Sharing a session across multiple domains on the same server

I heard that the best way to share sessions between multiple domains on the same server is to use your own PHP session handler (i.e. the domain names are different, abc.com, xyz.com, but it is one application).

But after I tried it, even a custom PHP session handler using the SAME DATABASE ON ONE SERVER cannot use the session when I try to read the cookie value from another domain.

Here is my session handler; please check it and correct it if something is missing, because I have been trying this for a week and can't make it work.

PS: To get the previous session identifier, I use a link, for example: newdomain.com/?ssid=[SESSION_ID]


SESSION_INCLUDE.PHP

<?php
// config
$m_host = "localhost";   // MySQL host
$m_user = "db_user";     // MySQL user
$m_pass = "db_pass";     // MySQL password
$m_db   = "db_name";     // MySQL database
$table  = "sess_data";
$session_expire = 600;   // session expiry time in seconds (minutes * 60)
$gc_probability = 100;   // session.gc_probability; with the default gc_divisor of 100 this runs gc on every request
ini_set("session.gc_probability", $gc_probability);

/* Open function: called first on every page load (by session_start()).
   Opens a connection to the database that stays open until close() is called. */
function open($save_path, $session_name) // do not modify function parameters
{
    global $session_connection, $m_host, $m_user, $m_pass, $m_db;
    $session_connection = mysqli_connect($m_host, $m_user, $m_pass, $m_db);
    return $session_connection !== false;
}

/* Read function: loads the data for session $id from the database.
   Called after open() on every page load. Expired rows are treated as absent.
   $id comes from the client (cookie or URL), so it must be escaped before use. */
function read($id) // do not modify function parameters
{
    global $session_connection, $session_read, $table;
    $id_esc = mysqli_real_escape_string($session_connection, $id);
    $query = "SELECT data FROM `$table` WHERE id=\"{$id_esc}\" AND expire > " . time();
    $res = mysqli_query($session_connection, $query);
    if (!$res || mysqli_num_rows($res) != 1) {
        $session_read = null;
        return ""; // must return a string, not false
    }
    $session_read = mysqli_fetch_assoc($res);
    $session_read["data"] = base64_decode($session_read["data"]);
    return $session_read["data"];
}

/* Write function: stores the serialized session data, creating the row if needed.
   An empty session is still written so that the row (and its expiry) exists. */
function write($id, $data) // do not modify function parameters
{
    global $session_connection, $session_expire, $table;
    $expire   = time() + $session_expire;
    $id_esc   = mysqli_real_escape_string($session_connection, $id);
    $data_esc = mysqli_real_escape_string($session_connection, base64_encode($data));
    // Check for an existing row rather than trusting what read() saw earlier:
    // the row may have been created, or expired, in the meantime.
    $res = mysqli_query($session_connection, "SELECT 1 FROM `$table` WHERE id=\"{$id_esc}\"");
    if ($res && mysqli_num_rows($res) > 0) {
        $query = "UPDATE `$table` SET data=\"{$data_esc}\", expire=\"{$expire}\" WHERE id=\"{$id_esc}\"";
    } else {
        $query = "INSERT INTO `$table` SET id=\"{$id_esc}\", data=\"{$data_esc}\", expire=\"{$expire}\"";
    }
    return mysqli_query($session_connection, $query) !== false;
}

function close()
{
    global $session_connection;
    mysqli_close($session_connection);
    return true;
}

function destroy($id) // do not modify function parameters
{
    global $session_connection, $table;
    $id_esc = mysqli_real_escape_string($session_connection, $id);
    mysqli_query($session_connection, "DELETE FROM `$table` WHERE id=\"{$id_esc}\"");
    return true;
}

/* Garbage collection: $maxlifetime is ignored because every row carries its own
   absolute expiry timestamp. */
function gc($maxlifetime)
{
    global $session_connection, $table;
    mysqli_query($session_connection, "DELETE FROM `$table` WHERE expire < " . time());
    return true;
}

// Register the custom handlers and start the session
session_set_save_handler("open", "close", "read", "write", "destroy", "gc");
session_start();
?>

MySQL database description

 create table sess_data (
     id2 int not null auto_increment,
     id varchar(255) not null,
     data text,
     expire int not null,
     primary key (id2),
     unique key (id)
 );
+6
php
5 answers
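For comparison with the handler in the question, here is an added example (not the original poster's code) of the same database-backed store written against PHP's SessionHandlerInterface with PDO prepared statements, so that the client-supplied session id never reaches the SQL text. It assumes a table sess_data(id, data, expire) with id as the primary key, uses an in-memory SQLite database so that it runs offline (swap the DSN for MySQL), and needs PHP 8.0 or later. A shared store is necessary but not sufficient for the question's goal: the browser sends each domain only that domain's cookie, which is why the session id still has to be handed over out of band.

```php
<?php
// Added example: PDO-backed session handler implementing SessionHandlerInterface.
// Assumed schema: sess_data(id VARCHAR(255) PRIMARY KEY, data TEXT, expire INTEGER).
final class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $ttl;

    public function __construct(PDO $db, int $ttlSeconds)
    {
        $this->db  = $db;
        $this->ttl = $ttlSeconds;
    }

    public function open(string $savePath, string $sessionName): bool { return true; }
    public function close(): bool { return true; }

    // Expired rows are treated as absent, so a stale id cannot be resumed
    // even if garbage collection has not run yet.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sess_data WHERE id = :id AND expire > :now');
        $stmt->execute([':id' => $id, ':now' => time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string)$row['data'];
    }

    // Upsert in one statement: no read-then-write race between two concurrent
    // requests for the same session. REPLACE works on both SQLite and MySQL.
    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare('REPLACE INTO sess_data (id, data, expire) VALUES (:id, :data, :expire)');
        return $stmt->execute([':id' => $id, ':data' => $data, ':expire' => time() + $this->ttl]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sess_data WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    public function gc(int $maxLifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sess_data WHERE expire < :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

// Schema and wiring. For MySQL the DSN would be 'mysql:host=...;dbname=...'.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE sess_data (id VARCHAR(255) PRIMARY KEY, data TEXT NOT NULL, expire INTEGER NOT NULL)');

$handler = new DbSessionHandler($db, 600);
session_set_save_handler($handler, true);

// The cookie is what ties a browser to a session id, and the browser only sends it
// back to the host that set it, so a shared table alone does not make abc.com and
// xyz.com share a session; it only makes the same id resolvable from both.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();
$_SESSION['hits'] = ($_SESSION['hits'] ?? 0) + 1;
session_write_close();

// Inspect the store directly: the handler wrote exactly one row for this id.
$stmt = $db->prepare('SELECT data, expire FROM sess_data WHERE id = :id');
$stmt->execute([':id' => session_id()]);
var_dump($stmt->fetch(PDO::FETCH_ASSOC));
```

Run it from the command line with `php handler.php`; the dumped row shows the serialized `$_SESSION` and the absolute expiry that read() and gc() compare against.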

You cannot read cookies from one domain in another domain. This security feature is implemented in the browser. Using a database for sessions allows multiple servers to share sessions in the same domain, but does not allow multiple domains on the same server to share sessions.

If you want to share sessions between domains, you will need to implement some method of transferring a session when switching domains. The easiest way to do this is to pass the session identifier as a GET parameter from a page on one domain to a page on the other. On the other domain, you then take the session id and create a new session using that id.

Although this is an easy way to do it, it is not very secure and allows the session to be captured. A better way would be to use a database to create a record containing the session identifier, set a short timeout, and transfer the identifier of that record to the other domain. The other domain then picks up the record from the database and creates a session with it. If the record in the database has passed its expiration, the session will not be picked up. This provides better protection against session hijacking.

+11

This is the purpose of session_name(). Assign a different name to each application's session to avoid collisions between $_SESSION keys. The name is used as the session cookie name, so although both session cookies will be sent to both applications, only the one matching the application's session_name() will be used to populate $_SESSION.

 // App 1
 session_name('app1');
 session_start();

 // App 2
 session_name('app2');
 session_start();
+1

You really should look into SSO (single sign-on). One option for SSO is to use OpenID (as used on SO), and using it will make your life easier.

Here is an article on it: http://devzone.zend.com/article/3581

0

Cookies and their visibility are the problem. The browser accessing the new site will not send the old site's session identifier to the server.

I think your read() does not use the ssid parameter that you pass as the session identifier; since the browser has no session cookie for this domain, the system generates a new id and passes that as $id. Check whether $_REQUEST['ssid'] exists in the database.

A custom session handler might be a little big for this job. You can simply check whether $_REQUEST['ssid'] exists in the session database and rewrite $_SESSION with it.

0

I was wondering if anyone could give some suggestions on my method for sharing sessions between domains on the same server (same cookie storage folder).

In the HEAD tag on all my sites, I call the following PHP code:

 if (!isset($_SESSION['sso'])) {
     require_once('database.php');
     $sites = array('http://site1', 'http://site2');
     session_regenerate_id(); // make a new session id that will be shared
     $session_id = session_id();
     foreach ($sites as $site) {
         if ($site != CURRENT_SITE) {
             $sesh_key = md5(SALT.$site.$session_id);
             $database->insertSessionId($sesh_key, $session_id);
             $url = sprintf('%s/sso_set.php?k=%s', $site, $sesh_key);
             echo '<link type="text/css" rel="stylesheet" href="'.$url.'" />';
         }
     }
     $_SESSION['sso'] = 'SET';
 }

Then on each site I have a file called 'sso_set.php' that contains:

 <?php
 session_start();
 if (!isset($_SESSION['sso'])) {
     require_once('database.php');
     // the key is an md5 hex digest, so reject anything of a different shape
     $key = isset($_GET['k']) && preg_match('/^[a-f0-9]{32}$/', $_GET['k']) ? $_GET['k'] : '';
     $session_id = $key !== '' ? $database->getSessionId($key) : false;
     if ($session_id) {
         session_destroy();
         session_id($session_id);
         session_start();
         $database->deleteSessionId($key);
         $_SESSION['sso'] = 'SET';
     }
 }

Is using a text/css link a good idea? I figured this is always requested, even if JavaScript or images are disabled?

This code basically makes the first of my sites that the user opens set the session identifier and then pass it to the other sites.

Everything seems to work fine. There is a slight delay the first time any of the sites is opened and the identifier is transferred to the other sites. You could do it through AJAX so that the page loads quickly, but then you rely on JavaScript being enabled.

Thoughts?

0
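Both the first answer (a short-lived database record whose identifier, not the session id, crosses the domain boundary) and the last answer (a per-site key handed to sso_set.php) describe the same handoff. The following is an added example of that handoff, not code from either answer, written so that the token is random, single-use and short-lived, and so that the session id itself never appears in a URL. It assumes both sites share the session store and a table sso_handoff(token_hash, session_id, expires); the table, column and function names are this example's own choices, the session id is a constructed value, and SQLite in memory is used so that it runs offline. One practitioner's caveat on the stylesheet trick: Safari blocks third-party cookies by default and Firefox partitions them per top-level site, so a cookie set in response to a cross-site stylesheet fetch may never be seen when the user later visits that site directly; a top-level redirect carries the token in a first-party context and does not depend on that.

```php
<?php
// Added example: single-use, short-lived handoff token for moving a session
// from abc.com to xyz.com over a shared store. Assumed table:
//   sso_handoff(token_hash TEXT PRIMARY KEY, session_id TEXT, expires INTEGER)

const HANDOFF_TTL = 30; // seconds: enough for one redirect, not for a later replay

function handoff_schema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS sso_handoff (
        token_hash TEXT PRIMARY KEY,
        session_id TEXT NOT NULL,
        expires    INTEGER NOT NULL)');
}

// Origin side (abc.com): mint a random token, store only its hash, and return
// the token for the redirect. Storing the hash means a read-only leak of the
// table does not yield a usable token.
function issue_handoff_token(PDO $db, string $sessionId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt  = $db->prepare('INSERT INTO sso_handoff (token_hash, session_id, expires) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $sessionId, $now + HANDOFF_TTL]);
    return $token;
}

// Target side (xyz.com): redeem exactly once. The DELETE is the atomic claim:
// if another request already consumed the token, rowCount() is 0 and we
// refuse, so a captured URL cannot be replayed.
function redeem_handoff_token(PDO $db, string $token, int $now): ?string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // not the shape we issue
    }
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $sel = $db->prepare('SELECT session_id, expires FROM sso_handoff WHERE token_hash = ?');
    $sel->execute([$hash]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    $del = $db->prepare('DELETE FROM sso_handoff WHERE token_hash = ?');
    $del->execute([$hash]);
    $claimed = $del->rowCount() === 1;
    $db->commit();
    if (!$claimed || $row === false || (int)$row['expires'] < $now) {
        return null; // unknown, already used, or expired
    }
    return $row['session_id'];
}

// --- Walk-through with a constructed session id; no browser needed ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
handoff_schema($db);

$now       = time();
$sessionId = 'constructed-session-id-123';   // on abc.com this would be session_id()
$token     = issue_handoff_token($db, $sessionId, $now);

// abc.com would now send the browser to the other site with a top-level redirect:
//   header('Location: https://xyz.com/sso_set.php?t=' . $token, true, 303);
// and sso_set.php on xyz.com would do, before session_start():
//   $id = redeem_handoff_token($db, $_GET['t'] ?? '', time());
//   if ($id !== null) { session_id($id); }
//   session_start();
//   header('Location: /');   // redirect again so the token leaves the address bar

echo 'first use returns the session id: ', var_export(redeem_handoff_token($db, $token, $now + 5) === $sessionId, true), "\n";
echo 'replay of the same token refused: ', var_export(redeem_handoff_token($db, $token, $now + 6) === null, true), "\n";
$late = issue_handoff_token($db, $sessionId, $now);
echo 'token past its TTL refused:       ', var_export(redeem_handoff_token($db, $late, $now + HANDOFF_TTL + 1) === null, true), "\n";
```

The token is only ever compared by database lookup of its SHA-256 hash, the regular-expression check keeps malformed input out of the query entirely, and the second redirect on the target site removes the token from browser history and Referer headers. Because the same session id is adopted on xyz.com rather than a fresh one, do not call session_regenerate_id() there: that would invalidate the id abc.com still holds in its cookie.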
