Session cookies and database sessions

shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Session cookies and database sessions

Post by shiznatix »

Here is my pickle. My company's website has the main domain and many subdomains, each for a different language, so basically we have http://www.domain.com, de.domain.com, pt.domain.com, etc. To keep the sessions working properly I have made all sessions cookie sessions and that has solved all problems.

Now we have added a new domain, newstuff.org which is on the same server and everything. No problems. The problem is though that if the user is logged in on domain.com I need him to be logged in on newstuff.org as well. For the life of me I can't think of how to do this.

I have thought about just serializing the session into a database every page load and using the session id as the key, but I can't get a cookie that I set on domain.com to be read on newstuff.org (yes, I set the domain when I set the cookie and nope, no go).

What would be the best course of action given this situation?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: Session cookies and database sessions

Post by Christopher »

Maybe set the cookie with the IP address rather than using a domain name?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Session cookies and database sessions

Post by VladSun »

You can't do such things because it's plain XSS :)

I think you can use page redirects to accomplish this. And maybe the approach can be used for sites on different servers (i.e. different IPs).

I succeeded doing it this way:

A.com/index.php

<?php

if (!empty($_GET['sid']))
{
    // Adopt the session id handed over by B.com, then redirect so it leaves the URL
    session_id($_GET['sid']);
    session_start();
    header('Location: http://A.com/index.php');
    exit();
}
else
{
    session_start();
    // No session here yet: bounce through B.com to pick one up
    if (empty($_SESSION['logged']))
    {
        header('Location: http://B.com/passport.php');
        exit();
    }
}
print_r($_SESSION);

?>

B.com/passport.php

<?php

session_start();
$_SESSION['logged'] = true;
$_SESSION['user'] = 'prob';

// Hand the session id back to A.com in the query string
header('Location: http://A.com/index.php?sid='.session_id());
exit();

?>
Now... we must decide how secure it is :)
Maybe the thread should be moved into "PHP security" forum section.

EDIT: A challenge string and HMAC-ed data sent in the GET query string together with ordinary data will secure some of the issues I can think of so far.
Last edited by VladSun on Fri Mar 11, 2011 4:15 am, edited 2 times in total.
There are 10 types of people in this world, those who understand binary and those who don't
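The "challenge string and HMAC-ed data" from the EDIT above, worked through as an added example that is not code from the thread: instead of putting the bare session id in ?sid=, B.com issues a signed, expiring, single-use passport token, and A.com refuses anything forged, stale or already redeemed before it calls session_id(). Assumptions: both hosts load the same $secret from configuration outside the web root and share one session store; $seen stands in for a shared store of redeemed nonces, and PASSPORT_TTL is a chosen value.

```php
<?php
// Added example, not code from the thread. A signed, expiring, single-use "passport"
// replaces the raw session id in the ?sid= redirect. Assumed: shared $secret, shared
// session store, and a shared nonce store for which $seen is an in-memory stand-in.
declare(strict_types=1);

const PASSPORT_TTL = 60; // seconds within which A.com must redeem the token (assumed)

// Issued on B.com after login. Binds the session id to a random nonce and an expiry,
// then signs all three so A.com can detect any change to any of them.
function issue_passport(string $sessionId, string $secret, int $now): string
{
    $payload = implode('|', [$sessionId, bin2hex(random_bytes(16)), $now + PASSPORT_TTL]);
    $mac     = hash_hmac('sha256', $payload, $secret);
    // URL-safe base64 so the token survives the query string unchanged
    return rtrim(strtr(base64_encode($payload . '|' . $mac), '+/', '-_'), '=');
}

// Redeemed on A.com. Returns the session id, or null when the token is malformed,
// forged, expired, or has been presented before.
function redeem_passport(string $token, string $secret, int $now, array &$seen): ?string
{
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    if ($raw === false) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 4) {
        return null;
    }
    [$sessionId, $nonce, $expires, $mac] = $parts;

    // Check the MAC before trusting any field, in constant time
    $expected = hash_hmac('sha256', "$sessionId|$nonce|$expires", $secret);
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;                              // expired
    }
    if (isset($seen[$nonce])) {
        return null;                              // replay of a redeemed token
    }
    // Only accept ids in the shape PHP itself generates
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sessionId)) {
        return null;
    }
    $seen[$nonce] = true;
    return $sessionId;
}

// --- B.com/passport.php, after the user has actually authenticated ---
// header('Location: https://A.com/index.php?sid=' . issue_passport(session_id(), $secret, time()));
// exit();

// --- A.com/index.php ---
// if (isset($_GET['sid'])) {
//     $sid = redeem_passport((string) $_GET['sid'], $secret, time(), $seen);
//     if ($sid === null) { http_response_code(403); exit('invalid or expired passport'); }
//     session_id($sid);
//     session_start();
//     header('Location: https://A.com/index.php');   // drop the token from the URL
//     exit();
// }

// Self-check with constructed values: a fresh token redeems once, then is refused
$secret = 'demo-only-secret';   // real deployments: long random value from config
$seen   = [];
$token  = issue_passport('abcdefghijklmnopqrstuvwxyz', $secret, time());
assert(redeem_passport($token, $secret, time(), $seen) === 'abcdefghijklmnopqrstuvwxyz');
assert(redeem_passport($token, $secret, time(), $seen) === null);        // replay
assert(redeem_passport($token . 'x', $secret, time(), $seen) === null);  // tampered
```

The immediate redirect on A.com matters as much as the signature: it keeps the token out of browser history and Referer headers, and the short TTL plus the nonce store limit what a token that does leak is worth.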
shiznatix
DevNet Master
Posts: 2745
Joined: Tue Dec 28, 2004 5:57 pm
Location: Tallinn, Estonia

Re: Session cookies and database sessions

Post by shiznatix »

I don't like the idea of just header-ing between the 2, that would give errors and whatnot, and plus we don't so much care about the new one as it's just a front for the old one, which is our main site.

The only thing I can think of is for 1 of the domains to be able to set a cookie for the other domain, then use database sessions, but I can't seem to set a cookie for newstuff.org from domain.com. From what I have read it should be possible but honestly, it just does not work for me (FF3, latest Ubuntu release).

I can't imagine there being 0 way of doing this, maybe there is some function I can override in php that, when setting a session or changing a session it also changes another domains sessions. It is a dedicated server and all, I have all control over it so maybe there is something somewhere.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Session cookies and database sessions

Post by VladSun »

shiznatix wrote:I don't like the idea of just header-ing between the 2, that would give errors
? What errors?
There are 10 types of people in this world, those who understand binary and those who don't
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Session cookies and database sessions

Post by Eran »

Vlad's approach is the only way I'm familiar with to have cross-domain cookies. The domain policies pretty much restrict other possibilities.
André D
Forum Commoner
Posts: 55
Joined: Thu Aug 28, 2008 7:03 pm

Re: Session cookies and database sessions

Post by André D »

Read this PDF. It's J2EE-specific but the concepts apply just the same. Do a Google search for "cross domain single sign on" and you'll find several approaches, but the successful ones are essentially all the same and, as VladSun suggests, rely on a series of redirects.
André D
Forum Commoner
Posts: 55
Joined: Thu Aug 28, 2008 7:03 pm

Cross-domain single sign-on

Post by André D »

André D wrote:Read this PDF. It's J2EE-specific but the concepts apply just the same. Do a Google search for "cross domain single sign on" and you'll find several approaches, but the successful ones are essentially all the same and, as VladSun suggests, rely on a series of redirects.
Here are some more technologies we should at least be aware of:

Security Assertion Markup Language
Web Single Sign-On Metadata Exchange Protocol
Web Single Sign-On Interoperability Profile specification
WS-Federation
OpenID
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Session cookies and database sessions

Post by josh »

Make a login subdomain, generate a random phrase from a private key, pass it via ajax, have it authenticate on the login server, send an encoded message back and match it back against the private key, then set a cookie and redirect to secure area transparently
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Session cookies and database sessions

Post by VladSun »

josh wrote:Make a login subdomain, generate a random phrase from a private key, pass it via ajax, have it authenticate on the login server, send an encoded message back and match it back against the private key, then set a cookie and redirect to secure area transparently
It's OK, but it would require JavaScript to be enabled.
There are 10 types of people in this world, those who understand binary and those who don't