Reply to Re: Sessions across http/https

Your name:

Reply:


Posted by Justin Koivisto on 08/09/05 18:40

Grunff wrote:

> I'm experiencing an interesting problem with carrying a php session over
> from http to https. Much googling later, I'm still stuck.
>
> The application is an online shop, where some user data is stored in the
> session. As the user proceeds to checkout, we switch over to https. This
> is all done on the same physical server, under the same domain (which
> has an SSL cert).
>
> The session ID is carried over fine - I can read the session ID from
> http and https and it is the same. However, when I try to access a
> session variable e.g. $_SESSION['s_userid'], I can only do it using
> whichever protocol was used to write the variable in the first place.
>
> Let me explain more. If I save some user info in session variables from
> pages accessed via http, then I try to read these variables from pages
> accessed via https, they are empty.
>
> I just want to make it clear that the problem is not that the session ID
> is not available to the https pages - it is, and it's the same session id.
>
> So, any idea what's going on here? It seems that there are two sessions
> being created with the same session ID, one for http and one for https.
> Is that what happens? if so, how do I get around it? How do I access the
> session data from my https pages?
>
> Any help much appreciated.

There are 2 different approaches to solve this that I have used before.
The one I like best is using custom session handlers and store all the
session information in a database. By writing them correctly, as long as
you have the same session id, you can retrieve all the information
necessary. The second solution (which may be easier) is to send the data
via POST when you switch protocols:

<input type="hidden" name="session_data" value="<?php echo
base64_encode(serialize($_SESSION)) ?>" />

Then when you receive the POST do something like:
<?php
if(isset($_POST['session_data']))
$_SESSION=unserialize(base64_decode($_POST['session_data']));
?>

Of course, you'd want to validate the data before doing this, but it
should give you an idea of what you may be able to accomplish.

--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com

[Back to original message]
Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация