suhosin forum is currently down so I can't ask there.

I'm using https for login but the rest of the site is not https is regular is https

I set the session cookie this way:


Works beautifully w/o suhosin - the login can happen on secure server and then set the necessary session bits for the insecure server to know user is authenticated.

First issue was session data encryption, which is suppose to be transparent but doesn't appear to be if set in one domain and read in other. It looks configurable but since it is my server w/o no other users and I'm using database for sessions, I tries just turning it off via


in my include that starts the session.

However, that didn't solve the problem. So I also added


but still no joy - session data set in one domain is wiped as soon as the cookie is sent to another domain.

I'd really rather not remove the suhosin module, how can tell suhosin to just leave my sessions the smurf alone?

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to