Re: [PHP] Cross-Site Session ID Propagation
Stefen,

There is no built-in way to do what you are speaking about here (that I know of), but there is a pretty easy technique. However, even this requires a lot of work to integrate into your existing code, but it will ease all future additions and maintenance.

Keep a variable called something like $next_query_string (so you don't confuse it with the current one - you can just use $query or something if you prefer brevity), and keep up with any and all variables that you may need to include in all of your external links to other affiliated sites. For example:

    $next_query_string = "sid=1234567";

For all links where you're wanting to include the session ID in the URL, build them as follows:

    <a href="http://www.site3.com/<?php echo $next_query_string; ?>">Site 3</a>

I'm sure this seems like just as much work, but once in place, your development will be much easier. This will also allow you to add conditional logic to which sites receive the special sauce in their URL. :-)

    <?php if (in_array("www.site3.com", $hosts_allow)) { ?>
    <a href="http://www.site3.com/<?php echo $next_query_string; ?>">Site 3</a>
    <?php } else { ?>
    <a href="http://www.site3.com/">Site 3</a>
    <?php } ?>

This will also allow you to make global changes to how you handle this cross-domain session management.

I wrote an extensive CDSM specification for the USPS to use (if you ever notice, many of their services are not in the usps.com domain) that leverages the HTTP protocol to maintain *some* security. I would recommend that you also consider passing additional information on the URL that is, for example, some encrypted information about the client that would at least be somewhat challenging to spoof. This would make it more difficult for someone to impersonate your user, since more than just the session ID on the URL would be necessary. How secure you want to make this needs to be balanced with your performance requirements, of course, because checks do take time.

Just a suggestion.

Happy hacking.
Chris

Stefen Lars wrote:

> Hello all fellow-hackers
>
> I am working on a project that includes a number of web sites, which are grouped together into one network. Kind of like the 'OSDN' network, of which Slashdot.org, for example, is a member.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Cross-Site Session ID Propagation
I made an error in my explanation (below). The reason you don't want to include the query string separator character in your variable is to allow flexibility with the types of URLs you can easily integrate this in with. My example should have looked like this:

    <a href="http://www.site3.com/?<?php echo $next_query_string; ?>">Site 3</a>

The same conditional logic can be used. This allows for URLs that already have a query string to be addressed as follows:

    <a href="http://www.site3.com/index.php?task=incoming&amp;<?php echo $next_query_string; ?>">Site 3</a>

Happy hacking.

Chris
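An added example, not part of the original posts: one way to combine the host allowlist, the per-URL separator from the correction above, and the extra client-bound value recommended in the first reply. It swaps in an HMAC over the session ID, the User-Agent and an expiry time for the "encrypted information" mentioned there; LINK_KEY, client_token(), cross_site_link(), accept_sid() and all sample values are assumptions.

```php
<?php
// Added example. LINK_KEY, the function names and sample values are assumptions.
const LINK_KEY = 'replace-with-random-secret-shared-by-affiliated-sites';
$hosts_allow = ['www.site3.com']; // constructed allowlist

// Keyed hash binding the session ID to a client attribute and an expiry time.
function client_token(string $sid, string $userAgent, int $expires): string
{
    return hash_hmac('sha256', $sid . '|' . $userAgent . '|' . $expires, LINK_KEY);
}

// Sender: only allowlisted hosts receive the session ID and token.
function cross_site_link(string $url, string $sid, string $userAgent,
                         array $hosts_allow, int $ttl = 60): string
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || !in_array(strtolower($host), $hosts_allow, true)) {
        return $url;
    }
    $expires = time() + $ttl;
    $next_query_string = http_build_query([
        'sid' => $sid,
        'exp' => $expires,
        'tok' => client_token($sid, $userAgent, $expires),
    ]);
    // The separator is chosen per URL, not stored in the variable.
    $sep = parse_url($url, PHP_URL_QUERY) === null ? '?' : '&';
    return $url . $sep . $next_query_string;
}

// Receiver: accept the session ID only with a fresh token made for this client.
function accept_sid(array $query, string $userAgent): ?string
{
    $sid = $query['sid'] ?? null;
    $exp = $query['exp'] ?? null;
    $tok = $query['tok'] ?? null;
    if (!is_string($sid) || !is_string($exp) || !is_string($tok)) return null;
    if (!ctype_digit($exp) || (int) $exp < time()) return null;
    return hash_equals(client_token($sid, $userAgent, (int) $exp), $tok) ? $sid : null;
}

$ua   = 'Mozilla/5.0 (constructed sample)';
$link = cross_site_link('http://www.site3.com/index.php?task=incoming', '1234567', $ua, $hosts_allow);
echo '<a href="' . htmlspecialchars($link, ENT_QUOTES) . '">Site 3</a>', "\n";
parse_str((string) parse_url($link, PHP_URL_QUERY), $q);
var_dump(accept_sid($q, $ua));              // same client
var_dump(accept_sid($q, 'Other browser'));  // different User-Agent
```

The User-Agent is a weak client attribute, and a URL carrying a session ID can still leak through Referer headers or server logs, which is why the token carries a short expiry.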
Re: [PHP] Cross-Site Session ID Propagation
Hello Chris

And thank you for your comments and suggestions.

I think that the solution you offer is a great idea. However, in my case, I may not be able to implement it as I, as the webmaster, do not always get the chance to add '$next_query_string' to the a href. Some of the cross-site links are added to discussion forums by the users.

I will try making a wrapper function that makes the special sauce links in the normal body of the pages. That will just leave the cross site links in the forum. Maybe I will be able to implement a special solution for the forum.

May I ask what 'CDSM specification' is... I am not familiar with the term.

Thanks again for your comments. They have been really helpful to me.

Stefen

From: Chris Shiflett [EMAIL PROTECTED]
To: Chris Shiflett [EMAIL PROTECTED]
CC: Stefen Lars [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: [PHP] Cross-Site Session ID Propagation
Date: Mon, 08 Jul 2002 17:31:02 -0500

> I made an error in my explanation (below). The reason you don't want to include the query string separator character in your variable is to allow flexibility with the types of URLs you can easily integrate this in with. My example should have looked like this:
>
>     <a href="http://www.site3.com/?<?php echo $next_query_string; ?>">Site 3</a>
>
> The same conditional logic can be used. This allows for URLs that already have a query string to be addressed as follows:
>
>     <a href="http://www.site3.com/index.php?task=incoming&amp;<?php echo $next_query_string; ?>">Site 3</a>
>
> Happy hacking.
>
> Chris
Re: [PHP] Cross-Site Session ID Propagation
Stefen Lars wrote:

> I think that the solution you offer is a great idea. However, in my case, I may not be able to implement it as I, as the webmaster, do not always get the chance to add '$next_query_string' to the a href. Some of the cross-site links are added to discussion forums by the users.

In that case, it might be worth looking into Apache's mod_rewrite by Ralf Engelschall. However, being able to wrap this up cleanly in the way you are wanting is going to require some fairly sophisticated coding on your part. Someone else can maybe give more direction in this area, as you might have access to some API functions in Apache to where you could write your own PHP extension and at least stay within the realm of PHP. This is, however, beyond my area of expertise, so I won't try to offer suggestions here. I do think this is the right tool to research to at least get you started.

> May I ask what 'CDSM specification' is... I am not familiar with the term.

CDSM is just an acronym for cross-domain session management. Sorry for being ambiguous. I hate when people do that. :-)

Happy hacking.

Chris