Quote:
Good Evening Rich,
First of all, thanks for your thoughtful - and speedy! - responses to my
question in the Wrox forum.
The Wrox forum appears to be down tonight, so I took the liberty of checking
out your URL from your sigfile and am sending this email to you directly.
Please let me know if you would rather I had not.
I am still struggling with this cart design. To address your suggestions
quoted below:
1) I don't want to do SSL throughout the site;
2) I tried the hidden field approach to pass the session ID value, and it
did not work; a new session was created anyway, believe it or not;
3) after the nightmares I've had just trying to preserve this single
session, the thought of authoring a custom session handler sounds too
daunting.
I am beginning to believe that I need to rethink my entire design. Is there
a better way? I am completely open to suggestions.
Thanks again,
Royce Hart
Hi Royce,
No problem at all, my door is always open. Did you have any luck experimenting with the .ini directive, session.referer_check?
When you experimented with hidden fields how did you go about it? Post data should show up regardless of the site, at least one would think.
#test.php
<html>
<head>
<title>Test post data</title>
</head>
<body>
<?php
# Echo the posted value back; escaped so a posted value cannot inject HTML into the page
if (isset($_POST["test1"])) echo htmlspecialchars($_POST["test1"])."<br /><br />";
?>
<form method="post" action="http://www.smilingsouls.net/test.php">
<input type="text" name="test1" value="" />
<input type="submit" name="do_action" value="Post" />
</form>
</body>
</html>
I just did this little test here to prove my theory about the post method. Granted, different ISPs may or may not work identically -- yours may have stricter security settings in place.
I created the script above and saved one copy to my local server and uploaded another to my remote ISP. The test script was executed on my local development machine, and its contents echoed at the remote host. It worked. I also changed the action to my secure server, https://www.smilingsouls.net, and it also worked.
Try this test out on your machine and see if this works, changing the action to your SSL URL. If it does then you can design a solution to dump your session data into hidden fields and then redirect to the secure server via the post method, where you would be able to reinitiate your session. The session ID is going to be changed no matter what with this approach, the reason being that PHP sees this as two different sites requesting session initiation and thus handles them separately.
According to the PHP manual, the directive session.referer_check may be set at run time with ini_set(). It would probably need to be set before calling session_start(). This directive is going to check the $_SERVER["HTTP_REFERER"] variable; if it finds the specified substring in that referring site's URL, then it will allow the session to persist between different sites hosted on the same server.
Here is a bit of code to test the theory...
<?php
# See if this is a secure request: PHP sets $_SERVER["HTTPS"] to a non-empty
# value (other than "off" on some servers) when the request came in over SSL
if (!empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off")
{
    # $non_secure will be the referring substring to check for
    # plug in the base url of the non secure site
    # or actually just the domain name and suffix
    $non_secure = "nonsecure.site";
    # ini_set() returns the old value on success, which may be an empty
    # string, so test for false explicitly rather than with !
    if (ini_set("session.referer_check", $non_secure) === false)
    {
        echo "Unable to alter ini value.<br />";
        # If you are unable to alter the ini value, your ISP's security may be
        # set too tight. Check with tech support at this point.
    }
} else {
    # if you want to be able to transfer session back to the original site
    # do so here
}
# Now start the session
session_start();
?>
http://www.php.net/manual/en/ref.session.php
http://www.php.net/ini_set
Let me know how that goes.
: )
Rich
:::::::::::::::::::::::::::::::::
Smiling Souls
http://www.smilingsouls.net
:::::::::::::::::::::::::::::::::
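One way to do the hand-off Rich describes (dump the session data into a hidden field, POST it to the secure server, and reinitiate the session there), written as an added example that is not part of the original thread and not Rich's or Royce's code. The risk with a plain hidden field is that the shopper, or anyone on the unencrypted path, can read and edit the cart before it reaches the secure host, so the payload is signed with an HMAC and stamped with an issue time, and the secure side starts a brand-new session rather than trusting any ID that arrived over HTTP. It assumes PHP 7 or later, that both hosts share the secret in $handoff_key (a value you would keep outside the web root), and that the HTTPS URL is a placeholder; the sample cart is constructed for the demonstration.

```php
<?php
// Added example: signed session hand-off from the HTTP host to the HTTPS host.
// Both hosts run this same script; which branch executes depends on whether a
// hand-off token was POSTed.

$handoff_key = 'REPLACE-WITH-A-LONG-RANDOM-SECRET-SHARED-BY-BOTH-HOSTS'; // assumption
$secure_url  = 'https://secure.example.invalid/resume.php';            // placeholder

// Non-secure host: wrap the session data in a base64 body with an issue time
// and a nonce, then append an HMAC-SHA256 over the body.
function build_handoff(array $session_data, string $key): string
{
    $body = json_encode([
        'data'  => $session_data,
        'iat'   => time(),                    // issued-at, checked by the receiver
        'nonce' => bin2hex(random_bytes(8)),  // makes every token unique
    ]);
    $payload = base64_encode($body);
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

// Secure host: verify the MAC before decoding anything, reject tokens older
// than $max_age seconds, and return the session data (or null on failure).
function verify_handoff(string $token, string $key, int $max_age = 120): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = hash_hmac('sha256', $payload, $key);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    $body = json_decode(base64_decode($payload, true), true);
    if (!is_array($body) || !isset($body['iat'], $body['data'])) {
        return null;
    }
    if (time() - (int) $body['iat'] > $max_age) {
        return null;                       // stale token, possible replay
    }
    return $body['data'];
}

if (!empty($_POST['handoff'])) {
    // Secure-host side: accept the token, then start a fresh session.
    $data = verify_handoff($_POST['handoff'], $handoff_key);
    if ($data === null) {
        http_response_code(400);
        exit('Invalid or expired hand-off.');
    }
    session_start();
    session_regenerate_id(true);   // never keep an ID that travelled over HTTP
    $_SESSION = $data;             // the cart now lives only server-side
    echo 'Session resumed with ' . count($data['cart'] ?? []) . ' cart item(s).';
} else {
    // Non-secure side: pull the cart out of the current session and emit a
    // form that POSTs the signed token to the secure host.
    session_start();
    $cart  = $_SESSION['cart'] ?? ['sku-123' => 1];   // constructed sample cart
    $token = build_handoff(['cart' => $cart], $handoff_key);
    ?>
    <form method="post" action="<?= htmlspecialchars($secure_url, ENT_QUOTES) ?>">
      <input type="hidden" name="handoff" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>" />
      <input type="submit" value="Checkout securely" />
    </form>
    <?php
}
```

The base64 body is still readable by whoever submits the form, so this is suitable for cart contents but not for anything secret; the MAC only guarantees that the secure host sees exactly what the non-secure host emitted, and the short expiry limits how long a captured token stays usable.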