Hi! I'm pretty new to programming so would really appreciate some advice on whether something is possible without compromising security too much.
It's probably best if I start by explaining what I've got at the moment then describe what I would like to do:
I am building the website for a new non-profit organisation. At the moment there are a few pages for members only but nothing terribly vital so I am simply using the login system from our phpBB forum via the standard sessions integration (kb article on phpbb site) to test if the user is logged in before displaying the private content.
I now need to create a page where members can view and change the personal details we hold about them, including name, address, date of birth etc - in other words, no financial details but still data that should be kept private. However, we only have access to a shared secure server so the secure connection has to go through a different domain.
What I would like to happen is that visitors must log into the main site as usual before they can go to the private details page. If they are already logged in to the main site then they must simply re-authenticate themselves once (by giving the password again, or possibly a personal question & answer) when they arrive at the secure page. If they try to go straight to the secure url without logging in to the main site first they should be directed to the main site login page to sign in there before being redirected back to the secure page where they will still have to re-authenticate themselves. In other words, they always have to log in twice to see their details, once through the standard forum login and once through the secure connection (hope that makes sense!).
So (finally getting to the point), what I would like to know is:
1) Is the above situation possible, given that the forum session would be set through mydomain.com and the re-authentication would be by secure-server/mydomain.com?
2) Is what I've described appropriate or should I just ask visitors to log in once to the secure page and not bother about whether they're already logged into the main site?
3) If it is both possible and desirable, how can it be done?
btw, we have no money so a dedicated server or security certificate just for our domain is not an option.
I would be very grateful for any advice or suggestions,
Thanks
Can you test if a session is valid from a different domain?
missiemilla
- Forum Newbie
- Posts: 4
- Joined: Tue Apr 08, 2008 10:06 am
Re: Can you test if a session is valid from a different domain?
Guess that was a stupid question then? Or maybe the wrong place to ask...
Re: Can you test if a session is valid from a different domain?
If I understood correctly, http://domain.com and https://domain.com are different machines. In that case you won't be able to use the same login session on both, and you would need to synchronise the login data. If they use the same database, it is possible to keep the sessions in the database (rtfm for that) and the first link from http to https to pass the session ID through the URL (the cookies won't work). Does this make sense, or do I misunderstand your problem?
missiemilla wrote:
1) Is the above situation possible, given that the forum session would be set through mydomain.com and the re-authentication would be by secure-server/mydomain.com?
2) Is what I've described appropriate or should I just ask visitors to log in once to the secure page and not bother about whether they're already logged into the main site?
3) If it is both possible and desirable, how can it be done?
missiemilla
- Forum Newbie
- Posts: 4
- Joined: Tue Apr 08, 2008 10:06 am
Re: Can you test if a session is valid from a different domain?
D'oh, simple really... did say I'm a newb
I think the two domains must be on the same machine as I can access my database with 'localhost' from both the secure and non-secure pages. So I just have to check the session data in the database when they reach the secure page.
Thank you so much for the help!
Btw, what does rtfm mean?
Re: Can you test if a session is valid from a different domain?
If both are on the same machine, you won't need to use in-database sessions, the file-based ones will do fine, you just have to pass the SID manually, as the cookie won't work.
RTFM = read the .. ahem ... fine manual
It's the most common answer given to noobs, so here's another chance for you to learn
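An added example (not code from the thread or from phpBB) of what the secure page could do with the SID passed in the URL, as the two replies above describe: re-open the shared file-based session, confirm a forum login is behind it, then demand the password a second time. It assumes both hosts share the same session.save_path, that the main site stores the logged-in member's id in $_SESSION['user_id'], and that load_password_hash(), show_password_form() and show_personal_details() are hypothetical helpers you write yourself.

```php
<?php
// Secure page on the https host. The forum's session cookie was set for the http
// host, so the session ID (SID) arrives in the URL instead: details.php?sid=...
declare(strict_types=1);

const MAIN_LOGIN  = 'http://mydomain.com/login.php';                      // assumed URL
const THIS_PAGE   = 'https://secure-server/mydomain.com/details.php';     // assumed URL

function is_plausible_sid(string $sid): bool
{
    // Reject anything that is not a normal PHP session ID before handing it to
    // session_id(), so a crafted value cannot name an arbitrary session file.
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,128}$/', $sid);
}

$sid = $_GET['sid'] ?? '';
if (!is_plausible_sid($sid)) {
    header('Location: ' . MAIN_LOGIN . '?redirect=' . urlencode(THIS_PAGE));
    exit;
}

session_id($sid);   // must precede session_start(); uses the shared save_path
session_start();

if (empty($_SESSION['user_id'])) {
    // No forum login behind this ID: bounce to the main login and come back here.
    header('Location: ' . MAIN_LOGIN . '?redirect=' . urlencode(THIS_PAGE));
    exit;
}

// The ID has been exposed in a URL (history, Referer headers, proxy logs), so swap
// it for a fresh one now; the old session file is deleted and a cookie is set for
// the https host, so later requests on this page no longer need ?sid=.
session_regenerate_id(true);

// Second login for this page only: the forum session alone is not enough.
if (empty($_SESSION['reauth_ok'])) {
    $given = $_POST['password'] ?? '';
    $hash  = load_password_hash((int) $_SESSION['user_id']);   // hypothetical helper
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && $given !== '' && password_verify($given, $hash)) {
        $_SESSION['reauth_ok'] = true;
    } else {
        show_password_form();   // hypothetical helper: prints the re-authentication form
        exit;
    }
}

show_personal_details((int) $_SESSION['user_id']);   // hypothetical helper
```

The link from the main site to this page should be generated after login with the current session_id() appended, and only over the https URL, so the SID is never sent over plain http a second time.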
missiemilla
- Forum Newbie
- Posts: 4
- Joined: Tue Apr 08, 2008 10:06 am
Re: Can you test if a session is valid from a different domain?
Cheers!
Have spent hours trying to decipher that manual. I find it's really easy to work out what it means if you already know and almost impossible otherwise! At least I'll know if someone's telling me to look again though.