Question

I have to admin a small website for my alumni group, which is hosted by my ISV. The URL is something like www.myIsv.com/myWebSite/, which is quite ugly and very forgettable. The main admin of the webserver has registered a domain name, www.mysmallwebsite.com, and put an index.html there with this content:

<html>
<head>
<title>www.mysmallwebsite.com</title>
</head>

<frameset>
   <frame src="http://www.myIsv.com/myWebSite/" name="redir">
      <noframes>
        <p>Original location:
          <a href="http://www.myIsv.com/myWebSite/">http://www.myIsv.com/myWebSite/</a>
        </p>
      </noframes>
 </frameset>  
</html>

It works fine, but some features like PHP session variables don't work anymore! Does anyone have a suggestion for correcting that?

Edit: This doesn't work both on IE and on Firefox (no plugins)

Thanks


Solution

Sessions are tied to the server AND the domain. Using a frameset across domains will cause all kinds of breakage because that's just not what it was designed to do.

Try using Apache mod_rewrite to create a "passthrough redirection"; the "proxy" flag ([P]) in the rule is the magic flag that you need.

Documentation at http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html
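
One way to write the proxy rule this answer describes, as an added example that is not part of the original answer. It assumes Apache 2.x with mod_rewrite, mod_proxy and mod_proxy_http loaded; the virtual host layout and the cookie-rewriting directives are assumptions, not something the answer specifies.

```apache
# Added example. Assumption: this virtual host serves www.mysmallwebsite.com.
<VirtualHost *:80>
    ServerName www.mysmallwebsite.com

    # Do not act as a general forward proxy; only the fixed rule below proxies.
    ProxyRequests Off

    RewriteEngine On
    # [P] hands the request to mod_proxy instead of answering with a redirect,
    # so the browser only ever talks to www.mysmallwebsite.com. The target
    # host is hard-coded, so clients cannot choose where requests are sent.
    RewriteRule ^/(.*)$ http://www.myIsv.com/myWebSite/$1 [P]

    # Map Location headers in backend redirects back to the friendly host.
    ProxyPassReverse / http://www.myIsv.com/myWebSite/

    # If the backend puts a Domain or Path attribute on Set-Cookie
    # (e.g. on PHPSESSID), re-scope it to the friendly host so the browser
    # stores and returns it as a first-party cookie.
    ProxyPassReverseCookieDomain www.myIsv.com www.mysmallwebsite.com
    ProxyPassReverseCookiePath /myWebSite/ /
</VirtualHost>
```

Because every response then comes from www.mysmallwebsite.com, the session cookie is no longer set by a different site inside a frame.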

OTHER TIPS

What do you mean? Are you saying that when you go from www.mysmallwebsite.com to www.myIsv.com/myWebSite/ then the PHP session is lost?

PHP recognizes the session with an ID (alpha-numeric hash generated on the server). The ID is passed from request to request using a cookie called PHPSESSID or something like that (you can view the cookies a website sets with the help of your browser ... on Firefox you have Firebug + FireCookie and the wonderful Web Developer Toolbar ... with which you can view the list of cookies without a sweat).

So ... PHP is passing the session ID through the PHPSESSID cookie. But you can pass the session ID as a plain GET request parameter.

So when you place the html link to the ugly domain name, assuming that it is the same PHP server (with the same sessions initialized), you can put it like this ...

www.myIsv.com/myWebSite/?PHPSESSID=<?=session_id()?>

I haven't worked with PHP for a while, but I think this will work.

Do session variables work if you hit http://www.myIsv.com/myWebSite/ directly? It would seem to me that the server config would dictate whether or not sessions will work. However, if you're starting a session on www.mysmallwebsite.com somehow (doesn't look like you're using PHP, but maybe you are), you're not going to be able to transfer session data without writing some backend logic that moves the session from server to server.

Stick a session_start() at the beginning of your script and see if you can access the variables again.

It's not working because on the client sessions are per-domain. All the cookies are being saved for mysmallwebsite.com, so myIsv.com cannot access them.

@pix0r www.myIsv.com/myWebSite/ -> session variables work; www.mysmallwebsite.com -> session variables don't work

@Alexandru Unfortunately, this is not on the same webserver.

What browser/add-on do you have? It may be that your browser or some other software (maybe even the web server) is blocking the sessions from http://www.myIsv.com/myWebSite/ from working within the frame, as it's located on a different site, thinking it's an XSS attack.

If the session works at http://www.myIsv.com/myWebSite/ without the frame, you could always use a redirect from http://www.mysmallwebsite.com to the ugly URL, instead of using the frame.

EDIT: I have just tried your frame code on a site of mine that uses sessions. Firefox worked fine, with me logging in and staying logged in, but IE7 logged me straight out again.

So when you place the html link to the ugly domain name, assuming that it is the same PHP server (with the same sessions initialized), you can put it like this ...

www.myIsv.com/myWebSite/?PHPSESSID=<?=session_id()?>

From a security point of view, I really really really hope that doesn't work

You could also set a cookie on the user-side and then check for the presence of that cookie directly after redirecting, which if you're bothered about friendly URLs would mean that you don't have to pass around a PHPSESSID in the query string.

When people arrive @ www.mysmallwebsite.com I would just redirect to http://www.myIsv.com/myWebSite/

<?php header('Location: http://www.myIsv.com/myWebSite/'); ?>

This is all I would have in www.mysmallwebsite.com/index.php.
This way you don't have to worry about browser compatibility, or whether the sessions work; just do the redirect, and you'll be good.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow