views:

866

answers:

5

I am currently working on a project that spans across multiple domains. What I want is for the user to be able to login on one site and be logged in on all the others at the same time.

The user's session is stored in the database; the cookies that I set on each domain contain the session id.

So basically when a user logs in to example.com a cookie is created with their session id, the session data is stored in the database. Once this is done a cookie needs to be created on all the other domains with this unique session id so that as the user travels from site to site they will automatically be logged in.

Now I have found a way to do this in Firefox (using image tags that execute PHP scripts on the other domains, essentially creating the different cookies on the different domains) but this method doesn't work in IE (haven't tested Opera or Safari etc. yet).

Does anyone have any ideas about how I can get this to work in IE?

+1  A: 

Not sure if it a good suggestion at this point in your development, but you should definitely look at Single Sign-on if you want to do it the "right" way.

moose-in-the-jungle
Yeah, that's what I am looking for, and I have managed to achieve it with Firefox, but it isn't working with IE. Maybe I am just going about it in the wrong way.
A: 

I haven't done this myself, but I think you're going the right way. I would probably do the same, except instead of an image I would use a Javascript file. It would be generated on the server side and would update the cookies on the client side.

Vilx-
+1  A: 

Is it just me, or does it sound like you're CSRFing yourself with your technique using images that works in Firefox?

Interesting approach, although I hope you're not opening yourself up to a security threat there.

Wally Lawless
I had originally thought this, and in fact found that it was in fact a problem. However after a bit of tinkering, and so on I think I have this covered.
A: 

Possibly me being a bit silly, but could you not set the cookies for each domain name on login? So rather than them having one cookie when they login to Site A, they have five, or however many sites you have?

// attempt to set the session cookie for every site's domain from the login page
setcookie('A', $sessid, $expire, '/', 'domainA.com');
setcookie('B', $sessid, $expire, '/', 'domainB.com');
setcookie('C', $sessid, $expire, '/', 'domainC.com');
setcookie('D', $sessid, $expire, '/', 'domainD.com');
foxed
Yeah, tried that first, didn't appear to work as I don't think you can set cookies for other domains, only the domain you are on. I suppose it makes sense really if you think about it.
+2  A: 

Have a look at my question Cross Domain User Tracking.

What you need to do is to add another HTTP header to the "image".

Quote from Session variables are lost if you use FRAMESET in Internet Explorer 6:

You can add a P3P compact policy header to your child content, and you can declare that no malicious actions are performed with the data of the user. If Internet Explorer detects a satisfactory policy, then Internet Explorer permits the cookie to be set.

A simple compact policy that fulfills this criteria follows:

P3P: CP="CAO PSA OUR"

This code sample shows that your site provides you access to your own contact information (CAO), that any analyzed data is only "pseudo-analyzed", which means that the data is connected to your online persona and not to your physical identity (PSA), and that your data is not supplied to any outside agencies for those agencies to use (OUR).

You can set this header if you use the Response.AddHeader method in an ASP page. In ASP.NET, you can use the Response.AppendHeader method. You can use the IIS Management Snap-In (inetmgr) to add the header to a static file.

Follow these steps to add this header to a static file:

  1. Click Start, click Run, and then type inetmgr.
  2. In the left navigation page, click the appropriate file or directory in your Web site to which you want to add the header, right-click the file, and then click Properties.
  3. Click the HTTP Headers tab.
  4. In the Custom HTTP Headers group box, click Add.
  5. Type P3P for the header name, and then for the compact policy string, type CP=..., where "..." is the appropriate code for your compact policy.
BlaM
That's it exactly, I found it was the default medium setting in IE that was blocking it. By adding the code: header('P3P:CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"'); everything now works perfectly :D
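For reference, here is what the PHP "image" endpoint on one of the other domains looks like once the P3P header from BlaM's answer is added. This is an added example written for this page, not code from the thread or from any of the posters; it assumes a PDO connection to the shared session database with a hypothetical `sessions(id, expires_at)` table, and a cookie name of `sessid`.

```php
<?php
// Added example: the script that the <img> tag on domainA.com points at,
// served from domainB.com. It emits the P3P compact policy so IE accepts a
// cookie set in a third-party context, and only sets the cookie for a
// session id that really exists in the shared session table.
// Assumed: $db is a PDO connection; table `sessions(id, expires_at)` is hypothetical.

function is_valid_session_id(PDO $db, string $sid): bool {
    // Only accept the id format we issue ourselves (assumed: 32 hex chars).
    if (!preg_match('/^[a-f0-9]{32}$/', $sid)) {
        return false;
    }
    $stmt = $db->prepare('SELECT 1 FROM sessions WHERE id = ? AND expires_at > NOW()');
    $stmt->execute([$sid]);
    return (bool) $stmt->fetchColumn();
}

function emit_session_cookie_image(PDO $db, string $sid, string $cookieDomain): void {
    // The compact policy IE looks for; without it the default "medium"
    // privacy setting silently drops cookies set by third-party content.
    header('P3P: CP="CAO PSA OUR"');

    if (is_valid_session_id($db, $sid)) {
        setcookie(
            'sessid',
            $sid,
            time() + 3600,   // expires in one hour
            '/',             // path
            $cookieDomain,   // this site's own domain (the only one it can set)
            true,            // secure: send over HTTPS only
            true             // httponly: not readable by page script
        );
    }

    // Always answer with a 1x1 transparent GIF so the <img> never renders broken.
    header('Content-Type: image/gif');
    header('Cache-Control: no-store');
    echo base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
}

$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass'); // assumed connection
emit_session_cookie_image($db, $_GET['sid'] ?? '', 'domainb.com');
```

Because any page on the web can embed this image, the endpoint refuses ids it did not issue and still expires them with the database record; replacing the raw session id in the URL with a short-lived one-time token is the natural next hardening step.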