How do I pass session variables from one domain to another in PHP

Question

Hi everyone, I have encountered a situation where I need to pass $_SESSION variables from one domain to an iFrame page from another domain. I have spent the last 16 days trying various methods to no avail. I think that the only logical way would be to encode the variables in the url that calls the iFrame and decode them in th iFrame page. I am not sure how to go about this and I am looking for any samples, assistance etc that I can find.

Thanks for any and all suggestions.

Here is an example of what I am trying to do...

Example:

<!-- Note only using hidden as I didn't want to build the form at test phase-->
<form name="test" method="post" action="iframe_test.php">
<input type="submit" name="Submit" />
<input type="hidden" name="fName" value="abc" />
<input type="hidden" name="lName" value="def" />
<input type="hidden" name="address1" value="ghi" />
<input type="hidden" name="address2" value="jkl" />
<input type="hidden" name="country" value="mno" />
<input type="hidden" name="postal_code" value="pqr" />
<input type="hidden" name="city" value="stu" />
<input type="hidden" name="retUrl" value="vwx">
<input type="hidden" name="decUrl" value="yz">

So from here I am hitting the iframe_test.php and doing the following: PHP Code: function StripSpecChar($val) { return (preg_replace('/[^a-zA-Z0-9" "-.@\:\/_]/','', $val)); }

foreach ($_POST as $key => $val) { 
$_SESSION[$key] = StripSpecChar($val);   
} 

and I get a session array that looks like this: Code:

Array
(
    [fName] => abc
    [lName] => def
    [address1] => ghi
    [address2] => jkl
    [country] => mno
    [postal_code] => pqr
    [city] => stu
    [retUrl] => vwx
    [decUrl] => yz
)

Still all good so far....call the iFrame

Code:

<body>
Some page stuff here

<div align="center"><span class="style1"><strong>This is the iFrame Page</strong></span>
</div>
<div align="center">
<iframe src="https://www.other_domain.org/iframe/reserve.php" width="500" height="350" frameBorder="0"></iframe>
</div>

</body>

So HOW do I take...

$_SESSION['fName']['abc']; 
$_SESSION['lName']['def']; 
$_SESSION['address1']['ghi']; 
$_SESSION['address2']['jkl']; 
$_SESSION['country']['mno']; 
$_SESSION['postal_code']['pqr']; 
$_SESSION['city']['stu']; 
$_SESSION['retUrl']['vwx']; 
$_SESSION['decUrl']['yz']; 

and turn it into the encoded url that I am looking for? Further once that is done how to I get the session vars back as session vars on that new domain iFrame page...

Answer 1

You can take an assoicative array and convert it to a query string with the function http_build_query

Note: the second array you posted is not the correct output of a session array.

On the receiving page/domain, just take the query string and place/sanitize the expected parameters into your $_SESSION array (or whatever you need to do with it).

This is safer than using something like serialize/unserialize as only arrays are being used.

Answer 2

Serialize the sessiondata array and send it as a parameter and then deserialize it http://www.php.net/manual/en/function.serialize.php

Answer 3

Use serialize() and then base64_encode() to pass the data without corrupting it and (mostly) maintaining its structure.

It's not a good practice, because then anyone who figures out how it works can inject arbitrary data, but if that's what you want to do, it will work.

Answer 4

Why not just send the session id to the otehr domain (and assuming they can read the same session storage substrate) use that as the session id there, e.g.

<?php
// catch remote session id, validate and reassociate
if (md5($_GET['exported_sessid'], $shared_secret) == $_GET['check_hash']) {
      // (basic CSRF check
      session_id($_GET['exported_sessid']);
}
session_start();
....

C.