What are some ways to identify a logged in user on the web?

Question

Here is the scenario:

There are 5 websites (different domain names) that need to share a session. I am using a bit of code on each site which returns a "blank.gif" image and at the same time sets the session (syncing it up to the current session). Each of the sites calls a session-img from each of the other sites. Also, all sites have access to the same database (where the session is stored). This works great on FF and Chrome, but not on IE (or Safari PC)...

I need to come up with an alternative method to keep a session active? The app is a small custom CMS, so really only 2-3 people will be using it.

I can probably identify user logins by IP and then continue to check for the IP accross all sites...

Is there something more granular such as a computer uuid that i can check for?

Answer 1

You could override the session handler to make it save session data in a database shared by your different websites. Then, you'd have to set a session cookie with the same session ID on each server. You'd have to use session_set_save_handler and make something like that :

/**
 * @desc function used to open sessions
 * @param string session path
 * @param string session id
 * @return bool
 */
function xx_session_open($path, $id){
  return true;
}

/**
 * @desc used when closing a session
 * @return bool
 */
function xx_session_close(){
  return true;
}

/**
 * @desc saves session data
 * @param string session id
 * @param string session data
 * @uses xx_crypt
 * @return bool
 * @global object PDO instance
 */

function xx_session_write($id, $data){
  global $db;
  $crypted = xx_crypt($data);
  // Saves data into db
  $sql = 'REPLACE INTO sessions (`ID`, `data`, `lastUsed`, `IV`) VALUES(:id, :data, NOW(), :iv)';
  $sth = $db->prepare($sql);
  $sth->execute(array(':id'=>$id, ':data'=>$crypted[0], ':iv'=>$crypted[1]));
  return true;
}

/**
 * @desc gets session data
 * @param string session ID
 * @return string
 * @global object PDO instance
 * @uses xx_decrypt
 */
function xx_session_read($id){
  global $db;
  $sql = 'SELECT `data`, `IV` FROM sessions WHERE `ID`=:id';
  $sth = $db->prepare($sql);
  $sth->execute(array(':id'=>$id));
  list($crypted, $iv) = $sth->fetch();
  $data = xx_decrypt($crypted, $iv);
  return $data;
}

/**
 * @desc destroys a session
 * @param string session ID
 * @return bool
 * @global object PDO instance
 */
function xx_session_destroy($id){
  global $db;
  $sql = 'DELETE FROM sessions WHERE `ID`=:id';
  $sth = $db->prepare($sql);
  $sth->execute(array(':id'=>$id));
  return true;
}

/**
 * @desc delete old sessions
 * @param int session lifetime (in seconds)
 * @return bool
 * @global object PDO instance
 */
function xx_session_gc($lifetime){
  global $db;
  $sql = 'DELETE FROM sessions WHERE `lastUsed` < :limit';
  $sth = $db->prepare($sql);
  $sth->execute(array(':limit'=>date('Y-m-d H:i:s',time() - $lifetime)));
  return true;
}

// Set session handler
session_set_save_handler("xx_session_open", "xx_session_close", "xx_session_read", "xx_session_write", "xx_session_destroy", "xx_session_gc");

If all you want is a Single Sign On mechanism, you could check the Kerberos protocol which is made for that.

Answer 2

Anything that would make this possible without cooperation from users would be a bug in regard to user privacy and anonymity which would eventually get fixed. Websites aren't supposed to be able to find out what other sites a user has been to and what he has done there.