On Monday 13 July 2009 14:15:18 Bob McConnell wrote:
> From: Daniel Kolbo
> > Daniel Brown wrote:
> >> On Sun, Jul 12, 2009 at 12:37, Daniel Kolbo<kolb0...@umn.edu> wrote:
> >>> Hello,
> >>>
> >>> How does one continue a PHP session on a different domain (domain B)
> >>> than the domain (domain A) that started the session?
> >>
> >>     Simple answer: you don't.
> >
> > Thanks for the responses.
> >
> > Re: Simple answer
> > I thought of another example.  My bank's website.  I sign-in and
> > authenticate with "bank.com".  Then, I click credit card from bank.com
> > and I'm redirected to "creditcard.com" without me having to reinput
> > user/pass.  They clearly do it (granted they have a lot more resources
> > than I do, but I'd still like to know how they are doing it).
>
> My bank also does this, but it only works if JavaScript is enabled when
> I first log in. Otherwise the initial login fails and I do it again on
> the second site. I haven't actually looked at the page sources to see
> what they do. But I have NoScript configured to block all JS by default
> so the initial login attempt always fails. It also reports blocked XSS
> attempts on both pages. So whatever they are doing does not appear to be
> very safe.
> Bob McConnell

Just a thought, but as the session ID normally gets automatically added to the 
header request by a browser, could you not add it into the form itself as you 
move from one domain to another?

AFAIK, PHP tends to prefer the PHPSESSID as an element in the $_COOKIE array 
(or the $_REQUEST array which is made up from the cookie as well) so you 
might be able to do some clever playing around to achieve the effect?


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
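
Added example, not part of the original thread: a hidden form field posted from domain A to domain B can carry a short-lived, single-use HMAC-signed token instead of the raw PHPSESSID, so the session identifier itself never leaves domain A. The shared key, the 60-second lifetime, the function names and the in-memory `$seen` store are assumptions made for this sketch.

```php
<?php
// Added illustration; key, lifetime and names are assumptions, not from the thread.
const HANDOFF_KEY = 'constructed-demo-key-change-me'; // secret shared by both domains
const HANDOFF_TTL = 60;                               // seconds a token stays valid

// Domain A: build the hidden form field value for an already authenticated user.
function handoff_issue(string $userId, int $now): string
{
    $payload = json_encode(['uid' => $userId, 'exp' => $now + HANDOFF_TTL,
                            'nonce' => bin2hex(random_bytes(16))]);
    $body = base64_encode($payload);
    return $body . '.' . hash_hmac('sha256', $body, HANDOFF_KEY);
}

// Domain B: verify the posted token; returns the user id, or null on any failure.
// $seen stands in for a store of used nonces (database or cache in practice).
function handoff_accept(string $token, int $now, array &$seen): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // Constant-time MAC check, done before the payload is parsed.
    if (!hash_equals(hash_hmac('sha256', $body, HANDOFF_KEY), $mac)) {
        return null;
    }
    $claims = json_decode(base64_decode($body, true) ?: '', true);
    if (!is_array($claims) || !isset($claims['uid'], $claims['exp'], $claims['nonce'])) {
        return null;
    }
    if ($now > $claims['exp'] || isset($seen[$claims['nonce']])) {
        return null; // expired, or this token was already used
    }
    $seen[$claims['nonce']] = true; // single use
    // On success domain B would start its own session and call
    // session_regenerate_id(true) before storing the user id in $_SESSION.
    return $claims['uid'];
}

// Constructed demo run from the CLI.
$seen  = [];
$token = handoff_issue('user-42', time());
var_dump(handoff_accept($token, time(), $seen));       // fresh token
var_dump(handoff_accept($token, time(), $seen));       // same token replayed
var_dump(handoff_accept($token . 'x', time(), $seen)); // tampered MAC
var_dump(handoff_accept(handoff_issue('user-42', time() - 120), time(), $seen)); // expired
```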
