tags:

views:

348

answers:

2
+1  Q: 

PHP Single Sign On (SSO) generating new session id

I am trying to create a single sign on process. The method I have implemented makes use of storing session data in a database.

When a new user comes to the website (www.example2.com) a table of authentication is checked. As this is their first visit to the website, there will be no match.

The browser is redicted to the authentication server www.example1.com/authenticate.php?session_id=ABC123 where ABC123 represents the session id created on www.example2.com. THe session id which is then generated on www.example1.com is stored along side the session id using the parameter set in the URL.

The user is then redirected back to the www.example2.com and a match of session ids should be found.

This WAS working fine in FireFox but when I tried it in Chrome I noticed that the session id being generated when the browser is redirected back to www.example2.com is a new session id. As a result an infinite loop is created. This behaviour has not manifested itself in FireFox aswell.

What is causing the new session id to be generated? More importantly, what can I do to stop it?

Thanks in advance!

EDIT
I had a logically error that was causing an infinite loop. This now works fine again in FireFox but the infinite loop is still occuring in Chrome and Internet Explorer.

A: 

Having followed the logic of the code through, I have made some modifications. Everything seems to be working now. Just a little confused to why this didnt affect FireFox though.

Thank you for everyone's interest.

bigstylee  2010-05-07 00:29:04
A: 

the whole idea of a session is that it only applies to one domain. otherwise other domains could hijack your session. A browser should not submit a cookie (containing the session id) for a domain for which it was not written for. ie your session id for your www.yourbank.com logon should not be able to be read by a website called www.preatesteallingtheieves.com, and the browser will stop this from happening. (regardless of what session name you use.)

SO: session ID's are not shared between domains, even if you give them the same name.

Bingy  2010-05-07 05:03:58
I am not actively changing the session names. I am just storing the the session id set by the "auth server" and the "broker" and creating a map of the 2 within a database. so the auth server relates to global session data (ie user id) and the broker holds site specific session data (eg image captcha variable).
bigstylee  2010-05-07 07:30:28

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases