My host requires me to use a different domain for SSL secured access (shared SSL), so I need to transition the user session between two domains. One part of the page lives at http://example.com, while the SSL'd part is at https://example.hosting.com. As such I can't set a domain-spanning cookie.

What I'm trying to do is to transition the session id over and re-set the cookie like this:

  • http://example.com/normal/page, user clicks link to secure area and goes to:
  • http://example.com/secure/page, which causes a redirect to:
  • https://example.hosting.com/secure/page?sess=ikub..., which resurrects the session and sets a new cookie valid for the domain, then redirects to:
  • https://example.hosting.com/secure/page

This works up to the point where the session should be resurrected. I'm doing:

function beforeFilter() {
    ...
    $this->Session->id($_GET['sess']);
    $this->Session->activate();
    ...
}

As far as I can tell this should start the session with the given ID. It actually generates a new session ID though, and this session is empty; the data is not restored.

This is on CakePHP 1.2.4. Do I need to do something else, or is there a better way to do what I'm trying to do?

+1  A: 

When Configure::write('Security.level') is set to medium or higher, session.referer_check is implicitly activated, which makes the whole thing fail. Setting the security level to low (or using a custom session configuration) makes everything work as it should.

There went about 5 hours of debugging... ( -_-;;)

deceze
A: 

My first thought is to use the Cake file sessions and copy the file over, and then perhaps try and start a new session with that phpsessid, although I'm not even sure if that would actually work or not :)

DavidYell
Sounds like too much of a hassle and possibly more error-prone than the current system. Thanks for the input though. :)
deceze
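
The redirect in the question carries the session ID itself in the query string, where it is recorded in access logs, browser history and Referer headers. As an added example (not code from the question, the answers or CakePHP), the helpers below hand over a single-use, short-lived random token instead and keep the session ID server-side; the function names, the 30-second lifetime and a directory that both sites can read are assumptions.

```php
<?php
// Added example: hypothetical helpers, not part of CakePHP or the original post.
// Assumes PHP 7.1+ and a directory shared by both sites (not stated on the page).

const HANDOFF_TTL = 30; // seconds a token stays redeemable (constructed value)

// Called on http://example.com just before redirecting to the SSL host.
function issueHandoff(string $sessionId, string $dir): string
{
    $token = bin2hex(random_bytes(32)); // 256-bit random value, safe in a URL
    $record = json_encode(['sid' => $sessionId, 'exp' => time() + HANDOFF_TTL]);
    // File name is the token's hash, so a directory listing reveals no usable token.
    $path = $dir . '/' . hash('sha256', $token);
    if (file_put_contents($path, $record, LOCK_EX) === false) {
        throw new RuntimeException('cannot store handoff record');
    }
    return $token;
}

// Called on https://example.hosting.com with the token from the query string.
function redeemHandoff($token, string $dir): ?string
{
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // anything that is not 64 hex characters is rejected
    }
    $path = $dir . '/' . hash('sha256', $token);
    $raw = @file_get_contents($path);
    // unlink() succeeds for only one request, so a replayed token fails here.
    if ($raw === false || !@unlink($path)) {
        return null;
    }
    $record = json_decode($raw, true);
    if (!is_array($record) || !isset($record['sid'], $record['exp']) || $record['exp'] < time()) {
        return null; // corrupt or expired record
    }
    return $record['sid'];
}

// Constructed demo: a temporary directory stands in for the shared store.
$dir = sys_get_temp_dir() . '/handoff_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$token = issueHandoff('constructed-session-id', $dir);
var_dump(redeemHandoff($token, $dir));            // first use of the token
var_dump(redeemHandoff($token, $dir));            // same token presented again
var_dump(redeemHandoff('../not-a-token', $dir));  // malformed input
rmdir($dir);
```

The ID returned by `redeemHandoff()` would then be given to the session layer as in the question's `beforeFilter()`, so the `session.referer_check` behaviour described in the first answer still applies to that step.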
