First, yes i know this is a big security NONO. But the scenario is this;

In the checkout of a webshop i use a payment-gateway, which can proxy my checkout form through their SSL.

(following url’s is just the theory, other urls apply for the application)

The way it works, website redirects user to their https://gateway.org/secure-tunnel.php passing a url in the query like this ?url=http://myshop.com/cc-form.php <- needs to be urlencoded.

The secure-tunnel requests the url – sprinkle some magic on url in the document – and shows it to the user.

Now i want to pass the session ID to the cc-form.php url, and got that part working. BUT the requested page don’t pick up the session ID that is passed.

Any ideas on that?

The following is from my application.ini

resources.session.name = UPSSESSID
resources.session.save_path = APPLICATION_PATH "/../data/session"
resources.session.use_only_cookies = off
resources.session.referer_check = off
resources.session.remember_me_seconds = 864000

Also while researching i found that the Suoshin extension could be causing some problems, so i have added this to the .htaccess

php_flag suhosin.session.cryptua off

I use a route to my payment form

$this->_helper->url->url(array(session_name() => Zend_Session::getId()), 'payment')

EDIT: Possible, rather dodgy solution

I actually managed to restore the session by inserting this to _initApplication() in my bootstrap file. It’s rather dodgy, so if anyone knows of a better – more ZF’ish – way please advice!

    if(isset($_GET[$appConfig->resources->session->name])) {
        session_id($_GET[$appConfig->resources->session->name]);
    }

EDIT: DOH!

Well.. turns out previous edit is not needed. Just before i added the previous lines to the bootstrap i also changed the url layout.

Changed it from /pay/UPSSESSID/{session-id-here} to /pay?UPSSESSID={session-id-here} – And that was actually the root of the problem 🙁

Now i have removed the lines from the bootstrap and the sessionId i restored correctly.

My mistake!