Michael A. Peters wrote:
suhosin forum is currently down so I can't ask there.
I'm using https for login but the rest of the site is not https
www.domain.com is regular
secure.domain.com is https
I set the session cookie this way:
ini_set("session.cookie_domain",".domain.com");
Works beautifully w/o suhosin - the login can happen on secure server
and then set the necessary session bits for the insecure server to know
user is authenticated.
First issue was session data encryption, which is suppose to be
transparent but doesn't appear to be if set in one domain and read in
other. It looks configurable but since it is my server w/o no other
users and I'm using database for sessions, I tries just turning it off via
ini_set('suhosin.session.encrypt','0');
in my include that starts the session.
However, that didn't solve the problem. So I also added
ini_set('suhosin.cookie.encrypt','0');
but still no joy - session data set in one domain is wiped as soon as
the cookie is sent to another domain.
I'd really rather not remove the suhosin module, how can tell suhosin to
just leave my sessions the smurf alone?
OK - I seemed to have solved it.
The first issue - suhosin doesn't allow you to ini_set in a script -
that actually makes sense.
The real issue in my case was not different domains but different
document roots. Probably for shared server reasons, by default suhosin
uses the document root as part of its session encryption.
suhosin.session.cryptdocroot = Off
in the php.ini fixed the issue - and lets me keep the suhosin
transparent encryption (which has some session hijacking protection, so
is a good thing to have).
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
