* Thus wrote [-^-!-%- ([EMAIL PROTECTED]): > > Hello everyone! > > What would cause a session value to be lost, under HTTPS?
what is the output of session_get_cookie_params() on the unsecure site vs. the secure site. > > NOTE: The regular server name is 'mydomain.net', but the secure server > name is 'secure-servename.net'. Would this affect the session function, > even though it's the same machine? Yes, this is what is causing the problem. The secure-servername doesn't have acces to the cookies (as you'll see from the above results). You'll have to pass the SESSIONID and ensure that the SESSIONID is valid on the secure server side assuming the domain resides on the same server: unsecure.php: $sharedkey = uniqid(mt_rand()); $_SESSION['goodsession'] = md5(SID . 'secretkey' . $sharedkey); $_SESSION['sharedkey'] = $sharedkey; ?> <a href="https://secureserver/<?php echo SID?>">secure server</a> secure.php: $sharedkey = $_SESSION['sharedkey']; $goodsession = md5(SID . 'secretkey' . $sharedkey); if ($goodsession != $_SESSION['goodsession']) { // bad session data. } Although not fool proof and certain conditions need to be met in order for this to work properly, but its just an example to ensure that the SESSION is the right one. Curt -- "My PHP key is worn out" PHP List stats since 1997: http://zirzow.dyndns.org/html/mlists/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
