
This is a discussion on Sessions and shared SSL in the Shared & Semi-Dedicated forum

  1. #1
    Loyal Client
    Join Date
    Aug 2002
    Posts
    269

    Sessions and shared SSL

    I've run into a problem that I'm not sure how to fix. I'm creating a shopping cart in PHP from scratch and using Jag's shared SSL. We'll eventually get our own SSL, but for now we're stuck with this.

    I've got no problems using sessions, but when I pass from our domain to the shared SSL, the session is lost, so I have to pass the session ID in the URL. This works ok. The big problem is that the merchant we're using needs to know the EXACT URL that is sending it the data. With the session ID added to the URL, we're in a sense passing a different URL every time and the merchant rejects the transaction.

    Any ideas on how to deal with this aside from getting our own SSL?

    Thanks,
    Sam

  2. #2
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by salewit
    Any ideas...
    Look, I'm way out of my league here, and I'll probably get cut to ribbons for saying this, but I'll tell you what I think of the situation. Play along with me, or ignore me, your choice...

    I'm a HAM operator, since the last century. These HAM jackballs make you be proficient in Morse Code, to be in the upper HAM classes, even though it hasn't been used in like 50 years. It's what they call "rite-of-passage", with all the implications...

    CERTS are a "rite-of-passage" too, from what I've witnessed! You know it, and so do I, and so do 'they'...

    The fact of the matter is, you're probably gonna have to sh!t or get off the pot immediately. I think the days of standing with one foot in a pot of boiling water, and the other in a bucket of ice are over, due to all the abuses of the past. Shared CERTS don't count for jack unless you are using them for your own purposes, like hiding your username and password from your employer, local librarian, et cetera.

    Now... some ppl will tell you that you can get a CERT for free, and you probably can. I've seen them in all price ranges, from $0 to $500/yr. with all sorts of benefits. You probably have too. Whatever!

    Knowing NOTHING about all this CERT stuff, except what I've read, I believe that if you want to do it right, you need to jump into the deep end of the pool, get a real CERT, and go from there. If you aren't willing to do that, I doubt if any reputable company is going to want anything to do with you.

    Sorry if that sounds austere, but I think that's pretty much the way it is...

    Bottom line: Quit playing 'house' and buy a real CERT. Contact JagPC Tech Services and have them set it up for you.
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  3. #3
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    Are you really "stuck with this"? At about $50/year SSL certificates aren't overly expensive compared to what you will likely pay for the merchant gateway for credit card processing. They also don't take very long to set up. So really: save yourself the trouble.

    Yes, the session is lost, because the domain in the URL changes (from yoursite.com to serveraddy.com), but nothing is stopping you from setting up a fresh cookie based session on that "new" url. You found a way to pass on who's moving from one to the other, so all you need to do is give him a new cookie based session on the SSL connection, taking that session ID out of the URL again.
    Regards,

    Wim Heemskerk
    ---
    Visit MeCCG.net - Cardgaming in J.R.R. Tolkien's Middle-earth
    And Gwaihir.net - The Middle-earth CCG store
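
The handoff suggested in the post above, as an added example that is not part of the original thread: a landing script on the shared-SSL host takes the session ID from the URL once, moves the session onto a fresh HTTPS-only cookie, and redirects to a fixed URL, so the merchant always sees the same address. The script name, the `sid` parameter, the `cart` session key and both URLs are assumptions, and it assumes PHP 7.3+ with both hostnames sharing one session store.

```php
<?php
// handoff.php on the shared-SSL host (added example; all names are hypothetical).
// Assumes the session files written via yoursite.com are readable here.

const CLEAN_URL = 'https://serveraddy.com/~account/checkout.php'; // placeholder
const CART_URL  = 'http://yoursite.com/cart.php';                 // placeholder

function valid_session_id(string $id): bool
{
    // Accept only the characters PHP itself uses in session IDs.
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id);
}

function adopt_session(string $incomingId): bool
{
    if (!valid_session_id($incomingId)) {
        return false;
    }
    ini_set('session.use_only_cookies', '1'); // never read the ID from a URL again
    ini_set('session.use_trans_sid', '0');    // never append it to links
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_id($incomingId);
    session_start();
    if (empty($_SESSION['cart'])) {
        // Unknown or empty session: nothing to carry over, so refuse it.
        session_destroy();
        return false;
    }
    // Issue a new ID for the HTTPS side and delete the one that travelled
    // in the URL, so a logged or bookmarked link cannot reopen the session.
    session_regenerate_id(true);
    return true;
}

if (PHP_SAPI !== 'cli') {
    $sid = $_GET['sid'] ?? '';
    $ok  = is_string($sid) && adopt_session($sid);
    // Redirect so the session ID no longer appears in the address bar,
    // the Referer header, or the URL the merchant receives.
    header('Location: ' . ($ok ? CLEAN_URL : CART_URL), true, 303);
    exit;
}
```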

  4. #4
    Loyal Client
    Join Date
    Aug 2002
    Posts
    269
    Sheesh.... I should have known I was going to get a sermon on this.

    Look. I'm supposed to build this cheesy e-site for a customer. It was due a month ago. He called a few days ago upset that it wasn't done because he just came from a trade show and customers needed to place their orders. I told him I'd have something ready TODAY (Thursday) that will work until we get things fine tuned. It's all my fault. I just need something to work in the interim.

    That's why I'm stuck. I'm sure something like this has never happened to anyone else, but it's happened to me so I'm doing the best I can to deal with it. When I get this worked out and can breathe again, I'll get the SSL cert.

    BTW, thanks for the cookie idea. It works fine.

  5. #5
    Ron
    Loyal Client
    Join Date
    Aug 2002
    Posts
    7,306
    Quote Originally Posted by salewit
    Sheesh.... I should have known I was going to get a sermon on this.
    .... ..
    .... ..
    .... ..

    .._.
    ._.
    _ _ _
    _ _

    ..._
    ..
    _.
    .._ _..

    ._..
    _ _ _
    ._..

    ___ . _____

  6. #6
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Quote Originally Posted by Ron
    .... ..
    .... ..
    .... ..

    .._.
    ._.
    _ _ _
    _ _

    ..._
    ..
    _.
    .._ _..

    ._..
    _ _ _
    ._..

    ___ . _____
    .... ..
    .... ..


    ...-
    .
    .-.
    -.--

    -..
    .-.
    ---
    .-..
    .-..

    .-.
    ---
    -.

    .-.-.-

  7. #7
    Jag Veteran
    Join Date
    Sep 2002
    Posts
    650
    I think you guys need to scroll down for forums in foreign languages

  8. #8
    the Windlord Gwaihir's Avatar
    Join Date
    Jun 2002
    Posts
    2,562
    I dunno.. it is plain English, just a bit of a weird "character set"

    -.-.
    ....
    .
    .
    .-.
    ...



    .-.-.-.-
    Last edited by Gwaihir; 03-20-2005 at 07:12 PM.
