Session cookies and database sessions

Posted: Mon Feb 09, 2009 9:09 am
by shiznatix
Here is my pickle. My company's website has the main domain and many subdomains, each for a different language, so basically we have http://www.domain.com, de.domain.com, pt.domain.com, etc. To keep the sessions working properly I have made all sessions cookie sessions and that has solved all problems.

Now we have added a new domain, newstuff.org which is on the same server and everything. No problems. The problem is though that if the user is logged in on domain.com I need him to be logged in on newstuff.org as well. For the life of me I can't think of how to do this.

I have thought about just serializing the session into a database on every page load and using the session id as the key, but I can't get a cookie that I set on domain.com to be read on newstuff.org (yes, I set the domain when I set the cookie and nope, no go).

What would be the best course of action given this situation?

Re: Session cookies and database sessions

Posted: Mon Feb 09, 2009 10:16 am
by Christopher
Maybe set the cookie with the IP address rather than using a domain name?

Re: Session cookies and database sessions

Posted: Mon Feb 09, 2009 12:25 pm
by VladSun
You can't do such things because it's plain XSS :)

I think you can use page redirects to accomplish this. And maybe the approach can be used for sites on different servers (i.e. different IPs).

I succeeded doing it this way:

A.com/index.php

<?php

// Arrived here from B.com with the session id in the query string:
// adopt that id, then redirect once more to drop the sid from the URL.
if (!empty($_GET['sid']))
{
    session_id($_GET['sid']);
    session_start();
    header('Location: http://A.com/index.php');
    exit();
}
else
{
    session_start();
    // Not logged in yet: send the user to B.com to authenticate.
    if (empty($_SESSION['logged']))
    {
        header('Location: http://B.com/passport.php');
        exit();
    }
}
print_r($_SESSION);

?>
B.com/passport.php

<?php

session_start();
// Pretend the user has just authenticated here on B.com.
$_SESSION['logged'] = true;
$_SESSION['user'] = 'prob';

// Hand the session id over to A.com in the query string.
header('Location: http://A.com/index.php?sid='.session_id());
exit();
Now... we must decide how secure it is :)
Maybe the thread should be moved into "PHP security" forum section.

EDIT: A challenge string and HMAC-ed data sent in the GET query string together with ordinary data will secure some of the issues I can think of so far.
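As an added illustration of the EDIT above (this is not VladSun's code): the same redirect handoff, but with a random challenge and an HMAC over the query-string data instead of the raw session id in the URL. The shared $secret, the $seenNonces store and the A.com/B.com URLs are assumptions.

```php
<?php
// Added example, not VladSun's code: the redirect handoff from the post above, but
// with the session id kept out of the URL. B.com sends ordinary data (user, expiry)
// plus a random challenge and an HMAC over all of it; A.com checks the HMAC, the
// expiry and that the challenge has not been seen before, then starts a session of
// its own. Assumes both sites share $secret out of band (e.g. a config file).

const HANDOFF_TTL = 60; // seconds a handoff stays valid

// Canonical string the MAC covers; JSON keeps the fields unambiguous.
function handoff_string(array $d): string
{
    return json_encode([$d['user'], $d['exp'], $d['nonce']]);
}

// B.com/passport.php side: query parameters to append to the redirect URL.
function issue_handoff(string $secret, string $user, ?int $now = null): array
{
    $now  = $now ?? time();
    $data = [
        'user'  => $user,
        'exp'   => (string)($now + HANDOFF_TTL),
        'nonce' => bin2hex(random_bytes(16)), // challenge string, fresh per handoff
    ];
    $data['mac'] = hash_hmac('sha256', handoff_string($data), $secret);
    return $data;
}

// A.com/index.php side: returns the user on success, null on any failure.
// $seenNonces stores already-consumed challenges (a DB table in practice).
function verify_handoff(string $secret, array $q, array &$seenNonces, ?int $now = null): ?string
{
    $now = $now ?? time();
    foreach (['user', 'exp', 'nonce', 'mac'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) { return null; }
    }
    $expected = hash_hmac('sha256', handoff_string($q), $secret);
    // hash_equals compares in constant time, so the MAC cannot be guessed byte by byte.
    if (!hash_equals($expected, $q['mac'])) { return null; }
    if (!ctype_digit($q['exp']) || (int)$q['exp'] < $now) { return null; } // expired
    if (isset($seenNonces[$q['nonce']])) { return null; }                  // replayed
    $seenNonces[$q['nonce']] = true;
    return $q['user'];
}

// On B.com after login:  header('Location: http://A.com/index.php?' . http_build_query(issue_handoff($secret, $user)));
// On A.com:  if (($user = verify_handoff($secret, $_GET, $seen)) !== null) { session_start();
//   session_regenerate_id(true); $_SESSION['logged'] = true; $_SESSION['user'] = $user;
//   header('Location: http://A.com/index.php'); exit(); }   // redirect drops the token from the URL
```

A.com never adopts a session id chosen by the URL, so a guessed or leaked sid cannot be fixed onto a victim, and a captured handoff URL is useless after one use or after HANDOFF_TTL seconds.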

Re: Session cookies and database sessions

Posted: Tue Feb 10, 2009 9:40 am
by shiznatix
I don't like the idea of just header-ing between the 2, that would give errors and whatnot, and plus we don't so much care about the new one as it's just a front for the old one, which is our main site.

The only thing I can think of is for 1 of the domains to be able to set a cookie for the other domain and then use database sessions, but I can't seem to set a cookie for newstuff.org from domain.com. From what I have read it should be possible but honestly, it just does not work for me (FF3, latest Ubuntu release).

I can't imagine there being 0 ways of doing this; maybe there is some function I can override in PHP that, when setting a session or changing a session, also changes another domain's sessions. It is a dedicated server and all, I have all control over it, so maybe there is something somewhere.

Re: Session cookies and database sessions

Posted: Tue Feb 10, 2009 12:18 pm
by VladSun
shiznatix wrote: I don't like the idea of just header-ing between the 2, that would give errors

? What errors?

Re: Session cookies and database sessions

Posted: Tue Feb 10, 2009 12:24 pm
by Eran
Vlad's approach is the only way I'm familiar with to have cross-domain cookies. The domain policies pretty much restrict other possibilities.

Re: Session cookies and database sessions

Posted: Wed Feb 11, 2009 1:46 am
by André D
Read this PDF. It's J2EE-specific but the concepts apply just the same. Do a Google search for "cross domain single sign on" and you'll find several approaches, but the successful ones are essentially all the same and, as VladSun suggests, rely on a series of redirects.

Cross-domain single sign-on

Posted: Thu Feb 19, 2009 1:24 am
by André D
André D wrote: Read this PDF. It's J2EE-specific but the concepts apply just the same. Do a Google search for "cross domain single sign on" and you'll find several approaches, but the successful ones are essentially all the same and, as VladSun suggests, rely on a series of redirects.

Here are some more technologies we should at least be aware of:

Security Assertion Markup Language
Web Single Sign-On Metadata Exchange Protocol
Web Single Sign-On Interoperability Profile specification
WS-Federation
OpenID

Re: Session cookies and database sessions

Posted: Thu Feb 19, 2009 3:25 am
by josh
Make a login subdomain, generate a random phrase from a private key, pass it via AJAX, have it authenticate on the login server, send an encoded message back and match it against the private key, then set a cookie and redirect to the secure area transparently.

Re: Session cookies and database sessions

Posted: Thu Feb 19, 2009 3:54 pm
by VladSun
josh wrote: Make a login subdomain, generate a random phrase from a private key, pass it via AJAX, have it authenticate on the login server, send an encoded message back and match it against the private key, then set a cookie and redirect to the secure area transparently.

It's OK, but it would require JavaScript to be enabled.