We use several installations of MRBS across several subdomains. One of the domains uses the DB auth scheme, all other subdomains use the db_ext scheme. This allows all users to be stored in one mrbs_user table. We use the session cookie setting due to an issue with PHP sessions timing out on our shared hosting.
To make life easier for the users I would like to allow a single login to access all sites. I have made the following changes to achieve this:
In config.inc.php on each site:
1. set $auth["session_cookie"]["secret"] to the same value.
2. add $auth["session_cookie"]["domain"] = '.mydomain.com';
In session_cookie.inc in each site (session directory):
1. at line 254 change
setcookie("SessionToken", "${hash}_".base64_encode($json_data), $expiry_time, $cookie_path);
to
setcookie("SessionToken", "${hash}_".base64_encode($json_data), $expiry_time, $cookie_path, $auth['session_cookie']['domain']);
I also recommend adding $auth["session_cookie"]["domain"] = ''; to the systemdefaults.inc.php. This will ensure you don't break anything if you don't set $auth["session_cookie"]["domain"] in the config.inc.php file.
It seems to work well. Are there any flaws to this approach?
I found an issue with the changes above. Log Off does not work. Do the following to fix the issue:
in session_cookie.inc change
function logoff_user()
from:to
Sounds like a reasonable improvement. Campbell or I will have a bit more of a think/test and look at adding the config option.
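An added example, not part of the thread and not MRBS code: a simplified model of a browser cookie store (RFC 6265, section 5.3) showing why a logoff that clears SessionToken without the domain leaves the shared cookie in place. The logoff_user() change itself did not survive on this page, so the cause shown here is an assumption, and the host names a.mydomain.com and b.mydomain.com are constructed.

```javascript
// Simplified model of a browser cookie store (RFC 6265, section 5.3).
// Cookies are keyed by (name, domain, path); a Set-Cookie replaces or
// deletes only the entry whose three fields all match.
const domainMatch = (host, domain) =>
  host === domain || host.endsWith('.' + domain);

class CookieJar {
  constructor() { this.store = new Map(); }

  // host: the site that sent Set-Cookie. c.domain is optional; without it
  // the cookie is host-only and is keyed by the sending host itself.
  setCookie(host, c, now) {
    const hostOnly = !c.domain;
    const domain = hostOnly ? host : c.domain.replace(/^\./, '').toLowerCase();
    if (!hostOnly && !domainMatch(host, domain)) return false; // foreign domain
    const key = `${c.name}|${domain}|${c.path}`;
    if (c.expires <= now) this.store.delete(key);   // expiry in the past = delete
    else this.store.set(key, { ...c, domain, hostOnly });
    return true;
  }

  // Names of the cookies the browser would attach to a request for host.
  // Path matching is reduced to a prefix test for this example.
  namesSentTo(host, path, now) {
    return [...this.store.values()]
      .filter(c => c.expires > now)
      .filter(c => (c.hostOnly ? host === c.domain : domainMatch(host, c.domain)))
      .filter(c => path.startsWith(c.path))
      .map(c => c.name);
  }
}

// Log in on one site, log off there, then report whether the other site
// still receives SessionToken. Host names are constructed sample values.
function tokenSurvivesLogoff(logoffSendsDomain) {
  const now = 1000, jar = new CookieJar();
  const scope = { name: 'SessionToken', path: '/', domain: '.mydomain.com' };
  jar.setCookie('a.mydomain.com', { ...scope, value: 'hash_json', expires: now + 3600 }, now);
  const clear = { ...scope, value: '', expires: now - 3600 };
  if (!logoffSendsDomain) delete clear.domain;      // logoff omitting the domain
  jar.setCookie('a.mydomain.com', clear, now);
  return jar.namesSentTo('b.mydomain.com', '/', now).includes('SessionToken');
}

console.log('logoff without domain, token still sent:', tokenSurvivesLogoff(false));
console.log('logoff with domain, token still sent:', tokenSurvivesLogoff(true));
```

The same rule applies to the path: the clearing cookie has to repeat the $cookie_path used at login as well as the domain.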