[thelist] 'Hijacking' sessions

Lauri Väin lauri_lists at tharapita.com
Thu May 25 00:26:46 CDT 2006


Hi,

Do I understand you correctly? On server 1 you collect the information into 
session variables and put them in the database. You redirect the user to the 
second server. But that server cannot access the same database where you 
wrote the information to, and you need to display that same information on 
the second server without the benefit of the database or the session 
variables that are stored on the first server?

You really have four (five) major options:
1. Do PKI encryption, pass a signed token to the other server along with the 
GET/POST request and have it verify the session on the other end and 
reestablish it. You could also pass the data along in it. Or if it's a low 
security thing, then just pass the information in plain text.
2. Map the PHP sessions to a database or a memcache server if you have the 
option to. Or write your own custom session server - same thing.
3. On the second server, create a secure tunnel through the first server to 
the database, which would effectively mean you get access to the data in the 
database.
4. Use Zend Platform to take care of your session problems and build a 
session cluster between your two servers. This means that session 
variables on the first server are accessible by the second server, as long 
as the domain of both servers is the same (or you can somehow 
reestablish the same cookie on the second server).
(5. Look into doing some filesystem magic and map your disks of both servers 
where sessions are stored to one server... but you still have to reestablish 
the session on the second server, which could nullify this effort and delete 
the data.)

Cheers,
Lauri

----- Original Message ----- 
From: "Nick Daverin" <ndaverin at marian.org>
To: <thelist at lists.evolt.org>
Sent: Tuesday, May 23, 2006 11:31 PM
Subject: [thelist] 'Hijacking' sessions


I was wondering if there is a way to pass session data between sites...
Sort of 'hijacking' my own session. As an example: On the one site, we
collect donations. All data is stored as session variables until the
purchase is completed. Then the info we save is sent to a completely unrelated
(non-accessible) database. We would also like to give people the option of
visiting our gift shop before they check out. Now this site is on a different
domain, so even if I pass the session id [using session_id($_GET['sid']) for
example] the session variables I've stored while on the first domain are
inaccessible, so a user would have to check out twice. We use PHP on these
pages, though some type of JavaScript solution could be implemented (as long
as I can explain how it works to my boss).

Thanks for any info!
-Nick
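Option 1 from Lauri's reply (a signed token passed along with the redirect and verified on the second server), worked through as an added example; this code is not from the thread or from either poster. It uses an HMAC over the payload with a secret both servers share instead of public-key signatures, which is the simplest form of that suggestion when both servers are yours. The constant names, the `tok` query parameter, the shop hostname and the sample donation data are this example's own assumptions.

```php
<?php
// Added example (not from the thread): option 1 done with an HMAC instead of PKI.
// Both servers hold the same secret; the value below is a constructed placeholder.
// The constant names and the "tok" query parameter are this example's own choices.
const HANDOFF_KEY = 'replace-with-32-random-bytes-shared-by-both-servers';
const HANDOFF_TTL = 300; // seconds a token stays valid; keep it short, it travels in a URL

function b64url_encode(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Returns the decoded bytes, or false if the input is not valid base64url.
function b64url_decode(string $enc)
{
    $rem = strlen($enc) % 4;
    if ($rem) {
        $enc .= str_repeat('=', 4 - $rem);
    }
    return base64_decode(strtr($enc, '-_', '+/'), true);
}

// Server 1 (donation site): wrap the session data the shop needs into "body.mac".
function issue_handoff_token(array $data, string $key, int $now): string
{
    $payload = json_encode([
        'iat'   => $now,
        'exp'   => $now + HANDOFF_TTL,
        'nonce' => bin2hex(random_bytes(8)), // makes every token unique
        'data'  => $data,
    ]);
    $body = b64url_encode($payload);
    $mac  = hash_hmac('sha256', $body, $key, true);
    return $body . '.' . b64url_encode($mac);
}

// Server 2 (gift shop): check the MAC first, then the expiry, before trusting anything.
// Returns the carried data, or null if the token is malformed, forged or stale.
function verify_handoff_token(string $token, string $key, int $now): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $macEnc] = $parts;
    $given    = b64url_decode($macEnc);
    $expected = hash_hmac('sha256', $body, $key, true);
    // hash_equals compares in constant time, so the MAC cannot be guessed byte by byte.
    if ($given === false || !hash_equals($expected, $given)) {
        return null;
    }
    $raw = b64url_decode($body);
    if ($raw === false) {
        return null;
    }
    $payload = json_decode($raw, true);
    if (!is_array($payload) || !isset($payload['exp'], $payload['data']) || !is_array($payload['data'])) {
        return null;
    }
    if ($now > (int) $payload['exp']) {
        return null;
    }
    return $payload['data'];
}

// --- Demo: server 1 builds the redirect, server 2 parses and verifies it ---
$now  = time();
$data = ['donor_ref' => 'D-1042', 'amount' => '25.00', 'currency' => 'USD']; // constructed sample; never card data
$token    = issue_handoff_token($data, HANDOFF_KEY, $now);
$redirect = 'https://shop.example.org/checkout.php?tok=' . rawurlencode($token); // hostname is assumed
echo "Redirect: $redirect\n";

parse_str((string) parse_url($redirect, PHP_URL_QUERY), $qs); // what server 2 sees in $_GET
$ok = verify_handoff_token($qs['tok'], HANDOFF_KEY, HANDOFF_TTL > 0 ? $now : $now);
echo 'Untouched token : ', json_encode($ok), "\n";
// Server 2 would now session_start() on its own domain and copy $ok into $_SESSION.

$flipped  = ($token[0] === 'A' ? 'B' : 'A') . substr($token, 1); // one character of the body changed
$tampered = verify_handoff_token($flipped, HANDOFF_KEY, $now);
echo 'Tampered token  : ', var_export($tampered, true), "\n";

$stale = verify_handoff_token($token, HANDOFF_KEY, $now + HANDOFF_TTL + 1);
echo 'Expired token   : ', var_export($stale, true), "\n";
```

Because the token rides in the URL, it ends up in server logs and Referer headers, so keep the lifetime short, put only what the shop needs in it (a reference and an amount, never card data), and have the second server start a fresh session on its own domain and copy in the verified payload rather than trust anything else in the request.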