Re: [PHP] Cross-Site Session ID Propagation

2002-07-08 Thread Chris Shiflett

Stefen,

There is no built-in way to do what you are speaking about here (that I 
know of), but there is a pretty easy technique. However, even this 
requires a lot of work to integrate into your existing code, but it will 
ease all future additions and maintenance.

Keep a variable called something like $next_query_string (so you don't 
confuse it with the current one - you can just use $query or something 
if you prefer brevity), and keep up with any and all variables that you 
may need to include in all of your external links to other affiliated sites.

For example:

$next_query_string = "sid=1234567";

For all links where you're wanting to include the session ID in the URL, 
build them as follows:

<a href="http://www.site3.com/<?php echo $next_query_string; ?>">Site 3</a>

I'm sure this seems like just as much work, but once in place, your 
development will be much easier.

This will also allow you to add conditional logic to which sites receive 
the special sauce in their URL. :-)

<?php
if (in_array("www.site3.com", $hosts_allow))
{
?>
<a href="http://www.site3.com/<?php echo $next_query_string; ?>">Site 3</a>
<?php
}
else
{
?>
<a href="http://www.site3.com/">Site 3</a>
<?php
}
?>

This will also allow you to make global changes to how you handle this 
cross-domain session management. I wrote an extensive CDSM specification 
for the USPS to use (if you ever notice, many of their services are 
not in the usps.com domain) that leverages the HTTP protocol to maintain 
*some* security. I would recommend that you also consider passing 
additional information on the URL that is, for example, some encrypted 
information about the client that would at least be somewhat challenging 
to spoof. This would make it more difficult for someone to impersonate 
your user, since more than just the session ID on the URL would be 
necessary. How secure you want to make this needs to be balanced with 
your performance requirements, of course, because checks do take time.

Just a suggestion.

Happy hacking.

Chris

Stefen Lars wrote:

 Hello all fellow-hackers

 I am working on a project that includes a number of web sites, which 
 are grouped together into one network. Kind of like the 'OSDN' 
 network, of which Slashdot.org, for example, is a member. 



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Cross-Site Session ID Propagation

2002-07-08 Thread Chris Shiflett

I made an error in my explanation (below). The reason you don't want to 
include the query string separator character in your variable is to 
allow flexibility with the types of URLs you can easily integrate this 
in with. My example should have looked like this:

<a href="http://www.site3.com/?<?php echo $next_query_string; ?>">Site 3</a>

The same conditional logic can be used. This allows for URLs that 
already have a query string to be addressed as follows:

<a href="http://www.site3.com/index.php?task=incoming&amp;<?php echo $next_query_string; ?>">Site 3</a>

Happy hacking.

Chris





Re: [PHP] Cross-Site Session ID Propagation

2002-07-08 Thread Stefen Lars

Hello Chris

And thank you for your comments and suggestions.

I think that the solution you offer is a great idea. However, in my case, I 
may not be able to implement it as I, as the webmaster, do not always get 
the chance to add ‘$next_query_string’ to the <a href>. Some of the cross-site 
links are added to discussion forums by the users.

I will try making a wrapper function that makes the ‘special sauce’ links in 
the normal body of the pages. That will just leave the cross-site links in 
the forum. Maybe I will be able to implement a special solution for the 
forum…

May I ask what ‘CDSM specification’ is… I am not familiar with the term.

Thanks again for your comments. They have been really helpful to me.

Stefen






From: Chris Shiflett [EMAIL PROTECTED]
To: Chris Shiflett [EMAIL PROTECTED]
CC: Stefen Lars [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [PHP] Cross-Site Session ID Propagation
Date: Mon, 08 Jul 2002 17:31:02 -0500

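As an added example (not code from the thread), the wrapper function Stefen describes above, extended with the two points from Chris's replies: the '?' versus '&' separator for URLs that already carry a query string, and extra client-bound information that makes a propagated session ID harder to spoof. The allowed-host list and site3.com come from the thread; the HMAC key, the 300 second expiry and the sample client address are assumptions.

```php
<?php
// Added example, not code from the thread. A wrapper builds cross-site links
// for affiliated hosts, appends the session ID with the right separator
// ('?' or '&'), and adds an HMAC binding the ID to the client plus an expiry,
// so a copied URL alone is harder to replay. $hosts_allow and site3.com come
// from the thread; $cdsm_key and the 300 s TTL are assumptions.

$hosts_allow = ['www.site3.com', 'www.site2.com'];
$cdsm_key    = 'replace-with-a-long-random-secret-shared-by-the-network'; // assumed shared secret

// The value Chris keeps in $next_query_string, extended with exp and mac.
function next_query_string(string $sid, string $client_ip, string $key, int $ttl = 300): string
{
    $exp = time() + $ttl;
    $mac = hash_hmac('sha256', "$sid|$client_ip|$exp", $key);
    return http_build_query(['sid' => $sid, 'exp' => $exp, 'mac' => $mac]);
}

// Append $qs only when the link's host is affiliated; other hosts get the plain URL.
function affiliate_link(string $url, string $text, string $qs, array $hosts_allow): string
{
    $host = parse_url($url, PHP_URL_HOST);
    if ($host !== null && in_array($host, $hosts_allow, true)) {
        // '&' when the URL already has a query string (the '?' vs '&' point from the thread).
        $sep  = parse_url($url, PHP_URL_QUERY) === null ? '?' : '&';
        $url .= $sep . $qs;
    }
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES) . '">' . htmlspecialchars($text) . '</a>';
}

// Receiving site: adopt the propagated ID only if the MAC matches and it is still fresh.
function verify_propagated_sid(array $get, string $client_ip, string $key): ?string
{
    if (!isset($get['sid'], $get['exp'], $get['mac']) || !is_string($get['sid'])
        || !is_string($get['mac']) || (int) $get['exp'] < time()) {
        return null;
    }
    $expected = hash_hmac('sha256', $get['sid'] . '|' . $client_ip . '|' . (int) $get['exp'], $key);
    return hash_equals($expected, $get['mac']) ? $get['sid'] : null;
}

// Demo with a constructed session ID and client address.
$qs = next_query_string('1234567', '203.0.113.5', $cdsm_key);
echo affiliate_link('http://www.site3.com/', 'Site 3', $qs, $hosts_allow), "\n";
echo affiliate_link('http://www.site3.com/index.php?task=incoming', 'Site 3', $qs, $hosts_allow), "\n";
echo affiliate_link('http://www.example.org/', 'Not affiliated', $qs, $hosts_allow), "\n";
parse_str($qs, $incoming);                     // what the receiving site sees in $_GET
var_dump(verify_propagated_sid($incoming, '203.0.113.5', $cdsm_key));   // the original ID
var_dump(verify_propagated_sid($incoming, '198.51.100.9', $cdsm_key));  // rejected: other client
```

Binding to the client address breaks for users behind NAT or changing proxies, so a less volatile client attribute may be a better choice in practice. The short expiry limits how long an ID leaked through Referer headers or server logs stays usable, but it does not remove that exposure.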




Re: [PHP] Cross-Site Session ID Propagation

2002-07-08 Thread Chris Shiflett

Stefen Lars wrote:

 I think that the solution you offer is a great idea. However, in my 
 case, I may not be able to implement it as I, as the webmaster, do not 
 always get the chance to add '$next_query_string' to the a href. Some 
 of the cross-site links are added to discussion forums by the users.


In that case, it might be worth looking into Apache's mod_rewrite by 
Ralf Engelschall. However, being able to wrap this up cleanly in the 
way you are wanting is going to require some fairly sophisticated coding 
on your part. Someone else can maybe give more direction in this area, 
as you might have access to some API functions in Apache to where you 
could write your own PHP extension and at least stay within the realm of 
PHP. This is, however, beyond my area of expertise, so I won't try to 
offer suggestions here. I do think this is the right tool to research to 
at least get you started.

 May I ask what 'CDSM specification' is... I am not familiar with the 
 term. 


CDSM is just an acronym for cross-domain session management. Sorry for being 
ambiguous. I hate when people do that. :-)

Happy hacking.

Chris

