The suhosin forum is currently down, so I can't ask there.
I'm using https for login but the rest of the site is not https:
www.domain.com is regular
secure.domain.com is https
I set the session cookie this way:
ini_set("session.cookie_domain",".domain.com");
Works beautifully w/o suhosin - the login can happen on secure server
and then set the necessary session bits for the insecure server to know
user is authenticated.
First issue was session data encryption, which is supposed to be
transparent but doesn't appear to be if set in one domain and read in
the other. It looks configurable, but since it is my server w/o any other
users and I'm using database for sessions, I tried just turning it off via
ini_set('suhosin.session.encrypt','0');
in my include that starts the session.
However, that didn't solve the problem. So I also added
ini_set('suhosin.cookie.encrypt','0');
but still no joy - session data set in one domain is wiped as soon as
the cookie is sent to another domain.
I'd really rather not remove the suhosin module; how can I tell suhosin to
just leave my sessions the smurf alone?
--
PHP General Mailing List (http://www.php.net/)