Re: [Phplib-users] Multi-domain sessions?
From: Michael C. <mdc...@mi...> - 2002-05-13 03:59:21
On Sun, May 12, 2002 at 03:45:07PM +0100, James Stewart wrote:
> I posted on this a while back but hadn't really thought through what I
> wanted to do.
>
> I have three sites which all share a single database and which I'd like
> to share a single shopping cart. The SSL certificate is only valid for
> one of the domains so I definitely need to be able to have that domain
> access carts started at either of the other sites. Two of the sites are
> on one server and the third is on another, along with the database.
>
> I'm using session4.inc and I'm guessing the best way to handle this
> would be to send three cookies when the user first visits any of the
> sites, one from each domain, each containing the session ID. I would
> then get the same session ID when the user went to any of the sites
> during that browser session.
>
> My initial attempt to do this involved hacking session4.inc so that if
> $cookie_domain is an array it sends a cookie from each domain listed but
> this doesn't appear to have worked. My sessions within one site have the
> same ID but when I move to either of the other sites I get a different
> ID.

Just some general thoughts.

First, you can't set or read cookies from other domains. If you wanted to go that way, the only way to really do it would be to set the cookie and redirect to the other two domains, basically a redirect circle that would end up on the first site again. I wouldn't recommend that.

If you want to use the same session, and can get to the session information from all three (note that I strongly suggest using the file based sessioning for php4), then you can do what you want and pass the session id as part of each cross-site url. You should have some logic on the other sites to check the referring url on the way in. While it's true that it can be spoofed, and that doesn't make it more secure, it does keep it from being accidentally passed in from another site (i.e. someone posts a link on another site that includes a session id).

Also note that the same security issue exists on any given site, anyway. If someone nabs your session id while you're logged in, they can take over your session easily.

Anyway, if you don't feel safe just passing the session id, you can always use a shared key encryption scheme to pass information from one domain to another through URLs. I just don't know what you'd gain in that case.

Michael

--
Michael Darrin Chaney
mdc...@mi...
http://www.michaelchaney.com/
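The hand-off Michael sketches (session id in a cross-site URL, a referer check on the way in, optionally protected with a shared key) can be made concrete as follows. This is an added example, not PHPLib code and not from the thread: it signs the session id with an HMAC under a secret shared by the three sites instead of encrypting it, because what the receiving site needs is proof that the id came from a sibling site and is still fresh, not secrecy. The function names, the `HANDOFF_TTL` and `ALLOWED_REFERERS` constants, the hostnames and the sample session id are all assumptions made up for the example; in PHPLib the real id would come from `$sess->id`.

```php
<?php
// Added example (not PHPLib's own code): short-lived, HMAC-signed hand-off
// token for carrying a shared session id from one site to another via a URL.
// Assumptions: all three sites share $secret (kept outside the web root) and
// the same session store; hostnames below are placeholders.

const HANDOFF_TTL = 60;   // seconds a hand-off link stays usable
const ALLOWED_REFERERS = ['shop-a.example', 'shop-b.example', 'secure.example'];

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data) {
    return base64_decode(strtr($data, '-_', '+/'), true);   // false on bad input
}

// Built by the originating site and appended to the cross-site link.
// Payload: sessionId|expiry|nonce, followed by an HMAC-SHA256 over it.
function makeHandoffToken(string $sessionId, string $secret, ?int $now = null): string {
    $now = $now ?? time();
    $expires = $now + HANDOFF_TTL;
    $nonce = bin2hex(random_bytes(8));   // lets the receiver reject replays if it records seen nonces
    $payload = $sessionId . '|' . $expires . '|' . $nonce;
    $mac = hash_hmac('sha256', $payload, $secret);
    return base64url_encode($payload . '|' . $mac);
}

// Returns the session id when the token is authentic and unexpired, else null.
function verifyHandoffToken(string $token, string $secret, ?int $now = null): ?string {
    $now = $now ?? time();
    $raw = base64url_decode($token);
    if ($raw === false) return null;
    $parts = explode('|', $raw);
    if (count($parts) !== 4) return null;
    [$sessionId, $expires, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', "$sessionId|$expires|$nonce", $secret);
    if (!hash_equals($expected, $mac)) return null;           // constant-time compare
    if (!ctype_digit($expires) || (int)$expires < $now) return null;   // expired link
    return $sessionId;
}

// The referer check from the reply: spoofable, so it adds no security against an
// attacker, but it stops an id posted on an unrelated site from being picked up.
function refererAllowed(?string $referer): bool {
    if ($referer === null || $referer === '') return false;
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && in_array(strtolower($host), ALLOWED_REFERERS, true);
}

// --- Originating site (shop-a.example) building the link to the SSL site ---
$secret = 'replace-with-a-long-random-shared-secret';   // placeholder, not a real key
$sharedSessionId = 'abc123';                             // constructed; PHPLib would use $sess->id
$link = 'https://secure.example/cart.php?handoff=' . makeHandoffToken($sharedSessionId, $secret);

// --- Receiving site (secure.example/cart.php) ---
// In the real handler: $incoming = $_GET['handoff'] ?? ''; $referer = $_SERVER['HTTP_REFERER'] ?? null;
$incoming = substr($link, strpos($link, '=') + 1);      // simulate the click
$referer  = 'https://shop-a.example/basket.php';         // constructed
$sid = refererAllowed($referer) ? verifyHandoffToken($incoming, $secret) : null;

if ($sid !== null) {
    // Adopt the shared id before starting the session so this site reads the
    // same cart record from the shared store: session_id($sid); session_start();
    echo "Handed off session $sid\n";
} else {
    echo "Hand-off rejected; starting a fresh session\n";
}
```

The signature means a site only accepts ids minted by a sibling, and the expiry bounds how long a URL that leaks through logs, bookmarks or a referer header to a third party remains usable, which addresses the "someone nabs your session id" point from the reply more directly than encrypting the id would. The nonce only helps against replay if the receiving site records nonces it has already accepted, which is left out here.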