached to a certain domain. I now want to move into a quasi-shopping cart page where my SSL Cert is installed (a domain different than the one I have all of my session variables stored at).

Is there some easy way of copying the $_SESSION variables present on the Web App Domain to duplicate them on the Cart Checkout Domain so I can reuse the existing values stored in the sesison vars?

Thx :bemused:

devinemke

are the non-secure and secure domains on the same physical server? if so then your session file will still be sitting there, you just have to manually propagate the session ID, usually by appending it to the URL. use [man]session_name[/man] and [man]session_id[/man] to form the URL query string.

if the two domains are on different servers and you have common access to a database then simply [man]serialize[/man] the session array, stick it in a temp table, then pull it back out and [man]unserialize[/man] on the secure site.

webmaster1721

Thanks devinemke.

Yes the domains are on a shared VPS. So if I do an href="https://secure.hostname.com/cart?sid=yadayadayada" and then read that session id on the secured cart page, that will do it?

webmaster1721

Got the session variables to pass and appear quite nicely. I did the following:

Sending Document--
<a href="https://secure.domain.com/?sid=<? echo session_id(); ?>">hyperlink</a>

Receiving Document--
<?php
session_id($_GET['sid']);
session_start();
...
?>

Works great.

Now, is there a similar way to get the Cookies transferred also?

toplay

You can shorten the receiving document code by doing it this way:

Sending Document--
<?PHP session_start(); ?>
<a href="https://secure.domain.com/?<?PHP echo session_name(), '=', session_id(); ?>">hyperlink</a>

Receiving Document--
<?PHP session_start(); ?>

The above approach is necessary when the domain names/URL for the secure and non-secure are indeed different.

If one is talking about going from the main domain to it's sub-domain name (or vice-versa) on the same server, then it's possible for the session to still be saved without putting the session info in the URL. Example - going from a non-secure page like this:

http://www.example.com/cart.php

over to a secure page like this:

https://www.secure.example.com/checkout.php

This should work by setting 'session.cookie_domain' using session_set_cookie_params() or init_set() functions (before session_start). Set the domain argument to '.example.com' in this scenario. Notice there's a dot at the beginning of the domain name. That should allow the session to be recognized on the secure and non-secure page(s).

You could save the regular cookies information in the session that is being passed to the secure page, and then recreate the regular cookie once you get to the secure page.

FYI: The setcookie()'s last argument specifies whether you're only allowed to read the cookie value on a secure page (the default is false/off; you can read a cookie from secure and non-secure pages).

If you have the same main domain and sub-domain scenario as above, You should be able to access cookie values from the secure page too. One would specify the fifth argument in setcookie(), which is the domain part. When creating the regular cookie specify it something like this:

setcookie('cart_id', $cart_id, time() + 14400, '/', '.example.com');

Notice that there's a dot before the domain name. This will allow the cookie to be retrieved from both the www.example.com and from secure.example.com where one would have the secure page.

Without specifying the domain argument, the default domain is used and a cookie with domain "www.example.com/" is created. On the secure page, the browser doesn't send the cookie values to the server because "secure.example.com/" doesn't match "www.example.com/". As far as the browser is concerned, it thinks it's a completely different domain/site.

hth.