
Setting cookies for a different site?

Posted: Tue Jan 30, 2007 4:15 pm
by Mad0Driver
Hello Everyone-

I am new to PHP programming and I had a few questions. I was wondering if there was any way to set a cookie for a different site? I am using a phpBB forum, and using its login interface to allow only logged in viewers to see certain pages. What I wanted to do was make the login process secure. Unfortunately, my web host allows for use of a shared secure server, but its address is very different from that of my site. When I do the login there, it sets the cookies there, and so it is no good for the rest of the site. Is there any way around this? Can I set a cookie whose sole purpose is to be used on a different site?


Thanks in advance

Posted: Tue Jan 30, 2007 4:17 pm
by Kieran Huggins
nope... cookies are per-domain.

You could try to bridge the two by storing data in a shared mysql database maybe...

Posted: Tue Jan 30, 2007 4:30 pm
by boo_lolly
actually, i think this can be done... but you'd have to know the domain that the site uses to set their cookies with, as well. it's usually something unique so cookies don't get crossed between sites... which is exactly what you're trying to do, i think. so, check out this tutorial:
http://w3schools.com/php/php_cookies.asp
it may shed some light on things.

Posted: Tue Jan 30, 2007 4:33 pm
by feyd
It is not possible unless you are using a poorly written browser. It is a security hole that can easily open yourself up to a LOT of harm.

Posted: Tue Jan 30, 2007 4:41 pm
by Mad0Driver
That's what I was afraid of. I do not want security holes, that's for sure, but I don't know any other way to secure the login data. None of the forum sites I know are protected by SSL, but I wanted to be secure. I suppose a shared MySQL database may work, but if my database is installed on example.com, how can I direct information to it from secureexample.com? Are there any other ways to transfer this info? Would a hidden form work?

Thanks for your replies.

Posted: Tue Jan 30, 2007 5:02 pm
by Kieran Huggins
You'll have to allow the foreign host to connect (usually an option in your webhost control panel) and then just MySQL_connect('example.com','username','password');

Posted: Tue Jan 30, 2007 5:07 pm
by Mad0Driver
How secure would that be? I would have to transfer the session info. Hm, when I log on to the SSL, it sends the info to my database, the username, etc. I would then need to extract that to get the proper data, but how do you verify the Id of the person on the other end? Sure, I could send the info to my database, but once it gets there, how can I say, this info is this user? There is no identifying factor. I can not send it in a cookie or in a session.

Thanks

Posted: Tue Jan 30, 2007 5:19 pm
by feyd
In the URL. I would not use the session id itself. Instead I'd use a one-time token in the URL with a database record attached that associates to whatever end level information you require.

Posted: Tue Jan 30, 2007 5:27 pm
by Mad0Driver
Okay, so after log in, a randomly generated #, or some specific data, say the username, is echoed into the url like example.com?<?php echo info?>. Something like this, right? And then how do I get the data from the url?

After getting the data, I can SELECT * FROM database WHERE info = xyz, correct? When one logs on in the phpBB board, it uses

$userdata = session_pagestart($user_ip, PAGE_LOGIN);
init_userprefs($userdata);

one of these lines, I'm not sure which,

to get the user's information. How could I call that up so I can have that? Certain users have different preferences and I would need to keep those throughout.

Thank you for your help.

Posted: Tue Jan 30, 2007 5:38 pm
by Kieran Huggins
Maybe you could store the session variable and then share the session... anyone ever done this?

Posted: Tue Jan 30, 2007 5:40 pm
by feyd
One-time means only useful once, for a limited time. So a username or anything else that doesn't change is not one.

Integration with phpBB isn't all that complicated. Well, it can be, but on the simplest level, it's fairly simple: copying the majority of the page start up code found on most phpBB interface pages will yield basic integration. At that point you will have access to the phpBB functionality so you can check the various flags it uses as indicators of logged in status and so forth.

Posted: Tue Jan 30, 2007 5:50 pm
by Mad0Driver
feyd-

I see your point. What kind of one-time only thing were you thinking of? I suppose you could store the sessid but that would be stupid, wouldn't it? I already have my site integrated with phpBB, but what I do not know is how to get all the data that it normally uses. How would you set up a one-time only thing? Maybe give it an expiration time of 10 seconds? But can you give an expiration time to a url object? Or to something in MySQL? What I am trying to figure out at this point is what I could transfer in the url and how do I read the info in the url? I can tell it to echo "info" in the url, but how does the other page read "info"?

kieran-

I think transmitting the SID would kinda ruin the point, wouldn't it? Also, I read that it wasn't possible for PHP to transmit SIDs between sites.

Thank you both

Posted: Tue Jan 30, 2007 5:53 pm
by Kieran Huggins
I was thinking about storing the SID in the db and transmitting a token to retrieve it depending on an IP check maybe. Still not sure if it's possible, but it would sure solve a lot of your problems!

EDIT: yep - it's possible after all

Posted: Tue Jan 30, 2007 6:15 pm
by Mad0Driver
Kieran-

I followed the theory- barely

But I have absolutely no idea how to go about doing that. What is a centralised ID issuing server? And that is just one of many questions. :D Could you possibly break it down a little?

After reading that article, I started googling.

Would setting the cookie for two different domains work? Sort of like this guy is trying
http://www.webmasterworld.com/forum88/10041.htm

It also seems to be the argument here

http://www.sitepoint.com/forums/showthread.php?t=440649

But only on the first link does it appear to tell you how.

Thanks

Posted: Tue Jan 30, 2007 6:44 pm
by Kieran Huggins
Someone correct me if I'm mistaken, but you can "join" an existing session by using session_start($session_id) - right? So in this case, you would store the SID in a database along with their current IP and a unique db ID. then you send them a hash of all three, they send it back to your other domain, you compare it against your recent database records, find the line that matches, compare their IP with the one in the database, then start the session with the SID in the db. Presto, change-o: shared session.

Disclaimer: I've never done this, it just seems to make sense to me (as do many nonsensical things...)
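
The one-time token handoff that feyd and Kieran describe above, as an added example that is not part of any post in the thread. The table name `login_handoff`, the function names, the 60-second lifetime and the in-memory SQLite database (standing in for the shared MySQL database) are all assumptions; the token maps to a user id rather than to the session id.

```php
<?php
// Added example: one-time login handoff token between two domains.
// Assumptions: table and function names are hypothetical; SQLite in memory
// stands in for the shared MySQL database discussed in the thread.

function handoff_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE login_handoff (
        token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
        ip TEXT NOT NULL, expires_at INTEGER NOT NULL,
        used INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Secure (SSL) site, called after the password check succeeds.
function issue_token(PDO $db, int $userId, string $ip, int $now, int $ttl = 60): string {
    $token = bin2hex(random_bytes(32));           // unguessable and URL-safe
    $stmt = $db->prepare('INSERT INTO login_handoff
        (token_hash, user_id, ip, expires_at) VALUES (?, ?, ?, ?)');
    // Store only a hash so a database leak does not expose live tokens.
    $stmt->execute([hash('sha256', $token), $userId, $ip, $now + $ttl]);
    return $token;                                // goes into the redirect URL
}

// Main site, given the token read from $_GET; returns the user id or null.
function redeem_token(PDO $db, string $token, string $ip, int $now): ?int {
    $hash = hash('sha256', $token);
    // A single UPDATE claims the token, so it cannot be redeemed twice.
    $claim = $db->prepare('UPDATE login_handoff SET used = 1
        WHERE token_hash = ? AND used = 0 AND ip = ? AND expires_at >= ?');
    $claim->execute([$hash, $ip, $now]);
    if ($claim->rowCount() !== 1) {
        return null;                              // unknown, expired, reused or wrong IP
    }
    $row = $db->prepare('SELECT user_id FROM login_handoff WHERE token_hash = ?');
    $row->execute([$hash]);
    return (int) $row->fetchColumn();
}

// Constructed sample values: user 42, a documentation-range IP, fixed clock.
$db = handoff_db();
$t  = issue_token($db, 42, '203.0.113.7', 1000);
var_dump(redeem_token($db, $t, '203.0.113.7', 1010));   // first use
var_dump(redeem_token($db, $t, '203.0.113.7', 1011));   // replay of the same token
$t2 = issue_token($db, 42, '203.0.113.7', 1000);
var_dump(redeem_token($db, $t2, '203.0.113.7', 2000));  // presented after expiry
```

On the receiving site the returned user id would be used to establish a fresh session there, with `session_regenerate_id(true)` called once the login is accepted.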