I have 2 servers running, one for the dynamic content (nginx, php) and another for login (apache2, php).

I use memcache to share the session information.

I upgraded the server software and since then the session data in apache is encrypted.

apache:
session::write("sessions/s53mqdhghmlrvnvjt05novt4m2","encrypted-data",0,1440)

nginx:
session::write("sessions/s53mqdhghmlrvnvjt05novt4m2","test|i:1;",0,1440)

On both servers the session IDs are the same, and the session cookie still passes the sessionId, so that all still works like it should.

Both servers use the exact same php.ini.

I looked in the ssl conf but I couldn't find anything that would set the session data to be encrypted.

Does anyone know where I can stop the session data from being encrypted on apache/mod_ssl?

Edit:
Well, I've found a working solution but I still haven't found the origin of the problem. I do know that the session data has to leave the php process to be encrypted by mod_ssl, and the session save handler is called at the cleanup operations by php after the script ends.
But there is nothing of this behaviour documented in the docs.

The solution is, for now, to not save the data provided by php at session::write, but rather to use session_encode() to generate the session hash again and save that.

For those of you reading this that do know how and why: I would really like to know how to turn off the directive that encrypts the data.

A: 

Session data is stored on the server and not inside the session cookie. If you read the cookie you will see that it's just a string of characters that holds an ID. By default (and simply put), PHP stores the session data by serializing the $_SESSION array and writing it to a file. I am not really sure what you are trying to do is share session information across different environments. Since you mentioned memcached, just re-write the session handling functions to read and write to/from memcached. Since you will control how the data is stored, you can store the data encrypted or not. Here is a reference about the session handling functions:

http://us3.php.net/manual/en/book.session.php

MANCHUCK
I have overridden the session handling in php and registered a session class for that. That class writes and reads the data to/from a memcache cluster. The problem is that the session data on write (so that is after the process ended or after session_write_close is called) that is coming from php is _already_ encrypted.
Paul Scheltema
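
The approach discussed in this thread, as an added example that is not code from the asker or the answerer: a save handler that stores sessions in memcache under the `sessions/<id>` key with the 1440-second lifetime shown in the question, and that applies the asker's workaround of re-serializing with session_encode() instead of storing the data passed to the write callback. It assumes PHP 8 with the pecl memcache extension; the class name and the server address are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumes PHP 8 and the pecl
// "memcache" extension; class name and server address are hypothetical.
final class MemcacheSessionHandler implements SessionHandlerInterface
{
    private const PREFIX = 'sessions/';   // key prefix as shown in the question

    public function __construct(private Memcache $mc, private int $ttl = 1440) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $data = $this->mc->get(self::PREFIX . $id);
        // A missing key must read as an empty string so a new session can start.
        return is_string($data) ? $data : '';
    }

    public function write(string $id, string $data): bool
    {
        // Workaround described in the question: ignore the $data handed to
        // the callback and re-serialize $_SESSION, so both servers store the
        // same "name|serialized-value" string (e.g. test|i:1;).
        $plain = session_encode();
        if ($plain === false) {
            $plain = '';   // nothing to encode: store an empty session
        }
        return $this->mc->set(self::PREFIX . $id, $plain, 0, $this->ttl);
    }

    public function destroy(string $id): bool
    {
        $this->mc->delete(self::PREFIX . $id);
        return true;       // a key that is already gone is not an error
    }

    public function gc(int $max_lifetime): int|false
    {
        return 0;          // memcache expires keys itself through the TTL
    }
}

$mc = new Memcache();
$mc->addServer('127.0.0.1', 11211);   // hypothetical memcache node
session_set_save_handler(new MemcacheSessionHandler($mc), true);
session_start();
```

Both servers need the same session.serialize_handler setting for the stored string to be readable on either side.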