On Tue, November 8, 2005 6:50 pm, Tony Di Croce wrote:
> I have a server with a few virtual hosts. All of my scripts use
> "session_start()", and $_SESSION[] to share data between invocations of
> different scripts.
>
> The problem I'm having is that if a form on site A submits to a script on
> site B the values stashed in $_SESSION[] appear to be lost...
>
> Should this work? If not, then what alternatives exist? I suppose I could
> pass the session id as a POST argument to the site B script (and there's
> probably a method in PHP that given a session_id() makes available all of
> that session's $_SESSION[] variables) but is that the best way?

Yeah, that's kinda by design, as I really don't think you should be
reading *MY* $_SESSION data from my site, eh?

Here are some things:

1. If it's a.example.com and b.example.com, I *think* you can set the
server in the Cookie to be just ".example.com" (keep the leading dot) and
both a and b get the cookie. (Or if a is www., and b. is nothing, then
.example.com covers both)

2. If it's NOT a.example.com and b.example.com, you can rest easy in the
safe and secure knowledge that the ONLY way to get this to work is for you
to pass the http://php.net/session_id through A to B and vice versa.

You use that function to get the ID on A, and embed it in the URL or send
it as POST data.

Then on B, you can use
session_id($_POST['session_id_you_passed_from_A']) before you do
session_start() so that the session "knows" to use the session ID you want
it to use, instead of making up a new one.

A and B also need to share their $_SESSION storage space and
save/retrieval methods, obviously...

If they are not on the same computer (I.E. a server pool or just plain
different computers) you can store session data in MySQL using the example
code on http://php.net/sessions (or somewhere in there).

Be sure to read the User Contributed notes...
There's some long-winded explanation of a race condition in the MySQL
example code that you need to consider in some situations. I hope that
survived the purge.

You may also want to consider passing not the actual session_id() but some
other one-use token to save/receive the actual session_id(), just to
decrease the number of places that the ID itself can get intercepted.

If A and B are not completely trusting each other, then you probably
shouldn't, in general, pass session data back-and-forth. You may want to
consider passing JUST the ID of the user or whatever really really needs
to go back and forth, even if it means you end up both hitting the same
data-set (or copies thereof) to look up the same info you'd already have in
the "other" $_SESSION.

If A and B trust each other, or can already read each other's session data
anyway, there's not much point to this bit.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
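
The one-use token idea from the message above, sketched as an added example (not code from the original thread or from php.net). It assumes PHP 7 or later, that A and B run on the same host, and that both can write to a shared directory; HANDOFF_DIR, HANDOFF_TTL and the function names are hypothetical.

```php
<?php
// Added example. Site A swaps its session ID for a short-lived random token;
// site B redeems the token exactly once to learn which session to resume.
const HANDOFF_DIR = '/tmp/handoff_tokens';  // assumption: shared by A and B, not web-readable
const HANDOFF_TTL = 30;                     // seconds a token stays valid

function handoff_path(string $token): string {
    // File is named after a hash of the token, so a directory listing leaks no usable token
    return HANDOFF_DIR . '/' . hash('sha256', $token);
}

// Site A: call after session_start(); put the returned token in the form or URL.
function issue_handoff_token(string $sessionId): string {
    if (!is_dir(HANDOFF_DIR)) {
        mkdir(HANDOFF_DIR, 0700, true);
    }
    $token  = bin2hex(random_bytes(32));
    $record = json_encode(['sid' => $sessionId, 'exp' => time() + HANDOFF_TTL]);
    file_put_contents(handoff_path($token), $record, LOCK_EX);
    return $token;
}

// Site B: returns the session ID, or null if the token is unknown, expired or already used.
function redeem_handoff_token(string $token): ?string {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                        // reject anything that is not our token format
    }
    $path    = handoff_path($token);
    $claimed = $path . '.' . bin2hex(random_bytes(8));
    // rename() is atomic within one filesystem, so only one request can claim a token
    if (!@rename($path, $claimed)) {
        return null;
    }
    $record = json_decode(file_get_contents($claimed), true);
    unlink($claimed);
    if (!is_array($record) || $record['exp'] < time()) {
        return null;
    }
    return $record['sid'];
}

// Constructed CLI demo; on real sites the first call lives on A and the rest on B.
$token = issue_handoff_token('constructed0session0id');  // A would pass session_id()
$sid   = redeem_handoff_token($token);                   // B would pass $_POST['token']
var_dump($sid);                                          // first redemption
var_dump(redeem_handoff_token($token));                  // replay of the same token
// On B, before any output: session_id($sid); session_start();
```

The session ID itself never appears in the form, URL, browser history or referrer; an intercepted token is only useful within the TTL and only if it is redeemed before the legitimate request.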