help with keeping session info when going from http to SSL



jm_0812
06-09-2004, 08:36 PM
HELP.....lol.... :confused: :confused:

Ok so I am just learning how to use PHP. I have modified a shopping cart/catalogue system to suit my site's needs. It was going so well, I have it working 100% the way I want it to. Then I got to the page that takes the card info. So I set it up to go to my SSL. But now when the user proceeds to that page, from the checkout page, the $HTTP_SESSION gets lost.

So basically it goes like this,

user hits the purchase button on the checkout.php page

the user gets redirected to the "https" purchase.php page.

when the user gets to that page the cart reads empty.

Now I know that the session is getting lost because of the domain change, or at least I think.

I read in a forum that there is a way of using the session_id() to get this to work. But I don't understand how to get this to work.

Does anybody have any suggestions?


Thank you in advance,
~Jason

cpradio
06-10-2004, 01:23 PM
I have had the same problem and never found a solution. I have tried serializing the session and sending it via GET to the SSL page and trying to pick it up again, but even that failed.

If anyone has figured it out, do tell. As it drove me nuts for 2 months not being able to resolve it.

jm_0812
06-10-2004, 06:20 PM
yeah, I am still stumped by this. I know it's gotta be possible, and probably very simple, but I am stumped nonetheless.

So far I got the session_id to pass over to the SSL side, but it doesn't seem to affect the SSL session....

:confused: :eek: :confused: :eek:

any help....please please please.....

thanks
~Jason

carl_mcdade
06-10-2004, 06:34 PM
The solution is a question of logic. First, the reason a session is lost is because the SSL is a shared one so the domain changes. Session cookies written for the old domain are not available to the new domain.

The point of logic is that this is the final step in the process and so you don't need Session any longer. You can transfer the information to the SSL form or site via POST or GET. Loop through the Session variable and create hiddens then send them.

Hmm,
You could talk to your provider about purchasing your own SSL certificate and setting up your domain with them so that the name does not change.

The last option is one that is in the experimental area. You could try and rewrite the Session cookies to use the new domain name at the point of transfer. I am not sure if you can do this and redirect in a linear manner so that the new server will catch the new cookies.

jm_0812
06-10-2004, 06:42 PM
:) :) :D :) :D
thanks for your reply....but, I just got it to work....using the session_id

so basically, understanding the fact that the session was not deleted but was just lost...I just needed to find a way to refind the lost session.

So what I did was pass the session_id as a post variable,

received the post variable on the next SSL page, then used an if/else statement that looks like this:


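// $_POST replaces $HTTP_POST_VARS, which was removed in PHP 5.4
if (!empty($_POST['sid']))
{
    // Adopt the session id handed over from the non-SSL page
    session_id($_POST['sid']);
    session_start();
}
else
{
    // No id was posted: start (or resume) a session as usual
    session_start();
}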


where 'sid' was the posted variable

hopefully this helps someone out....a noobie hard at work, is a dangerous experiment....lol...

over and out,
~Jason
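
Added example (not part of the original post): the if/else above adopts whatever value arrives in `sid`, so anyone who can get a shopper to submit a chosen id decides which session that shopper ends up in (session fixation). A hardened handoff signs and expires the id on the HTTP side, verifies it on the HTTPS side and regenerates the id after adopting it. `HANDOFF_KEY`, `HANDOFF_TTL` and the function names are assumptions, and both hosts are assumed to share the key and the session store.

```php
<?php
// Added example, not code from the thread. Needs PHP 7.3+ (random_bytes,
// array form of session_set_cookie_params). Names below are hypothetical.
const HANDOFF_KEY = 'replace-with-a-random-secret'; // placeholder value
const HANDOFF_TTL = 60;                             // seconds a token stays valid

// HTTP side (checkout.php): wrap the current session id in a signed,
// expiring token and place it in the hidden 'sid' form field.
function issue_handoff_token(string $sessionId, int $now): string
{
    $payload = $sessionId . '|' . ($now + HANDOFF_TTL) . '|' . bin2hex(random_bytes(8));
    return base64_encode($payload) . '.' . hash_hmac('sha256', $payload, HANDOFF_KEY);
}

// HTTPS side (purchase.php): return the session id only when the token is
// authentic, unexpired and well formed; otherwise null.
function verify_handoff_token(string $token, int $now): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false
        || !hash_equals(hash_hmac('sha256', $payload, HANDOFF_KEY), $parts[1])) {
        return null; // tampered with, or not issued by the HTTP site
    }
    $fields = explode('|', $payload);
    if (count($fields) !== 3 || (int) $fields[1] < $now) {
        return null; // malformed or expired
    }
    // Accept only the characters PHP itself uses in session ids.
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $fields[0]) ? $fields[0] : null;
}

function resume_cart_session(array $post): void
{
    $sid = isset($post['sid']) ? verify_handoff_token((string) $post['sid'], time()) : null;
    if ($sid !== null) {
        session_id($sid); // adopt the cart session created on the HTTP site
    }
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    if ($sid !== null) {
        session_regenerate_id(true); // retire the id that was exposed over HTTP
    }
}
```

After the handoff the HTTP site's cookie points at a retired session id, so the remaining checkout steps have to stay on the HTTPS host.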

cpradio
06-10-2004, 06:43 PM
See I tried sending it by GET after serializing them, when the page first loads it sees the info just fine, hit another link or submit a form and it loses the session data... Weirdest thing I have ever seen, and I have no idea why it happens.

jm_0812
06-10-2004, 06:44 PM
ok, while we are at this topic....and remember, I am brand new to this dynamic server side language stuff, and hell SSL too...

what is involved with getting a certificate, I know that we will need one....but what are the criteria for getting one?


once again thanx in advance,
~Jason

cpradio
06-10-2004, 06:44 PM
I will have to try this on my setup later this week.

jm_0812
06-10-2004, 06:45 PM
cool...seems to work fine for me....now onward I march....

~Jason

carl_mcdade
06-10-2004, 07:17 PM
A SSL certificate can be gotten for about $200 per year.

You could also cheat and build the entire application using the https:// address and have your entire cart behind this address. This way there is no hand off. But I would check with the hosting provider first.

jm_0812
06-10-2004, 07:21 PM
saweet...thanks for the 411 man....I'll check with the host....


~Jason


