Hi,

I have seen a few answers to this on SOF, but most of these are concerned with the use of subdomains, and none of them have worked for me. The common one being the use of session.cookie_domain, which from my understanding will only work with subdomains.

I am interested in a solution that deals with entirely different domains (and includes the possibility of subdomains). Unfortunately, project deadlines being what they are, time is not on my side, so I turn to SOF's expertise and experience.

The current project brief is to be able to log into one site, which currently only stores the user_id in the session, and then be able to retrieve this value while on a different domain within the same server environment. Session data is being stored/retrieved from a database where the session id is the primary key.

I am hoping to find a "lightweight" and "easy" to implement solution.

The system is utilising an in-house Model View Controller design pattern, so all requests (including different domains) are run through a single bootstrap script. Using the domain name as a variable, this determines what context to display to the user.

One option that did look to have potential is the use of a hidden image and using the alt tag to set the user id. My first impressions suggest this immediately seems "too easy" (if possible) and riddled with security flaws. Discuss?

Another option which I considered is using the IP and User Agent for authentication, but again I feel this is not going to be a reliable option due to shared networks and changing IP addresses.

My third option (and preferred), which I considered and have as yet not seen discussed, is using htaccess to fool the user into thinking that they are on a different domain when in fact Apache is redirecting; something like

www.foo.com/index.php?domain=bar.com&controller=news/categories/1
but displays to the user as
www.bar.com/news/categories/1

foo.com represents the "main site domain" which all requests are run through and bar.com is what the user thinks they are accessing. The controller request dictates the page and view being requested. Is this possible?

Are there other options? Pros/Cons?

Thanks in advance!!!

A: 

Have you thought about using session_set_save_handler? You can store your sessions in a database and access them from any domain.

Galen
I am using this. The problem is that the session_id generated by PHP is different for each domain.
bigstylee
Can you not identify the user by the session id? Use a different column in the table. You'll have multiple rows for each user but you can set one row to the same value. I've never done this before, just throwing stuff out there.
Galen
foo.com gives a session id of ABC123 and bar.com gives a session id of QWERTY. Unless I compare IP/UserAgent there is no way (that I know of) to know that ABC123 and QWERTY are pointing to the same user. The database query that retrieves the session data is SELECT * FROM sessions WHERE session_id="%string". Or am I missing your point?
bigstylee
A: 

For the benefit of anyone else interested in this functionality, there is no simple answer, I am afraid. Google "Single Sign On" and it will come back with the technology and some solutions available.

As for using htaccess to hide the domain name, this is not possible as it could be used for malicious activities.

I have now successfully implemented a system to achieve my requirements.

bigstylee
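
One common single sign-on pattern for domains that share a session database, as in the question, is a short-lived, single-use token that the logged-in site passes to the other domain in a redirect. The PHP below is an added example, not the poster's implementation; the sso_handoff table, the function names, the host names and the user id are hypothetical, and an in-memory SQLite database stands in for the shared one.

```php
<?php
// Added example: one-time login handoff between two domains sharing one database.
declare(strict_types=1);

const HANDOFF_TTL = 30; // seconds a token stays valid (assumed value)

function handoff_schema(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS sso_handoff (
        token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
        target_host TEXT NOT NULL, expires_at INTEGER NOT NULL)');
}

// Runs on foo.com for an authenticated user; the token goes into the redirect URL.
function issue_handoff_token(PDO $db, int $userId, string $targetHost, int $now): string {
    $token = bin2hex(random_bytes(32)); // unguessable, never derived from user data
    $stmt = $db->prepare('INSERT INTO sso_handoff VALUES (?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, $targetHost, $now + HANDOFF_TTL]);
    return $token; // only the hash is stored, so a database leak exposes no live token
}

// Runs on bar.com; yields the user_id once, null if unknown, expired, reused or wrong host.
function redeem_handoff_token(PDO $db, string $token, string $host, int $now): ?int {
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $sel = $db->prepare('SELECT user_id FROM sso_handoff
                         WHERE token_hash = ? AND target_host = ? AND expires_at >= ?');
    $sel->execute([$hash, $host, $now]);
    $userId = $sel->fetchColumn();
    $del = $db->prepare('DELETE FROM sso_handoff WHERE token_hash = ?');
    $del->execute([$hash]); // consumed on every attempt, so a token is never usable twice
    $db->commit();
    // rowCount() === 1 means this request, not a concurrent one, consumed the row.
    return ($userId !== false && $del->rowCount() === 1) ? (int) $userId : null;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
handoff_schema($db);
$now = time();

// Constructed sample values: user 42 moving from foo.com to www.bar.com.
$token = issue_handoff_token($db, 42, 'www.bar.com', $now);
var_dump(redeem_handoff_token($db, $token, 'www.bar.com', $now));        // first use
var_dump(redeem_handoff_token($db, $token, 'www.bar.com', $now));        // replay
$late = issue_handoff_token($db, 42, 'www.bar.com', $now);
var_dump(redeem_handoff_token($db, $late, 'www.bar.com', $now + 31));    // past the TTL
$other = issue_handoff_token($db, 42, 'www.bar.com', $now);
var_dump(redeem_handoff_token($db, $other, 'other.example', $now));      // wrong host
```

On a successful redeem, the receiving domain would call session_regenerate_id(true) before storing the user_id in its own session, and the redirect carrying the token should only travel over HTTPS.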