Most users will block cookies if they don't provide them with any
functionality but login cookies and session cookies usually are
related to certain functionality. I would advice not passing the
session id through the url because it could easily be hijacked. AS
easy as your users hitting your site and then going to another site
the new site would get the referal url with the session id. Unless you
bind the session to an ip to add a bit more protection I would advise
against it. No back into your issue. It think the memcache extension
uses a namespace together with the sessio management so even though
you are passing the same session id its on a different namespace based
on the host. I cannot prove this for i have not seen the code but this
used to be an issue i found back in the days using eaccelerator to
share values among several domains in the same host. What i currently
do to share sessions in several domain is i Use my own session handler
that uses memcache and mysql. and to pass my session to another domain
i create a temporary token that i bind to the information on the
current session not the session itself i redirect to the new domain
using that token when hitting new domain with token i fetch
information from db and recreate the session in the new domain with a
different session id. you can go either way same session id or
different session id. but dont pass it through the url pass a unique
token that once the session has been established in the new domain
invalidates the token so i cant be stolen through xss
T
On Jun 6, 2008, at 8:18 AM, Benjamin Fonze wrote:
Yep, I know how to do it with cookies, works pretty good, but I
realized a big percentage of users block cookies, so I prefer not to
use them.
I do pass the session ID through the URL, but somehow, it still
consider it as a new session when jumping from one domain to the
other.
Benja.
On Fri, Jun 6, 2008 at 4:50 PM, Robert Swarthout <[EMAIL PROTECTED]
> wrote:
The only other reliable way that I have seen used is to pass the
session id through the URL which search engines frown against.
On 6/6/08 10:47 AM, "Benjamin Fonze" <[EMAIL PROTECTED]> wrote:
Correct. Since so many users block cookies nowadays...
On Fri, Jun 6, 2008 at 4:41 PM, Robert Swarthout <[EMAIL PROTECTED]
> wrote:
When you say, "without using cookies" are you also implying that you
do not want to use session cookies?
On 6/6/08 10:03 AM, "Benjamin Fonze" <[EMAIL PROTECTED] <http://[EMAIL PROTECTED]
> > wrote:
Hi all,
I'm using memcached to manage the PHP sessions (among other things)
and it works great.
Now, I'm trying to share a session from my main domain, to a sub-
domain. (without using cookies)
I'm passing the session ID from one domain to the other, and set it
using session_id() however, the session is still another one, a new
one. (With the same session ID)
Is it because of sessions security? Is there a way to share a
session between different subdomains without using cookies?
Thanks for your help!
Cheers,
Benja.
