You could override the session handler to make it save session data in a database shared by your different websites.
Then, you'd have to set a session cookie with the same session ID on each server.
You'd have to use session_set_save_handler and write something like this:
/**
 * Session "open" callback.
 *
 * The shared-database handler needs no per-request setup (the PDO
 * connection in $db is expected to exist already), so this always
 * reports success.
 *
 * @param string $path session save path (unused)
 * @param string $id   session id (unused)
 * @return bool always true
 */
function xx_session_open($path, $id){
    // Nothing to initialise here.
    return true;
}
/**
 * Session "close" callback.
 *
 * There is no per-request resource to release (the database connection
 * is shared), so this always reports success.
 *
 * @return bool always true
 */
function xx_session_close(){
    // Nothing to tear down here.
    return true;
}
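/**
 * Session "write" callback: encrypts the serialized session data and
 * upserts it into the shared `sessions` table together with its IV.
 *
 * The session id originates from the client's cookie, so it is untrusted;
 * it must only reach the query as a bound parameter (as it does here),
 * never by string interpolation.
 *
 * @param string $id   session id
 * @param string $data serialized session data
 * @return bool true when the row was written, false when the statement
 *              could not be prepared or executed
 * @global PDO $db shared database connection
 * @uses xx_crypt expected to return [ciphertext, iv] (see xx_session_read)
 */
function xx_session_write($id, $data){
    global $db;
    // xx_crypt is defined elsewhere; index 0 is the ciphertext, index 1 the IV.
    list($ciphertext, $iv) = xx_crypt($data);
    // REPLACE acts as insert-or-update keyed on `ID`; `lastUsed` is refreshed
    // so xx_session_gc can expire idle sessions.
    $sql = 'REPLACE INTO sessions (`ID`, `data`, `lastUsed`, `IV`) VALUES(:id, :data, NOW(), :iv)';
    $sth = $db->prepare($sql);
    if ($sth === false) {
        // prepare() returns false (instead of throwing) when PDO is not in
        // exception error mode; do not call execute() on false.
        return false;
    }
    // Report the real outcome rather than an unconditional true, so a failed
    // save is surfaced to PHP instead of silently losing the session.
    return $sth->execute(array(':id'=>$id, ':data'=>$ciphertext, ':iv'=>$iv));
}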
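/**
 * Session "read" callback: loads the encrypted row for a session id and
 * returns the decrypted serialized data.
 *
 * The session id originates from the client's cookie, so it is untrusted;
 * it is bound as a parameter (as it must be), never interpolated.
 *
 * @param string $id session id
 * @return string decrypted session data, or '' when the session does not
 *                exist yet (new/expired/destroyed id) or the lookup failed
 * @global PDO $db shared database connection
 * @uses xx_decrypt
 */
function xx_session_read($id){
    global $db;
    $sql = 'SELECT `data`, `IV` FROM sessions WHERE `ID`=:id';
    $sth = $db->prepare($sql);
    if ($sth === false || !$sth->execute(array(':id'=>$id))) {
        // Could not query: PHP's read contract is an empty string, never false/null.
        return '';
    }
    $row = $sth->fetch();
    // A brand-new session (or one already destroyed/garbage-collected) has no
    // row: fetch() returns false. The original code passed nulls into
    // xx_decrypt in that case; the save handler contract is to return ''.
    if ($row === false) {
        return '';
    }
    list($ciphertext, $iv) = $row;
    // NOTE(review): xx_decrypt is defined elsewhere; if it signals failure with
    // false/null the cast yields '' (an empty session) instead of a non-string.
    return (string) xx_decrypt($ciphertext, $iv);
}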
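/**
 * Session "destroy" callback: removes the row for a session id from the
 * shared `sessions` table.
 *
 * The session id is client-supplied and is bound as a parameter.
 *
 * @param string $id session id
 * @return bool true when the DELETE ran, false when the statement could
 *              not be prepared or executed
 * @global PDO $db shared database connection
 */
function xx_session_destroy($id){
    global $db;
    $sql = 'DELETE FROM sessions WHERE `ID`=:id';
    $sth = $db->prepare($sql);
    if ($sth === false) {
        // prepare() returns false when PDO is not in exception error mode.
        return false;
    }
    // Return the actual outcome instead of an unconditional true so a session
    // that could not be deleted (e.g. on logout) is not reported as destroyed.
    return $sth->execute(array(':id'=>$id));
}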
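/**
 * Session "gc" callback: deletes sessions whose `lastUsed` timestamp is
 * older than the configured lifetime.
 *
 * @param int $lifetime session lifetime in seconds (session.gc_maxlifetime)
 * @return bool true when the DELETE ran, false when the statement could
 *              not be prepared or executed
 * @global PDO $db shared database connection
 */
function xx_session_gc($lifetime){
    global $db;
    $sql = 'DELETE FROM sessions WHERE `lastUsed` < :limit';
    $sth = $db->prepare($sql);
    if ($sth === false) {
        // prepare() returns false when PDO is not in exception error mode.
        return false;
    }
    // The cutoff is computed in PHP's timezone, while `lastUsed` is written by
    // MySQL NOW() in xx_session_write. NOTE(review): both sides must use the
    // same timezone or expiry will be early/late — confirm in deployment.
    $limit = date('Y-m-d H:i:s', time() - (int) $lifetime);
    // Return the real outcome rather than an unconditional true.
    return $sth->execute(array(':limit'=>$limit));
}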
// Register the custom callbacks so PHP routes all session I/O through the
// shared database. This must run before session_start(); the argument order
// is fixed by PHP: open, close, read, write, destroy, gc.
session_set_save_handler(
    "xx_session_open",    // open
    "xx_session_close",   // close
    "xx_session_read",    // read
    "xx_session_write",   // write
    "xx_session_destroy", // destroy
    "xx_session_gc"       // gc
);
If all you want is a Single Sign On mechanism, you could check the Kerberos protocol which is made for that.