Setting cookies for a different site?
Moderator: General Moderators
-
Mad0Driver
- Forum Newbie
- Posts: 10
- Joined: Tue Jan 30, 2007 4:00 pm
Setting cookies for a different site?
Hello Everyone-
I am new to php programming and I had a few questions. I was wondering if there was any way to set a cookie for a different site? I am using a phpBB forum, and using its login interface to allow only logged in viewers to see certain pages. What i wanted to do was make the login process secure. Unfortuanately, my web host allows for use of a shared secure server, but its address is very different from that of my site. When i do the login there, it sets the cookies there, and so it is no good for the rest of the site. Is there any way around this? Can i set a cookie whose sole purpose is to be used on a different site?
Thanks in advance
I am new to php programming and I had a few questions. I was wondering if there was any way to set a cookie for a different site? I am using a phpBB forum, and using its login interface to allow only logged in viewers to see certain pages. What i wanted to do was make the login process secure. Unfortuanately, my web host allows for use of a shared secure server, but its address is very different from that of my site. When i do the login there, it sets the cookies there, and so it is no good for the rest of the site. Is there any way around this? Can i set a cookie whose sole purpose is to be used on a different site?
Thanks in advance
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada
- Contact:
actually, i think this can be done... but you'd have to know the domain that the site uses to set their cookies with, as well. it's usually something unique so cookies don't get crossed between sites... which is exactly what you're trying to do, i think. so, check out this tutorial:
http://w3schools.com/php/php_cookies.asp
it may shed some light on things.
http://w3schools.com/php/php_cookies.asp
it may shed some light on things.
-
Mad0Driver
- Forum Newbie
- Posts: 10
- Joined: Tue Jan 30, 2007 4:00 pm
Thats what i was afraid of. I do not want security holes, thats for sure, but i dont know any other way to secure the login data. None of the forum sites i know are protected by ssl, but i wanted to be secure. I suppose a shared mysql database may work, but if my database is installed on example.com, how can i direct information to it from secureexample.com? Are there any other ways to transfer this info? Would a hidden form work?
Thanks for your replies.
Thanks for your replies.
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada
- Contact:
-
Mad0Driver
- Forum Newbie
- Posts: 10
- Joined: Tue Jan 30, 2007 4:00 pm
How secure would that be? I would have to transfer the session info. Hm, when i log on to the ssl, it sends the info to my database, the username, etc. I would then need to extract that to get the proper data, but how do you verify the Id of the person on the other end? Sure, i could send the info to my database, but once it gets there, how can i say, this info is this user? there is no identifying factor. I can not send it in a cookie or in a session.
Thanks
Thanks
-
Mad0Driver
- Forum Newbie
- Posts: 10
- Joined: Tue Jan 30, 2007 4:00 pm
Okay, so after log in, a randomly generated #, or some specific data, say the username, is echoed into the url like example.com?<?php echo info?>. Something like this, right? and then how do i get the data from the url?
After getting the data, i can SELECT*FROM database where info = xyz, correct? When one logs on in the phpBB board, it uses
$userdata = session_pagestart($user_ip, PAGE_LOGIN);
init_userprefs($userdata);
one of these lines, im not sure which,
to get the user's information. How could i call that up so i can have that? Certain users have different preferences and i would need to keep those throughout.
Thank you for your help.
After getting the data, i can SELECT*FROM database where info = xyz, correct? When one logs on in the phpBB board, it uses
$userdata = session_pagestart($user_ip, PAGE_LOGIN);
init_userprefs($userdata);
one of these lines, im not sure which,
to get the user's information. How could i call that up so i can have that? Certain users have different preferences and i would need to keep those throughout.
Thank you for your help.
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada
- Contact:
- feyd
- Neighborhood Spidermoddy
- Posts: 31559
- Joined: Mon Mar 29, 2004 3:24 pm
- Location: Bothell, Washington, USA
One-time means only useful once, for a limited time. So a username or anything else that doesn't change is not one.
