Page 1 of 1

Persisting Session data over 2 domains

Posted: Fri Jul 21, 2006 6:53 am
by determinedmoth
I have a multi-geographic site running on 1 central server. For example I have the following domains pointing to folders within the site root;

domain.co.uk = /site/uk
domain.co.za = /site/za
domain-admin.com = /site/admin

They all use global authentication scripts, and the requirement is that the administrator can log in via domain-admin.com, and session data will carry over all 3 domains.

For now, I can only log in the user under the parent URL.

I'm reluctant to use cookies, or pass the Session ID via the URL.

I have full control over the server, php.ini / apache etc and can edit pretty much anything to make it work.

I hope that makes sense, and thank you.

Posted: Fri Jul 21, 2006 8:28 am
by feyd
You have to pass the session ID via the URL. There's no way around it. Cookies won't transfer across domains, you can't rely on their IP, etc.

Posted: Fri Jul 21, 2006 8:38 am
by determinedmoth
Ok.
I was hoping there would be some hack in Apache to do this.

Thank you.

Posted: Fri Jul 21, 2006 11:01 am
by Ward
You can't read cookies from other domains, but you are allowed to specify the domain when setting a cookie. What about something like this:

When a user logs in successfully, instead of only setting a cookie for the site he is on, why not set cookies for the other domains as well? Each cookie would need a unique name, but it should work.

Posted: Fri Jul 21, 2006 11:03 am
by RobertGonzalez
I don't think that's possible. I thought cookies would only set if the domain/path was on the domain setting the cookie. I could be wrong about this though.

Posted: Fri Jul 21, 2006 11:08 am
by determinedmoth
I've tried sending the SID via the URL, but this doesn't work across different URL's either.

I was playing with this:

Code: Select all

ini_set('session.referer_check', 'myothersite.com');
session_start();
echo $_SESSION['myvar'];
But it wont work.

Time for a drink. I'll come back to it monday!

Posted: Fri Jul 21, 2006 11:24 am
by Ward
I dont think it will work using the same session ID. I'm pretty sure your session ID is tied to the domain it was created for. It is possible to set a cookie for another domain, just not read one from another. For it to work, you'll probably need to create a custom cookie-based login system. I would probably write is as a class, for ease of use.

Posted: Fri Jul 21, 2006 11:31 am
by feyd
It's not possible to write cookies for other domains. That would be a massive security hole in a browser if it allowed such an action. You may attempt it, but the browser will ignore the cookie.

Posted: Fri Jul 21, 2006 11:31 am
by determinedmoth
All the session data is, is the auth level of the user.

I guess when I "link" to the other sites, I could send the info via $_POST to a log in script on the other site.

Posted: Fri Jul 21, 2006 12:15 pm
by kbrown3074
I think the $_POST is probably the best way to do it.