tags:

views:

101

answers:

2
+2  Q: 

Manually start session with specific id / transitioning session cookie between domains

My host requires me to use a different domain for SSL secured access (shared SSL), so I need to transition the user session between two domains. One part of the page lives at http://example.com, while the SSL'd part is at https://example.hosting.com. As such I can't set a domain-spanning cookie.

What I'm trying to do is to transition the session id over and re-set the cookie like this:

  • http://example.com/normal/page, user clicks link to secure area and goes to:
  • http://example.com/secure/page, which causes a redirect to:
  • https://example.hosting.com/secure/page?sess=ikub..., which resurrects the session and sets a new cookie valid for the domain, then redirects to:
  • https://example.hosting.com/secure/page

This works up to the point where the session should be resurrected. I'm doing:

function beforeFilter() {
    ...
    $this->Session->id($_GET['sess']);
    $this->Session->activate();
    ...
}

As far as I can tell this should start the session with the given ID. It actually generates a new session ID though and this session is empty, the data is not restored.

This is on CakePHP 1.2.4. Do I need to do something else, or is there a better way to do what I'm trying to do?

+1  A: 

When Configure::write('Security.level') is set to medium or higher, session.referer_check is implicitly activated, which makes the whole thing fail. Setting the security level to low (or using a custom session configuration) makes everything work as it should.

There went about 5 hours of debugging... ( -_-;;)

deceze  2010-05-25 03:36:26
A: 

My first thought is to use the Cake file sessions and copy the file over, and then perhaps try and start a new session with that phpsessid, although I'm not even sure if that would actually work or not :)

DavidYell  2010-05-25 07:16:31
Sounds like too much of a hassle and possibly more error prone than the current system. Thanks for the input though. :)
deceze  2010-05-25 07:21:37

related questions

What is typically the length of your optimal coding session?
What's the most current, good practice, and easiest way to use sessions in PHP?
What can cause an ASP.NET worker process to be recycled?
How do I explicitly set asp.net sessions to ONLY expire on closing the browser or explicit logou?
session variable mixup in ASP.NET?
In Classic asp, can I store a database connection in the Session object?
What are the advantages and disadvantages of the Session Façade Core J2EE Pattern?
Different values of GetHashCode for inproc and stateserver session variables
Best way for allowing subdomain session cookies using Tomcat
Is there a way to specify a different session store with Tomcat?
PHP: $_SESSION - What are the pros and cons of storing temporarily used data in the $_SESSION variable
What is the best way to handle sessions for a PHP site on multiple hosts?
How much data can/should you store in a users session object?
ASP.Net Session_Start event not firing
Logging image downloads
ASP.Net: If I have the Session ID, Can I get the Session object?
Secure session cookies in ASP.NET over HTTPS
Django Sessions
Can I put an ASP.Net session ID in a hidden form field?
Always including the user in the django template context
Rails - recovering database from Production.log
Most efficient way to get data from the database to session
What is the best way to prevent session hijacking?
FOSS ASP.Net Session Replication Solution?
How do I best detect an ASP.NET expired session?