Daniel Brown wrote:
> On Sun, Jul 12, 2009 at 12:37, Daniel Kolbo<kolb0...@umn.edu> wrote:
>> Hello,
>> How does one continue a php session on a different domain (domain B)
>> than the domain (domain A) that started the session?
>     Simple answer: you don't.
>     Extended answer: you can, but only if the domains reside on the
> same physical host, or in a setup where one domain can read the
> physical files of another across hosts.  When you store information in
> a $_SESSION array, it stores one key (the PHPSESSID value) in a cookie
> on the client side, and then stores what is supposed to be a
> more-secure version of the cookie - containing all of the stored data
> - as a flat file on the server side (usually in /tmp or ~/tmp).  As
> such, you shouldn't be able to read them from a different domain....
> unless your host is insecure, in which you won't have to worry only
> about this, but also full cross-site-scripting vulnerabilities.  Other
> options would be "parking" or doing an "addon" domain, or something of
> the like.  However, this all gets more into operating system and
> network security, and HTTP server configurations.
>     Combined answer: you can, but you should really re-evaluate your
> code and current capabilities before trying to do so.  You may even
> want to consider setting up a trust relationship with a centralized
> database such as MySQL to allow the second domain to READ ONLY from
> the first.  Check in the database on the first domain to see if a user
> is logged in, if they were active within the last x
> (seconds|minutes|hours), and from what IP they were logged in.  If
> things seem to match up, write the $_SESSION variables for login
> without prompting the user to re-authenticate manually.

Thanks for the responses.

Re: Simple answer
I thought of another example.  My bank's website.  I sign-in and
authenticate with "bank.com".  Then, i click credit card from bank.com
and i'm redirected to "creditcard.com" without me having to reinput
user/pass.  They clearly do it (granted they have a lot more resources
then I do, but i'd still like to know how they are doing it).

Re: extended answer
Not that i'd be able to do this, but what type of software is required
to set up two remote physical hosts that can share files?  Can this be
accomplished through apache or perhaps plugging in some network app into

I don't fully understand how 'parking/addon' domains would accomplish
the goal.  Would you explain this option a bit more thoroughly please?

Re: combined answer
The trust relationship idea is what i have to work with.  However, i am
not using IP addresses for authentication as I was told this could
alienate legitimate users and that IPs may be easily masked.  Thus, i
was thinking about using a one-time-access token passed in the url
(essentially the same idea as the password verification links sent to
email in-boxes).  Once the user enters domain B with the one time access
token, compare this token with last activity time via MySQL.  Then if
all looks okay to set a cookie with the same sesion ID as was
established on domain A.  As request time on domain A and subsequent
request time on domain B are very close together I could require that
the IPs stay consistent during that short-lived time frame.
Does the above all seem reasonable (though headache prone)?  I'm curious
to hear your two cents.

I am also curious to know how the big boys do this type of thing.  Do
you have any links, software applications names, or other types of
keywords i could use to research about this type of thing?

Thanks for your time,

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to