I'm not sure if this is even possible.
My company has their main site that accept credit cards and other payment information. They also have other sites that are directly related to events we host. For example our main site is something like:
http://www.etm124biz.com
But have another site specifically for an annual event:
http://www.etm124annualgala.com
My 'event' site is handling registration and saves to our database, but our main site handles the credit card processing. With current purchases handled on the main website, sessions are used to pass data to the payment/cc screens.
Without having to change my payment code (to accept, say, $_GET parameters), shouldn't my $_SESSION
variables be passing over?
Example:
$_SESSION['s_address1'] = $_POST['address1']; $_SESSION['s_address2'] = $_POST['address2']; $_SESSION['s_city'] = $_POST['city']; $_SESSION['s_state'] = $_POST['state']; $_SESSION['s_zip'] = $_POST['zip']; header('Location: https://www.etm124biz.com/payment.php?oid=' . $oid . '&src=conf&id=' . $seq);
My payment.php
page looks for the address session variables above.
Assume you have both domains as virtual servers on one machine and you havent called session_save_path() (or you have called it with the same directory on both servers), you can share sesssion using session_id('..'); For example if you have 2 domains, origin1. localhost and origin2.
Session variables are stored in associative array called $_SESSION[]. These variables can be accessed during lifetime of a session. The following example starts a session then register a variable called counter that is incremented each time the page is visited during the session.
Sessions are significantly safer than, say, cookies. But it is still possible to steal a session and thus the hacker will have total access to whatever is in that session. Some ways to avoid this are IP Checking (which works pretty well, but is very low fi and thus not reliable on its own), and using a nonce.
You can keep changing the value in the session - but it will only be able to be used after the first page - meaning if you set it in page 1, you will not be able to use it until you get to another page or refresh the page.
Session ids are passed around using cookies by default. Since your websites are on different domains the session cookie does not transfer over, so that's one thing that prevents cross-domain sessions from working.
One technique to have the session ids transfer over is to append them to the query string of all your requests (PHP even has some degree of built-in support for this). However, this way of doing things has many drawbacks -- the most important being that people copy/paste URLs all the time, with all that implies about revealing valid and reusing invalid session ids -- and therefore is not recommended.
A much better approach would be to use Javascript to make cross-domain requests across all of the interested domains (which would need to be cooperating in this of course). This way you can seamlessly transfer your session id across as many servers as you need to.
Even if the cookie were not a problem, you would need to have the session data on some storage commonly accessible by all your servers. The default storage is the local filesystem, so again this is something that needs to change if you want cross-domain sessions.
A simple solution to this problem would be to use a custom session handler that stores the data on a database or other globally accessible store.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With