Session cookies and database sessions
- shiznatix
- DevNet Master
- Posts: 2745
- Joined: Tue Dec 28, 2004 5:57 pm
- Location: Tallinn, Estonia
Session cookies and database sessions
Here is my pickle. My company's website has the main domain and many subdomains, each for a different language, so basically we have http://www.domain.com, de.domain.com, pt.domain.com, etc. To keep the sessions working properly I have made all sessions cookie sessions and that has solved all problems.
Now we have added a new domain, newstuff.org which is on the same server and everything. No problems. The problem is though that if the user is logged in on domain.com I need him to be logged in on newstuff.org as well. For the life of me I can't think of how to do this.
I have thought about just serializing the session into a database every page load and using the session id as the key, but I can't get a cookie that I set on domain.com to be read on newstuff.org (yes, I set the domain when I set the cookie and nope, no go).
What would be the best course of action given this situation?
- Christopher
- Site Administrator
- Posts: 13596
- Joined: Wed Aug 25, 2004 7:54 pm
- Location: New York, NY, US
Re: Session cookies and database sessions
Maybe set the cookie with the IP address rather than using a domain name?
Re: Session cookies and database sessions
You can't do such things because it's plain XSS 
I think you can use page redirects to accomplish this. And maybe the approach can be used for sites on different servers (i.e. different IPs).
I succeeded doing it this way:
A.com/index.php
<?php
if (!empty($_GET['sid']))
{
    // arriving from passport.php: adopt the session id it passed, then drop the sid from the URL
    session_id($_GET['sid']);
    session_start();
    header('Location: http://A.com/index.php');
    exit();
}
else
{
    session_start();
    if (empty($_SESSION['logged']))
    {
        // not logged in yet: send the user over to the passport site
        header('Location: http://B.com/passport.php');
        exit();
    }
}
print_r($_SESSION);
?>
B.com/passport.php
<?php
// (the real login check belongs here) mark the session as logged in and hand its id to A.com
session_start();
$_SESSION['logged'] = true;
$_SESSION['user'] = 'prob';
header('Location: http://A.com/index.php?sid='.session_id());
exit();
?>
Now... we must decide how secure it is
Maybe the thread should be moved into "PHP security" forum section.
EDIT: A challenge string and HMAC-ed data sent in the GET query string together with ordinary data will secure some of the issues I can think of so far.
Last edited by VladSun on Fri Mar 11, 2011 4:15 am, edited 2 times in total.
There are 10 types of people in this world, those who understand binary and those who don't
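A hardened form of the hand-off that the EDIT above sketches (a challenge string plus HMAC-ed data in the query string), written here as an added example and not code from the thread. It assumes both hosts read the same secret into $HANDOFF_KEY, and it has A.com start its own fresh session instead of adopting the session id from the URL.

```php
<?php
// Added example, not VladSun's code: sign the hand-off so A.com can trust it.
// Assumes both hosts share $HANDOFF_KEY (e.g. loaded from config on the server).
// passport.php sends a short-lived signed token instead of the raw session id;
// index.php verifies it and then starts its own fresh session.

const HANDOFF_TTL = 60;                       // seconds a token stays valid
$HANDOFF_KEY = getenv('HANDOFF_KEY') ?: 'CHANGE-ME-shared-secret';  // placeholder

function b64url(string $raw): string {        // URL-safe base64, no padding
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// B.com/passport.php: called only after the user has really logged in there.
function make_handoff_token(string $user, string $key, ?int $now = null): string {
    $now = $now ?? time();
    $payload = b64url(json_encode([
        'user'  => $user,
        'exp'   => $now + HANDOFF_TTL,
        'nonce' => bin2hex(random_bytes(16)), // the challenge string: one use only
    ]));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// A.com/index.php: returns the verified payload, or null if anything is off.
function verify_handoff_token(string $token, string $key, ?int $now = null): ?array {
    $now = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) return null; // tampered or wrong key
    $data = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !isset($data['user'], $data['exp'], $data['nonce'])) return null;
    if ($data['exp'] < $now) return null;                                       // stale token
    return $data;
}

// On B.com/passport.php, replacing the ?sid= redirect:
//   header('Location: http://A.com/index.php?token=' . urlencode(make_handoff_token('prob', $HANDOFF_KEY)));
// On A.com/index.php, replacing the session_id($_GET['sid']) branch:
//   $data = verify_handoff_token($_GET['token'] ?? '', $HANDOFF_KEY);
//   if ($data === null) { http_response_code(403); exit(); }
//   session_start();
//   session_regenerate_id(true);   // A.com mints its own id; never adopt one from the URL
//   $_SESSION['logged'] = true;
//   $_SESSION['user'] = $data['user'];
//   // store $data['nonce'] server-side (a DB table works) and reject a repeat to block replay
```

The nonce check is what turns the token into a one-time challenge; without it the same URL can be reused until the 60-second expiry passes.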
- shiznatix
- DevNet Master
- Posts: 2745
- Joined: Tue Dec 28, 2004 5:57 pm
- Location: Tallinn, Estonia
Re: Session cookies and database sessions
I don't like the idea of just header-ing between the 2, that would give errors and whatnot and plus we don't so much care about the new one as it's just a front for the old one which is our main site.
The only thing I can think of is for 1 of the domains to be able to set a cookie for the other domain then use database sessions but I can't seem to set a cookie for newstuff.org set from domain.com. From what I have read it should be possible but honestly, it just does not work for me (FF3 latest ubuntu release)
I can't imagine there being 0 way of doing this, maybe there is some function I can override in php that, when setting a session or changing a session it also changes another domains sessions. It is a dedicated server and all, I have all control over it so maybe there is something somewhere.
Re: Session cookies and database sessions
shiznatix wrote:
> I don't like the idea of just header-ing between the 2, that would give errors
What errors?
Re: Session cookies and database sessions
Vlad's approach is the only way I'm familiar with to have cross-domain cookies. The domain policies pretty much restrict other possibilities.
Re: Session cookies and database sessions
Read this PDF. It's J2EE-specific but the concepts apply just the same. Do a Google search for "cross domain single sign on" and you'll find several approaches, but the successful ones are essentially all the same and, as VladSun suggests, rely on a series of redirects.
Cross-domain single sign-on
André D wrote:
> Read this PDF. It's J2EE-specific but the concepts apply just the same. Do a Google search for "cross domain single sign on" and you'll find several approaches, but the successful ones are essentially all the same and, as VladSun suggests, rely on a series of redirects.
Here are some more technologies we should at least be aware of:
Security Assertion Markup Language
Web Single Sign-On Metadata Exchange Protocol
Web Single Sign-On Interoperability Profile specification
WS-Federation
OpenID
Re: Session cookies and database sessions
Make a login subdomain, generate a random phrase from a private key, pass it via ajax, have it authenticate on the login server, send an encoded message back and match it back against the private key, then set a cookie and redirect to secure area transparently
Re: Session cookies and database sessions
josh wrote:
> Make a login subdomain, generate a random phrase from a private key, pass it via ajax, have it authenticate on the login server, send an encoded message back and match it back against the private key, then set a cookie and redirect to secure area transparently
It's OK, but it would require JavaScript to be enabled.