Hi there, I've stumbled across a problem with a shopping cart I've recently developed. It basically works by snatching the user's session_id(), storing that in a MySQL database along with the product they add to the cart, i.e.:

    <?php
    session_start();
    $sessid = session_id();
    ...
    // Note: $id, $size and $quantity come from the request and are interpolated
    // straight into the SQL string; they need escaping (or a prepared statement)
    // before this is safe against SQL injection.
    $sql = "INSERT INTO carttemp SET session_id = '$sessid', item_id = '$id', item_size = '$size', item_quantity = '$quantity'";
    ...
    ?>

When it comes time for the user to check out, they get transferred to a secure HTTPS connection. The customer is then provided with a rundown of what's in their cart, with code as simple as:

    <?php
    session_start();
    $sessid = session_id();
    $query = "SELECT * FROM carttemp WHERE session_id = '$sessid'";
    ...
    ?>

As you can see, the reference point is always the session_id. There are no variables stored in sessions; I am simply using the session_id to match the data stored in the temporary database with the user.

90% of the time this code works fine. However, I have had a few reports that customers will add items to their cart, click on order (which changes them to an HTTPS connection) and suddenly their cart will be empty! I've been able to replicate this problem, but only using Firefox 1.5 on PC and only sometimes (very strange!!). In these cases, it would appear that changing from HTTP to HTTPS generates a new session_id. Most of the time the session_id remains the same whether in HTTP or HTTPS, and you can jump back and forward without dramas.

Does anyone know why this would be working sometimes, but not all the time, and how I can best avoid it from happening altogether? Keep in mind that once in HTTPS, the user might jump back to HTTP and vice versa; the whole time I will need some sort of reference point to match items stored in the cart database with the customer who put them there!

Can I store the session_id in a cookie that can be accessed in both HTTP and HTTPS? And how would I reference it and make sure I'm getting the right cookie without being able to use the session_id? Or can I simply scrap sessions and use cookies altogether? There will be no sensitive data (well, no data at all really) stored in the cookie; it is simply a means of linking a customer to their products whilst they are still browsing/ordering. Or is there a way to simply maintain the session_id between HTTP and HTTPS? I would prefer to avoid a solution that requires the SID be sent through URL, POST or GET, as it would require huge amounts of re-coding.

Thanks in advance to anyone that can help me out with this situation!

Dogen
You can encrypt the session id (knowing your key, of course) in the HTTPS page and send it as a URL variable. After that you can decrypt it to come up with the session id. But that is an interesting situation; I'm eager to see if this works or what the real solution is.
Is your SSL site on a different URL or server? If your SSL site is on the same server/hostname, then it might be a client issue. If you can, try to make your site function so that http://sitename.com transfers to https://sitename.com. I had a similar issue when my SSL URL was https://sitename.com and my site was http://www.sitename.com. When you transfer hostnames your session is cleared; the session is based on the hostname. I don't know if that's what is happening, but it's a shot in the dark. Otherwise you will have to send some form of your session id in a variable.
I think you might be onto it! What appears to be happening is that users are accessing the site via http://sitename.com (rather than http://www.sitename.com) and, as soon as they click on CHECKOUT, they are being transferred to https://www.sitename.com/. Interesting to note, however, that it still only seems to occur on Firefox 1.5 on Windows. Is there some quick code I can add to the header which will force the user to be at http://www.sitename.com? Thanks for helping with this!
Well, create a .htaccess file and add this code to it:

    Options +FollowSymlinks
    RewriteEngine On
    # Any request whose Host header does not start with "www." is sent to the www. host
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

But I am pretty sure that you have to use the URL query string to pass parameters from HTTP to HTTPS, as those are two different applications that do not share a session.
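The hostname explanation a couple of posts up and the .htaccess rule above both point at the same mechanism: PHP's session cookie is issued for the hostname that served the first page, so a cookie set on sitename.com is never sent to www.sitename.com, and the HTTPS checkout page starts a fresh, empty session. The following is an added example, not code from the original thread, showing how to handle this in PHP itself: canonicalise the host before any cookie is issued, scope the session cookie to the parent domain so it travels across both hostnames and both schemes, and, because a cookie that is usable over plain HTTP can be sniffed there, rotate the session id on the first HTTPS request while re-keying the cart rows so the customer's cart survives. The table and column names (carttemp, session_id, item_id, item_size, item_quantity) are taken from the original post; the hostnames, cookie name and database credentials are placeholders.

```php
<?php
// Added example, not from the original thread. Assumes the shop is reachable as
// sitename.com and www.sitename.com over both HTTP and HTTPS, and that the cart
// table is `carttemp` keyed by `session_id` as in the original post.
// Hostnames, cookie name and DSN/credentials below are placeholders.

// 1. Canonical host. Redirect the bare host to www. before session_start() so
//    the session cookie is only ever issued for one hostname. This is the PHP
//    equivalent of the .htaccess rewrite above; either one is enough.
$canonical_host = 'www.sitename.com';                               // placeholder
$is_https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
if (strcasecmp($_SERVER['HTTP_HOST'], $canonical_host) !== 0) {
    $scheme = $is_https ? 'https' : 'http';
    header('Location: ' . $scheme . '://' . $canonical_host . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// 2. Cookie scope. Issue the session cookie for the parent domain so a request
//    that still arrives on the bare host gets the same cookie. secure=false is
//    what lets one cookie be sent over both HTTP and HTTPS (the thread's
//    requirement); httponly=true keeps script on the page from reading it.
//    Must be called before session_start().
session_set_cookie_params(0, '/', '.sitename.com', false, true);     // placeholder domain
session_name('CARTSESSID');                                          // placeholder name
session_start();

// 3. Rotate the id on entering HTTPS. The id that was used over plain HTTP may
//    have been observed on the wire; issue a new one and move the cart rows to
//    it in the same request so the customer does not land on an empty cart.
function migrate_cart_to_new_session(PDO $db): string
{
    $old_id = session_id();
    session_regenerate_id(true);        // new id; $_SESSION is kept, old file deleted
    $new_id = session_id();

    $stmt = $db->prepare('UPDATE carttemp SET session_id = ? WHERE session_id = ?');
    $stmt->execute([$new_id, $old_id]);
    return $new_id;
}

// 4. Read the cart with the id bound as a parameter rather than interpolated
//    into the SQL string, as in the original SELECT.
function load_cart(PDO $db): array
{
    $stmt = $db->prepare(
        'SELECT item_id, item_size, item_quantity FROM carttemp WHERE session_id = ?'
    );
    $stmt->execute([session_id()]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('mysql:host=localhost;dbname=shop', 'shop', 'secret', [   // placeholder DSN
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if ($is_https && empty($_SESSION['checkout_id_rotated'])) {
    migrate_cart_to_new_session($db);
    $_SESSION['checkout_id_rotated'] = true;
}

$cart = load_cart($db);
```

Two caveats. The cookie keeps working across HTTP and HTTPS only because it is not flagged Secure, which is acceptable here solely because the thread states the session carries no sensitive data; once the customer has entered payment details the id should be rotated again and the cookie re-issued with the Secure flag for the HTTPS-only part of the flow. And the domain-scoped cookie is sent to every subdomain of sitename.com, so any other application hosted under that domain can read it.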