Advice on Session var and Shared SSL

Question

Hi,

I got a client which is website is under SSL only on the payment proccess. But he bought shared SSL so the actual domain is different (although I think its the same server).

So when a user is logged in at for example: www.mydomain.com/login.php and tries to buy something he redirected to https://secure20.livessl.com/mydomaincom/payment.php

Now the $_Session vars are not set, so I can't use it for the payment form.

I don't want to send these by GET METHOD or POST METHOD... Any ideas? Do I have to tell the client to buy private SSL ?

Thanks !

Answer 1

Preferably, they should get a certificate. They're very affordable nowadays and it makes their business look infinitely more professional.

If they demand this 3rd party way, why don't you want to send the data via POST method? It will be encrypted.

An alternative idea that comes to mind is to send a get with a long identifier appended to the query string (don't use the session id) which the PHP script on the SSL server can then use to send a secure request (CURL) back to the originating server asking for the session vars. But this seems like overkill when a POST will do.

Answer 2

You can't pass posts in a redirect - only GET vars. Also cookies do not work across domains - however there is nothing to stop you from passing the session id as a get var then creating a new cookie on the second vhost which references the same session:

if ($_GET['sessid_from_remote']) {
   session_id($_GET['sessid_from_remote']);
}
session_start();

But this is only going to work if both vhosts share a session storage substrate.

Personally I wouldn't type my credit card details into any site other than one which I know well and trust (amazon, paypal, worldpay...) and these guys don't use shared hosting accounts. So I'd recommend using paypal or worldpay to do the secure part and not bother with a dedicated SSL cert.

C.