Thread: [Phplib-users] Multi-domain sessions?
From: James S. <li...@br...> - 2002-05-12 14:45:16
I posted on this a while back but hadn't really thought through what I wanted to do.

I have three sites which all share a single database and which I'd like to share a single shopping cart. The SSL certificate is only valid for one of the domains so I definitely need to be able to have that domain access carts started at either of the other sites. Two of the sites are on one server and the third is on another, along with the database.

I'm using session4.inc and I'm guessing the best way to handle this would be to send three cookies when the user first visits any of the sites, one from each domain, each containing the session ID. I would then get the same session ID when the user went to any of the sites during that browser session.

My initial attempt to do this involved hacking session4.inc so that if $cookie_domain is an array it sends a cookie from each domain listed, but this doesn't appear to have worked. My sessions within one site have the same ID, but when I move to either of the other sites I get a different ID.

Any ideas?

James.
From: Walters J. P. <jw...@sa...> - 2002-05-12 15:05:24
Pardon my feeble attempt at an answer... I believe that w/ cookies you don't have much control over setting one for *another* domain. I think the most control you have is limiting it to the subdomain you're on (mybox.whatever.com) or the whole domain (*.whatever.com).

So you need another way to pass around session id's between sites. Remember that the traditional way of pulling it from a cookie will be non-existent, so can you simply pass it in the URL? In any links between sites, add a variable to the url using the GET method (or POST I guess if you want to hide it), then on the destination site do that hack of session4.inc and set their session id to the one passed in. You will want to verify the HTTP_REFERER so that sessions can only be "hi-jacked" by your sites.

Justin Walters

Today @ 3:45pm, James Stewart typed..

> I posted on this a while back but hadn't really thought through what I
> wanted to do.
>
> I have three sites which all share a single database and which I'd like
> to share a single shopping cart. The SSL certificate is only valid for
> one of the domains so I definitely need to be able to have that domain
> access carts started at either of the other sites. Two of the sites are
> on one server and the third is on another, along with the database.
>
> I'm using session4.inc and I'm guessing the best way to handle this
> would be to send three cookies when the user first visits any of the
> sites, one from each domain, each containing the session ID. I would
> then get the same session ID when the user went to any of the sites
> during that browser session.
>
> My initial attempt to do this involved hacking session4.inc so that if
> $cookie_domain is an array it sends a cookie from each domain listed but
> this doesn't appear to have worked. My sessions within one site have the
> same ID but when I move to either of the other sites I get a different
> ID.
>
> Any ideas?
>
> James.

_______________________________________________________
2 common misconceptions
0) Pain is bad.
1) Omniscience necessitates predestination.
From: Richard A. <rh...@ju...> - 2002-05-13 00:12:31
At 10:05 AM -0500 12/5/02, Walters Justin Peter wrote:

>so can you simply pass it in the URL?

That's the way I'd do it too.

>will want to verify the HTTP_REFERER so that sessions can only be
>"hi-jacked" by your sites.

HTTP_REFERER is supplied by the user and cannot be trusted.

...R.
From: Walters J. P. <jw...@sa...> - 2002-05-13 00:38:16
> >will want to verify the HTTP_REFERER so that sessions can only be
> >"hi-jacked" by your sites.
>
> HTTP_REFERER is supplied by the user and cannot be trusted.
>
Are you then forced to do some kind of server-side authentication? How
vulnerable are your user accounts w/ this sort of hack in place? I'm just
wondering if the age of session id's renders further security pointless,
considering it would be very difficult to get a hold of a session id.
Possibly the biggest concern is for any pages on your site that already
end up putting the session id in the URL which would then show up on
referrer logs... which happens w/ all non-cookie browsers.
Justin
From: Richard A. <rh...@ju...> - 2002-05-13 03:27:02
At 7:38 PM -0500 12/5/02, Walters Justin Peter wrote:

>> >will want to verify the HTTP_REFERER so that sessions can only be
>> >"hi-jacked" by your sites.
>>
>> HTTP_REFERER is supplied by the user and cannot be trusted.
>>
>
>Are you then forced to do some kind of server-side authentication?

If you pass the session ID in the url, you are effectively doing server-side authentication, because (presumably) only the server and the client know the session ID. Assuming that is you're running an SSL connection... and that's the first thing to do when security is important!

...R.
From: Michael C. <mdc...@mi...> - 2002-05-13 03:59:21
On Sun, May 12, 2002 at 03:45:07PM +0100, James Stewart wrote:

> I posted on this a while back but hadn't really thought through what I
> wanted to do.
>
> I have three sites which all share a single database and which I'd like
> to share a single shopping cart. The SSL certificate is only valid for
> one of the domains so I definitely need to be able to have that domain
> access carts started at either of the other sites. Two of the sites are
> on one server and the third is on another, along with the database.
>
> I'm using session4.inc and I'm guessing the best way to handle this
> would be to send three cookies when the user first visits any of the
> sites, one from each domain, each containing the session ID. I would
> then get the same session ID when the user went to any of the sites
> during that browser session.
>
> My initial attempt to do this involved hacking session4.inc so that if
> $cookie_domain is an array it sends a cookie from each domain listed but
> this doesn't appear to have worked. My sessions within one site have the
> same ID but when I move to either of the other sites I get a different
> ID.

Just some general thoughts.

First, you can't set or read cookies from other domains. If you wanted to go that way, the only way to really do it would be to set the cookie and redirect to the other two domains, basically a redirect circle that would end up on the first site again. I wouldn't recommend that.

If you want to use the same session, and can get to the session information from all three (note that I strongly suggest using the file based sessioning for php4), then you can do what you want and pass the session id as part of each cross-site url. You should have some logic on the other sites to check the referring url on the way in. While it's true that it can be spoofed, and that doesn't make it more secure, it does keep it from being accidentally passed in from another site (i.e. someone posts a link on another site that includes a session id).

Also note that the same security issue exists on any given site, anyway. If someone nabs your session id while you're logged in, they can take over your session easily.

Anyway, if you don't feel safe just passing the session id, you can always use a shared key encryption scheme to pass information from one domain to another through URLs. I just don't know what you'd gain in that case.

Michael

--
Michael Darrin Chaney
mdc...@mi...
http://www.michaelchaney.com/
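Justin's suggestion of carrying the session id in the cross-site link, Richard's point that HTTP_REFERER is client-supplied and cannot be the check, and Michael's mention of a shared key between the domains fit together as a signed, short-lived handoff link. The code below is an added example written for this thread; it is not phplib code, nor anything posted by the participants. It assumes PHP 7.1 or later (for hash_hmac, hash_equals and nullable types), that all three sites hold the same secret in HANDOFF_SECRET, and that their clocks are roughly in sync. The function names, constants, hosts and the session id in the demo are hypothetical, constructed for illustration.

```php
<?php
// Added example (not phplib code). Assumption: every participating site
// shares HANDOFF_SECRET and has a reasonably accurate clock.
const HANDOFF_SECRET = 'replace-with-a-long-random-shared-secret';
const HANDOFF_TTL    = 60;   // seconds a handoff link stays usable
const CLOCK_SKEW     = 5;    // seconds of clock drift tolerated

// Sending site: build a link to $dest_host that carries the session id.
// The destination host and a timestamp are bound into the HMAC, so the
// token cannot be replayed against a different site or used much later.
function make_handoff_url(string $dest_host, string $path, string $session_id, ?int $now = null): string
{
    $now  = $now ?? time();
    $data = $dest_host . '|' . $session_id . '|' . $now;
    $mac  = hash_hmac('sha256', $data, HANDOFF_SECRET);
    $query = http_build_query(['sid' => $session_id, 'ts' => $now, 'mac' => $mac]);
    return 'https://' . $dest_host . $path . '?' . $query;
}

// Receiving site: recompute the MAC over *its own* host name and the
// presented values. Returns the session id to adopt, or null if the link
// was not made with our secret, was made for another site, or has expired.
// HTTP_REFERER is deliberately not consulted: the MAC is the proof of origin.
function accept_handoff(array $query, string $my_host, ?int $now = null): ?string
{
    $now = $now ?? time();
    foreach (['sid', 'ts', 'mac'] as $k) {
        if (!isset($query[$k]) || !is_string($query[$k])) {
            return null;
        }
    }
    // Only accept a plausibly shaped session id and an integer timestamp.
    if (!ctype_digit($query['ts']) || !preg_match('/^[A-Za-z0-9]{1,64}$/', $query['sid'])) {
        return null;
    }
    $ts = (int) $query['ts'];
    if ($ts > $now + CLOCK_SKEW || $now - $ts > HANDOFF_TTL) {
        return null;                       // from the future, or too old
    }
    $expected = hash_hmac('sha256', $my_host . '|' . $query['sid'] . '|' . $ts, HANDOFF_SECRET);
    if (!hash_equals($expected, $query['mac'])) {
        return null;                       // forged, tampered, or for another host
    }
    return $query['sid'];
}

// Demo with constructed values: site A links to the SSL-enabled shop host.
$url = make_handoff_url('shop.example.com', '/cart.php', 'a1b2c3d4e5f6', 1000000);
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);

var_dump(accept_handoff($q, 'shop.example.com', 1000010));   // accepted: right host, 10 s old
var_dump(accept_handoff($q, 'other.example.net', 1000010));  // rejected: token bound to shop.example.com
var_dump(accept_handoff($q, 'shop.example.com', 1000100));   // rejected: older than HANDOFF_TTL
$tampered = $q;
$tampered['sid'] = 'ffffffffffff';
var_dump(accept_handoff($tampered, 'shop.example.com', 1000010)); // rejected: MAC no longer matches
```

On a successful accept_handoff the receiving site would set its own session cookie for that id and redirect to the same path without the query string, so the id does not stay in the address bar or leak into referrer logs (the concern Justin raised). Binding the token to the destination host and a short TTL limits what a leaked or bookmarked link is worth; it does nothing for browsers that refuse cookies, where phplib already carries the id in every URL, and it still relies on SSL on both ends to keep the id off the wire.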