I am building a site which allows a user to point a CNAME record at my site to run their "profiles"; this allows your OWN domain name to load your profile on my site.

This is raising all sorts of issues related to sessions. I have seen virb do it. I don't see any of the information that is session based in an iFrame... but there IS an iFrame present on the page.

I can get the domain stuff to work, I just lose session data... Any ideas?

(Here is an example --Links to Virb-- http://www.agentspider.com/ )

+2  A: 

The only way is to add session id-s to the url-s that go from one domain to another (or add that session id to the iframe src url), and then code your session storage backend to handle this.

Of course, you need to consider all the security issues that this approach brings along.

Anti Veeranna
A: 

Hi there, not sure I understand your problem. Is it something like another domain calling something like www.userprofiles.com/profile.php?userid=1 and displaying the results? In this case profile.php will generate a new session id whenever it gets called. You need to set different ids for every external domain using your site and change profile.php to something like:

```php
<?php
// Adopt a caller-supplied session id before starting the session.
// Note: any client that knows or chooses the id joins that session
// (session fixation), so the ids must be generated server-side and
// handed only to the trusted external domains.
if (isset($_REQUEST['sid'])) {
    session_id($_REQUEST['sid']);
}
session_start();
```

and call the script like this: www.userprofiles.com/profile.php?userid=1&sid=somesessionid1234

silverskater
+2  A: 

You can't set cookies cross domain by default. I believe you can set up a P3P file(s) to enable it. http://p3ptoolbox.org/guide/section4.shtml#IVd I haven't done this myself, so I don't know how many browsers implement it or if it even works that way.

Virb looks like it's just using JavaScript. It has an AJAX library that makes a JSON-P request to the virb server if no session cookie is set. (On the first load in Firefox you can see this in Firebug.) The JSON response just lets the page know if the user is logged in or not, and updates the portions of the page that need to reflect user status.

So what's happening is the page embeds some JS from virb.com. Since the domain is virb.com, the cookies set for virb.com are sent to the server. The server then responds with the result of the cookie to the external site.

In the case of virb, which won't work properly without JS, I think that's a good option. However, you could do the same with HTTP redirects.

If the HTTP Host is not the main domain (example.com):

```php
<?php
// On a CNAME'd host with no session cookie yet, bounce through the main site.
if (empty($_COOKIE['sessionid']) && $_SERVER['HTTP_HOST'] != 'example.com') {
    // redirect to your main site
    header('Location: http://example.com');
    exit;
}
```

On the main site, set the cookie, and send the user back to the external domain (domain.com) passing the session id in the Location.

```php
<?php
// On the main site the session cookie is present, so hand the id back to
// the external domain in the Location URL.
header('Location: http://domain.com/?sessid=' . urlencode($_COOKIE['sessionid']));
exit;
```

The final bit is to redirect back to the page you were on now that you have the same session going.

```php
<?php
// Back on the external domain: store the handed-over id in a cookie for
// this host, then redirect to a clean URL so the id leaves the address bar.
setcookie('sessionid', $_GET['sessid']); // sessid in $_GET['sessid']
header('Location: http://domain.com/');
exit;
```

Note, in actuality you can send the page you're currently on back to example.com in the first step, so you can redirect back to it later.

Since you're just using headers (you don't need to output content), and in most cases HTTP/1.1, so you'll be on the same TCP socket, I think it's pretty efficient and will be more widely supported than the JavaScript option.

Edit: don't forget to set the cookie when you get back to external domain.

The last step is optional, but it keeps the sessid from being in a URL, which is more of a security issue than keeping it in HTTP headers.

bucabay
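As an added example that is not part of any of the answers above, here is the three-step redirect handoff from the last answer written so that a short-lived, single-use token travels in the URL instead of the raw session id. It assumes example.com is the main domain, agentspider.com is a registered profile host, and two helper functions handoff_put()/handoff_take() that read and write a store shared by both hosts (a database table of token, session id and expiry, for instance).

```php
<?php
// Added example (not from the answers above): three-step redirect handoff.
// Assumed: example.com is the main domain, agentspider.com is a registered
// profile host, and handoff_put()/handoff_take() read and write a store
// shared by both hosts (e.g. a DB table: token -> session id, expiry).
const MAIN_HOST     = 'example.com';
const PROFILE_HOSTS = ['agentspider.com'];
const TOKEN_TTL     = 60;   // seconds a handoff token stays valid

$host = $_SERVER['HTTP_HOST'];
$path = strtok($_SERVER['REQUEST_URI'], '?');   // current page, query stripped

if ($host === MAIN_HOST && isset($_GET['handoff_to'])) {
    // Step 2, on the main domain: the browser sends the real session cookie
    // here. Mint a single-use token bound to this session and send the user
    // back, but only to a host we know points at us (no open redirect).
    $return = $_GET['handoff_to'];
    if (!in_array(parse_url($return, PHP_URL_HOST), PROFILE_HOSTS, true)) {
        http_response_code(400);
        exit;
    }
    session_start();
    $token = bin2hex(random_bytes(32));
    handoff_put($token, session_id(), time() + TOKEN_TTL);
    header('Location: ' . $return . '?handoff=' . urlencode($token));
    exit;
}

if ($host !== MAIN_HOST && isset($_GET['handoff'])) {
    // Step 3, on the external domain: redeem the token once; an unknown,
    // expired or reused token just yields a fresh anonymous session.
    $sid = handoff_take($_GET['handoff']);   // returns null when invalid
    if ($sid !== null) {
        session_id($sid);   // adopt the main-domain session
    }
    session_start();        // sets the session cookie for this host
    header('Location: ' . $path);   // final hop: token leaves the URL
    exit;
}

if ($host !== MAIN_HOST && empty($_COOKIE[session_name()])) {
    // Step 1, on the external domain with no session cookie yet: bounce
    // through the main domain, remembering the page we are on.
    $self = 'http://' . $host . $path;
    header('Location: http://' . MAIN_HOST . '/?handoff_to=' . urlencode($self));
    exit;
}

session_start();   // ordinary request: the session cookie is already present
```

Because the token is consumed on first use and expires after TOKEN_TTL seconds, a copy of the URL left in browser history, a referrer or a proxy log no longer lets anyone else join the session.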
Would it be possible to show an example of the JS solution? I am trying to do it, but I don't really understand the process.