Session cookies and database sessions
Posted: Mon Feb 09, 2009 9:09 am
by shiznatix
Here is my pickle. My company's website has the main domain and many subdomains, each for a different language, so basically we have http://www.domain.com, de.domain.com, pt.domain.com, etc. To keep the sessions working properly I have made all sessions cookie sessions and that has solved all problems.
Now we have added a new domain, newstuff.org which is on the same server and everything. No problems. The problem is though that if the user is logged in on domain.com I need him to be logged in on newstuff.org as well. For the life of me I can't think of how to do this.
I have thought about just serializing the session into a database every page load and using the session id as the key, but I can't get a cookie that I set on domain.com to be read on newstuff.org (yes, I set the domain when I set the cookie and nope, no go).
What would be the best course of action given this situation?
Re: Session cookies and database sessions
Posted: Mon Feb 09, 2009 10:16 am
by Christopher
Maybe set the cookie with the IP address rather than using a domain name?
Re: Session cookies and database sessions
Posted: Mon Feb 09, 2009 12:25 pm
by VladSun
You can't do such things because it's plain XSS
I think you can use page redirects to accomplish this. And maybe the approach can be used for sites on different servers (i.e. different IPs).
I succeeded doing it this way:
A.com/index.php:

    <?php
    if (!empty($_GET['sid'])) {
        // Adopt the session id handed over by B.com, then drop it from the URL.
        session_id($_GET['sid']);
        session_start();
        header('Location: http://A.com/index.php');
        exit();
    } else {
        session_start();
        if (empty($_SESSION['logged'])) {
            // Not logged in here yet: send the visitor to B.com to pick up the session.
            header('Location: http://B.com/passport.php');
            exit();
        }
    }
    print_r($_SESSION);
    ?>
B.com/passport.php:

    <?php
    session_start();
    // Mark this session as logged in and hand its id to A.com in the query string.
    $_SESSION['logged'] = true;
    $_SESSION['user'] = 'prob';
    header('Location: http://A.com/index.php?sid=' . session_id());
    exit();
Now... we must decide how secure it is

Maybe the thread should be moved into "PHP security" forum section.
EDIT: A challenge string and HMAC-ed data sent in the GET query string together with ordinary data will secure some of the issues I can think of so far.
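As an added illustration of the challenge string plus HMAC that the EDIT above mentions (example code written for this thread, not VladSun's): B.com signs the sid, a random challenge and an expiry before redirecting, and A.com checks the signature, the expiry and that the challenge has not been used before adopting the session. The shared secret and the `$seen` list of used challenges are assumptions, not something the thread specifies.

```php
<?php
// Added example: B.com signs the hand-off, A.com verifies it before adopting the session.
// Assumptions (not from the thread): both hosts share $SECRET out of band, and A.com keeps
// a record of challenges it has already accepted so a captured URL cannot be replayed.
$SECRET = 'replace-with-a-long-random-shared-secret';   // placeholder value

// B.com/passport.php side: build the redirect URL carrying sid, a fresh challenge,
// an expiry and an HMAC over all three.
function issue_handoff(string $sid, string $secret, int $now): string {
    $challenge = bin2hex(random_bytes(16));
    $expires   = $now + 60;                        // the link is only good for one minute
    $payload   = "$sid|$challenge|$expires";
    $mac       = hash_hmac('sha256', $payload, $secret);
    return 'http://A.com/index.php?' . http_build_query([
        'sid' => $sid, 'challenge' => $challenge, 'expires' => $expires, 'mac' => $mac,
    ]);
}

// A.com/index.php side: returns the session id to adopt, or null if anything is off.
function verify_handoff(array $get, string $secret, int $now, array &$seen): ?string {
    foreach (['sid', 'challenge', 'expires', 'mac'] as $k) {
        if (empty($get[$k])) return null;
    }
    $payload  = $get['sid'] . '|' . $get['challenge'] . '|' . $get['expires'];
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $get['mac'])) return null;   // constant-time compare
    if ((int)$get['expires'] < $now) return null;             // stale link
    if (isset($seen[$get['challenge']])) return null;         // link already used once
    $seen[$get['challenge']] = true;                          // persist this in real code
    return $get['sid'];
}

// Demonstration without a browser: parse the URL that B.com would redirect to.
$seen = [];
$url  = issue_handoff(bin2hex(random_bytes(16)), $SECRET, time());
parse_str(parse_url($url, PHP_URL_QUERY), $params);
var_dump(verify_handoff($params, $SECRET, time(), $seen));   // first use of the link
var_dump(verify_handoff($params, $SECRET, time(), $seen));   // same link presented again
$params['sid'] = 'some-other-session-id';
var_dump(verify_handoff($params, $SECRET, time(), $seen));   // sid altered, MAC no longer matches
```

On A.com the returned sid is what the original index.php would pass to session_id() before session_start(); the record of used challenges has to live in shared storage, not a PHP array, once more than one request is involved.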
Re: Session cookies and database sessions
Posted: Tue Feb 10, 2009 9:40 am
by shiznatix
I don't like the idea of just header-ing between the 2, that would give errors and whatnot, and plus we don't so much care about the new one as it's just a front for the old one which is our main site.
The only thing I can think of is for 1 of the domains to be able to set a cookie for the other domain, then use database sessions, but I can't seem to set a cookie for newstuff.org from domain.com. From what I have read it should be possible but honestly, it just does not work for me (FF3, latest Ubuntu release).
I can't imagine there being 0 way of doing this, maybe there is some function I can override in PHP that, when setting a session or changing a session, also changes another domain's sessions. It is a dedicated server and all, I have all control over it so maybe there is something somewhere.
Re: Session cookies and database sessions
Posted: Tue Feb 10, 2009 12:18 pm
by VladSun
shiznatix wrote: I don't like the idea of just header-ing between the 2, that would give errors
? What errors?
Re: Session cookies and database sessions
Posted: Tue Feb 10, 2009 12:24 pm
by Eran
Vlad's approach is the only way I'm familiar with to have cross-domain cookies. The domain policies pretty much restrict other possibilities.
Re: Session cookies and database sessions
Posted: Wed Feb 11, 2009 1:46 am
by André D
Read this PDF. It's J2EE-specific but the concepts apply just the same. Do a Google search for "cross domain single sign on" and you'll find several approaches, but the successful ones are essentially all the same and, as VladSun suggests, rely on a series of redirects.
Cross-domain single sign-on
Posted: Thu Feb 19, 2009 1:24 am
by André D
André D wrote: Read this PDF. It's J2EE-specific but the concepts apply just the same. Do a Google search for "cross domain single sign on" and you'll find several approaches, but the successful ones are essentially all the same and, as VladSun suggests, rely on a series of redirects.
Here are some more technologies we should at least be aware of:
Security Assertion Markup Language
Web Single Sign-On Metadata Exchange Protocol
Web Single Sign-On Interoperability Profile specification
WS-Federation
OpenID
Re: Session cookies and database sessions
Posted: Thu Feb 19, 2009 3:25 am
by josh
Make a login subdomain, generate a random phrase from a private key, pass it via ajax, have it authenticate on the login server, send an encoded message back and match it back against the private key, then set a cookie and redirect to secure area transparently
Re: Session cookies and database sessions
Posted: Thu Feb 19, 2009 3:54 pm
by VladSun
josh wrote: Make a login subdomain, generate a random phrase from a private key, pass it via ajax, have it authenticate on the login server, send an encoded message back and match it back against the private key, then set a cookie and redirect to secure area transparently
It's OK, but it would require JavaScript to be enabled.