views: 348
answers: 2

I am trying to create a single sign on process. The method I have implemented makes use of storing session data in a database.

When a new user comes to the website (www.example2.com) a table of authentication is checked. As this is their first visit to the website, there will be no match.

The browser is redirected to the authentication server www.example1.com/authenticate.php?session_id=ABC123 where ABC123 represents the session id created on www.example2.com. The session id which is then generated on www.example1.com is stored alongside the session id using the parameter set in the URL.

The user is then redirected back to www.example2.com and a match of session ids should be found.

This WAS working fine in FireFox but when I tried it in Chrome I noticed that the session id being generated when the browser is redirected back to www.example2.com is a new session id. As a result an infinite loop is created. This behaviour has not manifested itself in FireFox as well.

What is causing the new session id to be generated? More importantly, what can I do to stop it?

Thanks in advance!

EDIT
I had a logic error that was causing an infinite loop. This now works fine again in FireFox but the infinite loop is still occurring in Chrome and Internet Explorer.

A: 

Having followed the logic of the code through, I have made some modifications. Everything seems to be working now. Just a little confused as to why this didn't affect FireFox though.

Thank you for everyone's interest.

bigstylee
A: 

The whole idea of a session is that it only applies to one domain. Otherwise other domains could hijack your session. A browser should not submit a cookie (containing the session id) for a domain for which it was not written. I.e. your session id for your www.yourbank.com logon should not be able to be read by a website called www.preatesteallingtheieves.com, and the browser will stop this from happening (regardless of what session name you use).

SO: session IDs are not shared between domains, even if you give them the same name.

Bingy
I am not actively changing the session names. I am just storing the session id set by the "auth server" and the "broker" and creating a map of the 2 within a database. So the auth server relates to global session data (i.e. user id) and the broker holds site specific session data (e.g. image captcha variable).
bigstylee
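The broker/auth-server handshake from the question, with the per-domain session stores Bingy describes, as an added example (not the poster's code; the class names, `MAX_REDIRECTS` and the simulated browser are assumptions). It reproduces the failure mode, a browser that does not send the broker's session cookie back after the redirect, and bounds the round trip so a changing broker session id fails loudly instead of looping forever.

```python
import secrets

MAX_REDIRECTS = 3  # assumed guard: a real SSO round trip needs one hop, not many


class Browser:
    """Cookie jar keyed by domain; a cookie is never sent to another domain.
    drop_cookies_for simulates a browser that does not persist a site's
    session cookie across the redirect (the symptom seen in Chrome/IE)."""

    def __init__(self, drop_cookies_for=()):
        self.jar = {}
        self.drop = set(drop_cookies_for)

    def get(self, domain):
        return self.jar.get(domain)

    def set(self, domain, sid):
        if domain not in self.drop:
            self.jar[domain] = sid


class Site:
    """One origin with its own session store, like PHP's session handling."""

    def __init__(self, domain):
        self.domain = domain
        self.sessions = {}

    def session(self, browser):
        sid = browser.get(self.domain)
        if sid not in self.sessions:          # no/unknown cookie -> brand new session id
            sid = secrets.token_hex(8)
            self.sessions[sid] = {}
            browser.set(self.domain, sid)
        return sid


class SsoLoopError(RuntimeError):
    pass


def sso(broker, auth, browser, auth_map):
    """auth_map is the 'table of authentication': broker_sid -> auth_sid.
    Returns (broker_sid, auth_sid) once the broker finds its own id mapped."""
    for _ in range(MAX_REDIRECTS):
        broker_sid = broker.session(browser)
        if broker_sid in auth_map:
            return broker_sid, auth_map[broker_sid]
        # redirect to www.example1.com/authenticate.php?session_id=<broker_sid>
        auth_map[broker_sid] = auth.session(browser)
        # redirect back; the broker must see the same broker_sid cookie, or the
        # mapping just written is orphaned and the loop starts again
    raise SsoLoopError("broker session id changed on every redirect")
```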