tags:

views:

157

answers:

2
+3  Q: 

PHP Shared Sessions across Domain

Hi,

I have seen a few answers to this on SOF but most of these are concerned with the use of subdomains, of which none have worked for me. The common one being that the use of session.cookie_domain, which from my understanding will only work with subdomains.

I am interested in a solution that deals with deals with entirely different domains (and includes the possibility of subdomains). Unfortunately project deadlines being what they are, time is not on my side, so I turn to SOF's expertise and experience.

The current project brief is to be able to log into one site which currently only stores the user_id in the session and then be able to retrieve this value while on a different domain within the same server enviroment. Session data is being stored/retrieved from a database where the session id is the primary key.

I am hoping to find a "light wieght" and "easy" to implement solution.

The system is utlising an in-house Model View Controller design pattern, so all requests (including different domains) are run through a single bootstrap script. Using the domain name as a variable, this determines what context to display to the user.

One option that did look like to have potential is the use of a hidden image and using the alt tag to set the user id. My first impressions suggest this immediately seems "too easy" (if possible) and riddled with security flaws. Disscuss?

Another option which I considered is using the IP and User Agent for authentication but again I feel this not going to be a reliable option due to shared networks and changing IP addresses.

My third option (and preferred) which I considered and as yet not seen discussed is using htaccess to fool the user into thinking that they are on a different domain when infact apache is redirecting; something like

www.foo.com/index.php?domain=bar.com&controller=news/categoires/1
but displays to the user as
www.bar.com/news/categories/1

foo.com represents the "main site domain" which all requests are run through and bar.com is what the user thinks they are accessing. The controller request dictates the page and view being requested. Is this possible?

Are there other options? Pros/Cons?

Thanks in advanced!!!

A: 

Have you thought about using session_set_save_handler. You can store your sessions in a database and access them from any domain.

Galen  2010-04-23 21:03:51
I am using this. The problem is that the session_id generated by PHP is different for each domain.
bigstylee  2010-04-23 21:22:50
can you not identify the user by the session id? use a different column in the table. youll have multiple rows for each user but you can set one row to the same value. ive never done this before, just throwing stuff out there.
Galen  2010-04-23 23:39:43
foo.com gives a session id of ABC123 and bar.com gives a session id of QWERTY. Unless I compare IP/UserAgent there is no way (that I know of) to know that ABC123 and QWERTY are pointing to the same user. The database query that retrieves the session data is SELECT * FROM sessions WHERE session_id="%string". Or am I missing youtr point?
bigstylee  2010-04-24 12:45:31
A: 

For the benefit for anyone else interested in this functionality, there is no simple answer I am afraid. Google "Single Sign On" and it will come back with a the technology and some solutions avialable.

As for using htaccess to hide the domain name, this is not possible as it could be used for malicious activities.

I have now successfully implemented a system to achive my requirements.

bigstylee  2010-04-25 20:20:11

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases