views: 4114

answers: 6
I need to share SSO information between two different domains with a cookie, can this be done in PHP and how?

+7  A: 

On both domains, place an image or other web element that is pulled from the other domain. Use the URL to notify the other domain that user X is on domain A, and let domain B associate that user ID with that user on their system.

It's a little complex to carry out correctly, but if you think it through it'll work out very well.

Vinko points out in a comment (thanks!) that I shouldn't take it for granted that you understand the security risks involved. If this information is of any value to anyone, then you should make sure you use proper encryption, authentication, etc to avoid releasing sensitive information and to avoid various attacks (replay, man in the middle, etc). This shouldn't be too onerous since you control both websites and you can select a secure secret key for both, since the communication is only going between the two servers via this special URL. Keep it in mind though.

Adam Davis
You'd have to add some encryption and avoid replaying attacks. You can do that by having A and B share a secret.
Vinko Vrsalovic
It depends. If the information is of little to no value, then there's no need, but if you are sharing something important then you do need to involve authentication, encryption, etc. These complicate matters a little, but since you control both systems it isn't hard to have a shared secret.
Adam Davis
It's not hard, but it has to be considered. And don't forget to make those URIs one time only.
Vinko Vrsalovic
Doesn't work in IE6.
Shawn Simon
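
The shared secret, replay protection and one-time URLs that this answer and its comments call for, sketched in PHP as an added example that is not part of the original thread. The names `issue_token` and `redeem_token`, the `uid`/`exp`/`jti` fields and the in-memory `$seen` store are assumptions for illustration; the token is signed but not encrypted, so it carries only a user ID.

```php
<?php
declare(strict_types=1);
function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Domain A: build the token carried in the special URL that domain B serves.
function issue_token(string $userId, string $key, int $ttl = 30): string
{
    $body = b64url(json_encode([
        'uid' => $userId,
        'exp' => time() + $ttl,              // short lifetime limits exposure
        'jti' => bin2hex(random_bytes(16)),  // unique ID, makes the URL one-time
    ], JSON_THROW_ON_ERROR));
    return $body . '.' . b64url(hash_hmac('sha256', $body, $key, true));
}

// Domain B: returns the user ID, or null if forged, expired or already used.
// $seen stands in for a store shared by all of B's web servers (assumption).
function redeem_token(string $token, string $key, array &$seen): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $body, $key, true));
    if (!hash_equals($expected, $mac)) {     // constant-time comparison
        return null;
    }
    $claims = json_decode((string) base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($claims) || !isset($claims['uid'], $claims['exp'], $claims['jti'])) {
        return null;
    }
    if ((int) $claims['exp'] < time() || isset($seen[$claims['jti']])) {
        return null;                         // expired, or a replay
    }
    $seen[$claims['jti']] = (int) $claims['exp']; // remember until expiry
    return (string) $claims['uid'];
}

// Constructed demo: in production the key comes from config on both servers.
$key   = random_bytes(32);
$seen  = [];
$token = issue_token('user-42', $key);
var_dump(redeem_token($token, $key, $seen));       // first presentation
var_dump(redeem_token($token, $key, $seen));       // same token again
var_dump(redeem_token($token . 'x', $key, $seen)); // altered signature
```

Entries in the replay store can be purged once their `exp` has passed, since an expired token is rejected anyway.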
A: 

You don't, cookies are bound to a domain. There are restrictions on this and it's referred to as cross site scripting.

Now, for some help to your problem. What you can do is create a script that helps bridge them.

You can globally rewrite all links to your second site that are going to need cookie information from the first site.

You would save all the cookies from site-a to a database that they both can read, then programmatically append the cookie-id querystring to all of the links to site-b, then look up that cookie id and re-set the cookies under the new domain.

There is a really good PHP database abstraction library (PHP ADODB) and it has a session sharing plugin that makes all of this a whole lot easier.

chews
+1  A: 

Well, if your domains are just different subdomains you could do it in an easy way by creating a .yourdomain.com cookie. Then the cookie is passed along with all the requests across all the subdomains.

It's not that simple if you want to share cookies between different domains, as browsers treat it as a security risk.

What is the exact example?

In the case of some software like Google Analytics and other tracking images etc., you might be forced to use P3P headers to let the browser know you don't care about security when sending your cookies. Then the browser requesting the image gets the cookie as part of the response and also inspects P3P; if all is OK, it saves the cookie on the hard drive, and the next time you request an image that sits on your website (but is part of another domain's page) the browser will send the cookie along. But I guess this does not help ;-)

I have never used a cookie value across domains in the direct meaning of it.

A: 

I'm not sure about the security implications, but there is an Apache setting that allows you to change the domain of a cookie.

# in httpd.conf (or equivalent)
php_value session.cookie_domain mydomain.com

I have successfully employed this method for subdomains, but have never attempted it for different domains.

There is also a method to set the variables directly in PHP described at http://us.php.net/manual/en/function.session-set-cookie-params.php. The documentation makes no reference to the ability or inability to set cookies on a different domain.

There is a different Stack Overflow thread on this same topic, but I don't think it was ever sufficiently answered.

KDrewiske
+1  A: 

If you have two sites using the same domain and would like to share cookies between them, set something like this in your settings.php file for each domain:

ini_set('session.cookie_domain', '.EXAMPLE.com');

Be sure you include the leading '.' before the domain name or it won't work.

This allows users to maintain login status between any sites configured for domain-wide cookies.

This can also have negative side effects, so don't do this unless you're familiar with all the cookies involved for the sites you want to share cookies between.

A: 

See also:

http://www.15seconds.com/issue/971108.htm

Jim Soho