Well, if you're using your own session_save_handler you can always use a database on server A... Just let the script on server B log in on server A, and store the info in the database. Then you can just pass the session ID in the URL...

Not a bad idea :)

I'm a bit concerned about passing the session handle in the url though. Won't anyone who types in the same url be able to hijack the session?

Still I could pass the handle as POST data instead I suppose.

Got any good library examples of a mySql based session_save_handler?

We don't have any here at WebmasterWorld, as far as I know. There are several examples on the net, but they've all seemed to have some issues. So, here's what I use. Change the bold to whatever your settings/preferences are.

---

<?php
session_set_save_handler("SessionStart", "SessionEnd", "SessionRead", "SessionWrite", "SessionDestroy", "SessionGarbageCollect");

$id = session_id();
$lifetime = get_cfg_var("session.gc_maxlifetime");

function SessionStart($session_save_path,$session_name) {
mysql_pconnect("host","username","password") or die("Can't connect to MySQL server!");
mysql_select_db("database") or die("Can't select MySQL sessions database");
}

function SessionEnd() {
return 1;
}

function SessionRead($id) {
$result = mysql_query("SELECT data FROM sessions WHERE sessionid='".session_id()."' AND expires>".time());

if($result && mysql_num_rows($result)) {
$var = mysql_fetch_row($result);
$temp = $var[0];
return $temp;
}

else {
global $whatever;
global $lifetime;
$expires = time()+$lifetime;
$result = mysql_query("INSERT INTO sessions (sessionid,expires,data) VALUES('".session_id()."','$expires','$whatever')");
return "";
}

}

function SessionWrite($id,$whatever) {
global $lifetime;
$expires = time()+$lifetime;
$result = mysql_query("UPDATE sessions SET expires='$expires',data='$whatever' WHERE sessionid='".session_id()."' AND expires>".time());
}

function SessionDestroy($id) {
$result = mysql_query("DELETE FROM sessions WHERE sessionid='".session_id()."'");
}

function SessionGarbageCollect($lifetime) {
$result = mysql_query("DELETE FROM sessions WHERE expires<".time());
}
?>

---

The variable name $whatever should be something that is hard for others to guess, but makes sense to you.

You'll have to do this to decode the session variables on subsequent pages:

session_start();
session_decode($temp);

As far as table structure, this works for me:

sessionid - varchar(32), primary key
expires - int(11)
data - text

Actually, you should be able to use it without sessions too (even though that would be less safe) by just using

include

to grab the page from server A

Nice one, thanks for the code Doc. :)

Not sure if I want to go down this road or not though. Seems an overly complex solution somehow.

just using include to grab the page from server A

Yeah that would be the easiest solution... but (there is always a 'but' isn't there?) server B is a shared server with a shared server certificate and a common url.

i.e. The urls look like https:/secure.acommerceserver.com/my_username/ rather than http:/www.my_username.com

So the resulting pages would have ugly, off-site urls. Which would no doubt confuse my users (who are non-technical doctor types).

Well, once the session handling is set up it takes care of itself :)

As for ugly URL, why not have the first page on server A redirect?

header("Location: whatever.html");

Echoing DrDoc, using header(), you could choose to do a double-redirect to clean up the URL once the user is returned to A.

Not 100% sure, but with redirects, you might get those pesky "you are being taken to/from a secure site" messages.