Integration with phpBB isn't all that complicated. Well, it can be, but on the simplest level, it's fairly simple: copying the majority of the page start up code found on most phpBB interface pages will yield basic integration. At that point you will have access to the phpBB functionality so you can check the various flags it uses as indicators of logged in status and so forth.
Integration with phpBB isn't all that complicated. Well, it can be, but on the simplest level, it's fairly simple: copying the majority of the page start up code found on most phpBB interface pages will yield basic integration. At that point you will have access to the phpBB functionality so you can check the various flags it uses as indicators of logged in status and so forth.
-
Mad0Driver
- Forum Newbie
- Posts: 10
- Joined: Tue Jan 30, 2007 4:00 pm
feyd-
I see your point. What kind of one-time only thing were you thinking of? i suppose you couls store the sessid but that would be stupid, wouldnt it? I already have my site integrated with phpBB, but what i do not know is how to get all the data that it normally uses. How would you set up a one-time only thing? maybe give it an expiration time of 10 seconds? But can you give and expiration time to a url object? or to something in mysql? What i am trying to figure out at this point is what i could transfer in the url and how to i read the info in the url? I can tell it to echo "info" in the url, but how does the other page read "info"?
kieran-
i think transmitting the SID would kinda ruin the point, wouldnt it? Also, i read that it wasnt possible for PHP to transmit SID's between sites.
Thank you both
I see your point. What kind of one-time only thing were you thinking of? i suppose you couls store the sessid but that would be stupid, wouldnt it? I already have my site integrated with phpBB, but what i do not know is how to get all the data that it normally uses. How would you set up a one-time only thing? maybe give it an expiration time of 10 seconds? But can you give and expiration time to a url object? or to something in mysql? What i am trying to figure out at this point is what i could transfer in the url and how to i read the info in the url? I can tell it to echo "info" in the url, but how does the other page read "info"?
kieran-
i think transmitting the SID would kinda ruin the point, wouldnt it? Also, i read that it wasnt possible for PHP to transmit SID's between sites.
Thank you both
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada
- Contact:
I was thinking about storing the SID in the db and transmitting a token to retrieve it depending on an IP check maybe. Still not sure if it's possible, but it would sure solve a lot of your problems!
EDIT: yep - it's possible after all
EDIT: yep - it's possible after all
-
Mad0Driver
- Forum Newbie
- Posts: 10
- Joined: Tue Jan 30, 2007 4:00 pm
Kieran-
I followed the theory- barely
But i have absolutely no idea how to go about doing that. What is a centralised ID issuing server? And that is just one of many questions.
Could you possibly break it down a little?
After reading that article, i started googling.
Would setting the cookie for two different domains work? Sort of like this guy is trying
http://www.webmasterworld.com/forum88/10041.htm
It also seems to be the argument here
http://www.sitepoint.com/forums/showthread.php?t=440649
But only on the first link does it appear to tell you how.
Thanks
I followed the theory- barely
But i have absolutely no idea how to go about doing that. What is a centralised ID issuing server? And that is just one of many questions.
After reading that article, i started googling.
Would setting the cookie for two different domains work? Sort of like this guy is trying
http://www.webmasterworld.com/forum88/10041.htm
It also seems to be the argument here
http://www.sitepoint.com/forums/showthread.php?t=440649
But only on the first link does it appear to tell you how.
Thanks
- Kieran Huggins
- DevNet Master
- Posts: 3635
- Joined: Wed Dec 06, 2006 4:14 pm
- Location: Toronto, Canada
- Contact:
Someone correct me if I'm mistaken, but you can "join" an existing session by using session_start($session_id) - right? So in this case, you would store the SID in a database along with their current IP and a unique db ID. then you send them a hash of all three, they send it back to your other domain, you compare it against your recent database records, find the line that matches, compare their IP with the one in the database, then start the session with the SID in the db. Presto, change-o: shared session.
Disclaimer: I've never done this, it just seems to make sense to me (as do many nonsensical things...)
Disclaimer: I've never done this, it just seems to make sense to me (as do many nonsensical things...)