suhosin and sessions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



suhosin forum is currently down so I can't ask there.

I'm using https for login but the rest of the site is not https

www.domain.com is regular
secure.domain.com is https

I set the session cookie this way:

ini_set("session.cookie_domain",".domain.com");

Works beautifully w/o suhosin - the login can happen on secure server and then set the necessary session bits for the insecure server to know user is authenticated.

First issue was session data encryption, which is suppose to be transparent but doesn't appear to be if set in one domain and read in other. It looks configurable but since it is my server w/o no other users and I'm using database for sessions, I tries just turning it off via

ini_set('suhosin.session.encrypt','0');

in my include that starts the session.

However, that didn't solve the problem. So I also added

ini_set('suhosin.cookie.encrypt','0');

but still no joy - session data set in one domain is wiped as soon as the cookie is sent to another domain.

I'd really rather not remove the suhosin module, how can tell suhosin to just leave my sessions the smurf alone?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux