Michael A. Peters wrote:
suhosin forum is currently down so I can't ask there.

I'm using https for login but the rest of the site is not https

www.domain.com is regular
secure.domain.com is https

I set the session cookie this way:


Works beautifully w/o suhosin - the login can happen on secure server and then set the necessary session bits for the insecure server to know user is authenticated.

First issue was session data encryption, which is suppose to be transparent but doesn't appear to be if set in one domain and read in other. It looks configurable but since it is my server w/o no other users and I'm using database for sessions, I tries just turning it off via


in my include that starts the session.

However, that didn't solve the problem. So I also added


but still no joy - session data set in one domain is wiped as soon as the cookie is sent to another domain.

I'd really rather not remove the suhosin module, how can tell suhosin to just leave my sessions the smurf alone?

OK - I seemed to have solved it.
The first issue - suhosin doesn't allow you to ini_set in a script - that actually makes sense.

The real issue in my case was not different domains but different document roots. Probably for shared server reasons, by default suhosin uses the document root as part of its session encryption.

suhosin.session.cryptdocroot = Off

in the php.ini fixed the issue - and lets me keep the suhosin transparent encryption (which has some session hijacking protection, so is a good thing to have).

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to