Posted by Ben Ramsey on 10/21/23 11:31
On 11/8/05 7:50 PM, Tony Di Croce wrote:
> I have a server with a few virtual hosts. All of my scripts use
> "session_start()", and $_SESSION[] to share data between invocations of
> different scripts.
>
> The problem I'm having is that if a form on site A submits to a script on
> site B the values stashed in $_SESSION[] appear to be lost...
>
> Should this work? If not, then what alternatives exist? I suppose I could
> pass the session id as a POST argument to the site B script (and there's
> probably a method in PHP that given a session_id() makes available all of
> that session's $_SESSION[] variables) but is that the best way?

This won't work due to obvious security reasons. A session cannot be
shared across two domains, nor can cookies (though cookies can be shared
across subdomains of the same domain).

I think the approach here will need to err on the side of caution. You
don't want to pass the session identifier through the URL (or POST) too
much because it risks exposure and the possibility for session
hijacking, though it should be possible to do this and grab the session
information for the session id from the directory where sessions are
stored (oftentimes this is in /tmp). I would advise against this for
reasons I've already mentioned.

Instead, as I said, err on the side of caution here by annoying your
users just a little bit. Here's what I mean: the multiple virtual hosts
can share the same authentication/user profile database. Thus, users can
log into each individual host and access the same profile. So, you'll
need to authenticate the user when they visit a new host. This may be a
decrease in usability, but it's an increase in security.

For more information about sessions, read the manual:
http://www.php.net/session
--
Ben Ramsey
http://benramsey.com/
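
Added example, not part of Ben Ramsey's post: one way each virtual host could authenticate against the shared user database and start its own cookie-only session, so the session id never travels in a URL or POST field. The `users` table, the `host_login()` helper and the sample account are hypothetical, and an in-memory SQLite database stands in for the shared database.

```php
<?php
// Added example: per-host login against a shared user store.
// The users table, host_login() and the sample account are hypothetical.
declare(strict_types=1);

// Accept the session id from the cookie only; never read or emit it in URLs.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Reject session ids that this host did not issue itself.
ini_set('session.use_strict_mode', '1');

function host_login(PDO $db, string $user, string $pass): bool
{
    // Look the account up in the database that every virtual host shares.
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE name = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pw_hash'])) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // No 'domain' key: with the default empty session.cookie_domain the
        // cookie is host-only, so site A's session id is never sent to site B.
        session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
        session_start();
    }
    // Issue a fresh id at login so a pre-login id cannot be reused afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Constructed sample data: in-memory SQLite in place of the shared database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pw_hash TEXT)');
$db->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Run both attempts before printing so no output precedes session_start().
$rejected = host_login($db, 'alice', 'wrong password');
$accepted = host_login($db, 'alice', 'correct horse');
var_dump($rejected, $accepted, $_SESSION['user_id'] ?? null);
```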