On Tue, Sep 1, 2009 at 2:22 AM, Behzad <behzad.esl...@gmail.com> wrote:

> Dear list,
> i'm trying to integrate two php-driven web applications, which both
> require the user to authenticate using a username and a password.
> Consider a situation where the user has logged-in to the 1st application.
> She
> clicks over a hyper-link, which directs her to the 2nd application. The
> challenge
> is to automatically authenticate the user on the 2nd application as well.
> i'm wondering how?
> Is it secure to store the username and password in the $_SESSION, and
> share the session between the two applications?
> Please let me know what do you think.
> Thank you in advance,
> -behzad

The best approach to shared sessions are, commonly, database driven, but
this can vary depending on your site/network topology.

If the two sites are in the same server (and the server is unique) you can
share sessions, but this is risky, so you have to develop with this issue in
mind, let's say avoid things like this.

$_SESSION[ 'something' ] = $somewhat; # you can be, probably, breaking the
other app

If you have more than just one web server, or you are planning to scale it
later, then the database driven fits better.
You need to share a cookie between both sites, often the "session_id", and
store the user-session info in a table.
If the user logs-in -no matter in which site- an entry on the user-session
table is set with the cookie and the user id.
When the user logs-out this entry is removed, and the user is not able to
navigate to private areas in both sites.

Avoid doing things like a form-post from SiteA to SiteB. This kind of things
only make holes to your application security system.
User credentials MUST not be handled at client-side. Keep them safetily at
server-side where you are who decide which action should be taken.

Martin Scotta

Reply via email to