
Keep session variables when redirecting to external site

Hi there

I am developing a login system which is located on my server.  After logging in, the user gets redirected to an external site.  In order to avoid URL pasting etc., I want to make sure (in the external site) that the user is really authenticated.  At first, I tried to do this with session variables.  However, I noticed that my session variables die when the redirect takes place, which seems logical.  Is there a way to persist the session to the external site through cookies, or is there any way that is even better/more secure?  Note that I use header() to redirect the user (if that makes any difference anyway).

Thank you very much...
Asked:
acicovic
stefanaichholzerCommented:
acicovic,

You could use a cookie if that makes any sense to you. Check http://php.net and look for setcookie();

Let me know how it goes...

;)
stefanaichholzerCommented:
Diablo84,

You are the man. Thank you very much. Posting on EE is getting better day after day, especially with folks like you around!

;)
ldbkuttyCommented:
>> I tried to do this with session variables.  However, I noticed that my session variables die when the redirect takes place, which seems logical.

You can use session_write_close() which writes the session data and ends the session. Here's an example:

<?php

// Start the session.
session_start();

// Your session variable.
$_SESSION['mySess'] = 'some value';

// write the session data and end the session.
session_write_close();

// Now redirect the page.
header("Location: next_page.php");

// Exit after redirect.
exit();

?>

Now $_SESSION['mySess'] is accessible in next_page.php.
Diablo84Commented:
acicovic,

You cannot share your session data between two sites; the browser won't allow the cookie (which by default passes the session ID) to be read by any domain other than the one that set it. Furthermore, session data is stored on the server rather than on the client's local machine.

IN THEORY, if you were passing the PHPSESSID via the URL rather than cookies, you would be able to share the session data between two domains IF they were hosted on the same server (as the session storage space would be the same for both domains). Two different sites on two different servers is not going to happen, though.

Off the top of my head, I think the only way you can share data between two different sites (besides using the query string, GET, or a form, POST) is to use a database which both sites have permission to read from.

Stefan,

No problem, and thank you. Hopefully things will continue to improve with everyone functioning as a team :)
ldbkuttyCommented:
Think I should re-read the Experts discussion. :-( Didn't notice the "external site"!

Database is a good option. Good spot Diablo.
ldbkuttyCommented:
Another possible approach is to encode the value using base64_encode and pass it via URL, then decode the value at the external site using base64_decode.

http://www.php.net/base64_encode

However, base64 encoding is not very secure! You can use this suggestion when a database is not suitable for your requirement.
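Added example (mine, not code from the thread or any of its posters): a base64-encoded value in the URL can be decoded and forged by anyone, so if the handoff has to travel in the query string, sign it. The token below carries the user id, an expiry and a one-time nonce, and is authenticated with an HMAC over a secret shared by both sites. Assumptions of my own: the two sites exchange `$secret` out of band, the external site is served over HTTPS, `external.example` and `landing.php` are placeholder names, and the redeemed-nonce store is an in-memory array standing in for a table on the external site.

```php
<?php
declare(strict_types=1);

// Added example: a signed, short-lived handoff token in the redirect URL.
// Assumed: both sites share $secret out of band; the external site is reached
// over HTTPS; the external site keeps redeemed nonces (here: an array).

const TOKEN_TTL = 60; // seconds: long enough for one redirect, no longer

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function b64urlDecode(string $encoded): string
{
    $pad = strlen($encoded) % 4;
    if ($pad !== 0) {
        $encoded .= str_repeat('=', 4 - $pad);
    }
    $raw = base64_decode(strtr($encoded, '-_', '+/'), true);
    return $raw === false ? '' : $raw;
}

// Main site: build "<payload>.<hmac>" after a successful login.
function issueToken(string $secret, string $userId, int $now): string
{
    $body = b64url(json_encode([
        'uid'   => $userId,
        'exp'   => $now + TOKEN_TTL,
        'nonce' => bin2hex(random_bytes(16)), // unique per token, for replay detection
    ]));
    return $body . '.' . hash_hmac('sha256', $body, $secret);
}

// External site: returns the user id, or null if the token is malformed,
// tampered with, expired, or has already been redeemed.
function verifyToken(string $secret, string $token, int $now, array &$redeemed): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // hash_equals() is constant-time; never compare MACs with == or ===
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $mac)) {
        return null;
    }
    $payload = json_decode(b64urlDecode($body), true);
    if (!is_array($payload) || !isset($payload['uid'], $payload['exp'], $payload['nonce'])) {
        return null;
    }
    if ($now > (int) $payload['exp']) {
        return null; // expired
    }
    if (isset($redeemed[$payload['nonce']])) {
        return null; // replayed
    }
    $redeemed[$payload['nonce']] = (int) $payload['exp']; // prune entries once exp has passed
    return (string) $payload['uid'];
}

// --- main site, right after the user logs in ---
$secret = 'replace-with-a-long-random-secret-shared-with-the-external-site';
$token  = issueToken($secret, 'alice', time());
// session_write_close();
// header('Location: https://external.example/landing.php?token=' . rawurlencode($token));
// exit;

// --- external site, landing.php: $token would come from $_GET['token'] ---
$redeemed = [];
$user = verifyToken($secret, $token, time(), $redeemed);
echo $user === null ? "rejected\n" : "authenticated as {$user}\n";

// Changing the user id in the payload invalidates the MAC, so the forgery is rejected:
$forged = b64url(json_encode(['uid' => 'admin', 'exp' => time() + 60, 'nonce' => 'x']))
        . '.' . explode('.', $token)[1];
echo verifyToken($secret, $forged, time(), $redeemed) === null ? "forgery rejected\n" : "BUG\n";

// Presenting the same token a second time is rejected as a replay:
echo verifyToken($secret, $token, time(), $redeemed) === null ? "replay rejected\n" : "BUG\n";
```

The token still sits in a URL, so it ends up in browser history, Referer headers and web-server logs; that is why the TTL is seconds rather than hours and why each token is redeemable once. After `verifyToken()` succeeds, the external site should start its own session and redirect to a clean URL without the token, rather than keep re-checking it on every page.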
acicovicAuthor Commented:
Hm...

Supposing that sessions/cookies cannot be passed to an external site (which seems correct after reading carefully about sessions and setcookie), I am a bit perplexed.

I had thought of a "DB solution" like Diablo84 mentioned, but I had ruled it out.  The reason is that my host has only one DB user who has all the privileges.  That means that any external site administrator connecting to my DB can automatically delete everything as he has the connection info which grants him all rights.  In this scenario, I can see two possible solutions:

      pick another host who supports many db users with different rights (is there?)
      hide the connection info (obfuscate code or include remote file - any ideas/suggestions/remarks?) from the remote site admin

Another aspect is that I do not have a clear understanding of how such a system would work, but I could figure it out by putting some thought in it.  Base64 encoding is a very interesting proposition as well, although I need to think about all this a little bit more.  Any additional comment will be greatly appreciated.  Thanks for all the comments so far...
lexlythiusCommented:
The "go to another site and let it get into my DB and toy around with it" approach seems anything but secure I'd say. Moreover, I don't understand how you would coordinate this access. Do you have control over this external site? Is there only one known external site or you have more than one with different, unknown structures and procedures?

Have you thought of framesets/iframes? Provided that the main frame or frameset maintains your PHP Session ID independently of whether given iframes are external or not (which, by the way, seems to be a problem for Mozilla Firefox, as different sites having equal session variable names collide with each other, at least if they belong to the same domain). Thus you could do what you have to do with the external site in your iframe/frame, then continue the job on your main site context using a DHTML event call.

Or did I get this all wrong?
lexlythiusCommented:
Another approach would be using PHP's object serialization:

http://www.php.net/manual/en/language.oop.serialization.php
acicovicAuthor Commented:
I think that security depends on how someone will implement the scenario.  If permissions are set correctly, security should be ok.  Right now, I do not know exactly how this access could be coordinated, but setting a flag in the DB from my site and checking for that flag in the external site sounds like something implementable and not risky.

If what you say about session variables is correct, your frame/iframe suggestion is quite implementable, at least at first thought, and I will definitely try it.  I will also look at your serialization proposition (I do not know anything about it).

Thank you very much for posting...
lexlythiusCommented:
In case my previous iframe suggestion doesn't work, or isn't browser-portable, I think you should implement iframes in your external site (if you can modify its source code, of course). You may set a hidden iframe ( <iframe name="myIframe" style="display:none"></iframe> ) which calls a PHP script within your site containing something like the following:

<?php

// $db is assumed to be a PDO connection created by the including script, e.g.
// $db = new PDO('mysql:host=localhost;dbname=yourdb', 'user', 'password');
// Prepared statements are used so $userId is never interpolated into SQL.

//define a user session's max lifetime, in seconds
define ("USER_SESSION_LIFETIME", 86400);

function logUserIn( PDO $db, $userId )
{
      // session_expiration holds a Unix timestamp, so it is compared with time(), not NOW()
      $expiration = time()+USER_SESSION_LIFETIME;
      $sql = "REPLACE INTO logged_users (user_id, session_expiration) VALUES (?, ?)";
      $db->prepare($sql)->execute(array($userId, $expiration));
}


function logUserOut( PDO $db, $userId )
{
      $sql = "DELETE FROM logged_users WHERE user_id=?";
      $db->prepare($sql)->execute(array($userId));
}


function userIsLogged( PDO $db, $userId )
{
      $sql = "SELECT COUNT(*) FROM logged_users WHERE user_id=? AND session_expiration>?";
      $stmt = $db->prepare($sql);
      $stmt->execute(array($userId, time()));
      return ((int)$stmt->fetchColumn() > 0);
}

//you can use this with a Cron command, or every time there is a login/logout
function clearExpiredSessions( PDO $db )
{
      $sql = "DELETE FROM logged_users WHERE session_expiration<?";
      $db->prepare($sql)->execute(array(time()));
}


// $externalOrigin is the external site's origin, e.g. "https://external.example".
// A cross-origin iframe cannot call functions on window.parent directly (same-origin
// policy), so the status is sent with postMessage, targeted at that origin only.
function printUserLoggedToBrowser( PDO $db, $userId, $externalOrigin )
{
      $message = json_encode(array('logged' => userIsLogged($db, $userId)));
      $target  = json_encode($externalOrigin);
      print "<html><body><script>window.parent.postMessage($message, $target);</script></body></html>";
}

?>

What this script would do is simply check your user status INSIDE your main site and then send back to your external site a short trail of HTML that would call a function within the outer frame of the external site. Then you would have something like the following in your external site's main frame:

<script type="text/javascript">
// The hidden iframe is cross-origin, so its status arrives via postMessage.
// Check event.origin so that only your main site can report a login status.
var MAIN_SITE_ORIGIN = "https://your-main-site.example"; // origin of the site running the check
window.addEventListener("message", function (event) {
  if (event.origin !== MAIN_SITE_ORIGIN) {
    return;
  }
  yourLogStatusNotifyMethodHere(event.data.logged === true);
});

function yourLogStatusNotifyMethodHere( isLogged )
{
  if (isLogged) {
    //...your code for logged users here
  } else {
    //...your code for NOT logged users here
  }
}
</script>
acicovicAuthor Commented:
Since I used a combination of the solutions, I decided to split the points.  Thanks for helping me.
stefanaichholzerCommented:
Too bad I did not get a share... ;)