Solved

PHP SESSION cross-domain support

Posted on 2009-05-20
Last Modified: 2013-12-12
Building a PHP session-based authentication system for a custom web app.
The app has a central code base and CMS to display content based on the domain header (i.e., domain content has the same document root).

If you go to www.domain.com you get db driven content for that domain.  If you go to subdomain1.domain.com you get content for subdomain1.domain.com.  There could be thousands of subdomains.

Authentication is based on sessions.  Understanding the basis of sessions, it's geared for that specific domain, however I need a session to carry over into subdomains (and possibly other domains).

I've added the following code to my .htaccess in the document root and it seems to work, but has been flaky.  If I monitor the session vars, I'll get a different session for different domains on different browsers (sometimes).  It seems to generate new sessions for subdomains and it doesn't solve the secondary unique domain problem.

I'm open to just about any solution... even if it means a different fundamental authentication logic change...

Is this possible?  What do others do?
php_value session.cookie_domain .domain.com

Question by:vmurray
7 Comments
 
LVL 6

Expert Comment

by:mmarth
ID: 24437765
If you create a session variable, it will only work on the original domain.

To automatically be logged in to a different domain, you can send the login info with the original request to the new domain, i.e. the redirect can contain the login info, which can be dynamically inserted. Other session info could be sent the same way or could be retrieved from a database.
0
 

Author Comment

by:vmurray
ID: 24437784
Turns out this works:
php_value session.cookie_domain .domain.com

I had sessions that were still active created before the change therefore causing inconsistent behavior.

Still doesn't help on multiple domain support.

Always been retrieving from db, but you have to have the above in php.ini or .htaccess.

I was trying to get specific information for how others have done it. (code) or logic examples.
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 24462356
Here is a sample script that will do what you need.  Please run it and examine the output.  Post back here if you have any questions.  Best of luck, ~Ray
<?php // RAY_session_cookie_domain.php
// DEMONSTRATE HOW TO START SESSIONS THAT WORK IN DIFFERENT SUBDOMAINS
error_reporting(E_ALL);

// MAKE THE SESSION COOKIE AVAILABLE TO ALL SUBDOMAINS
// OUR GOAL IS A DOMAIN NAME THAT STARTS WITH DOT AND OMITS WWW OR OTHER SUBDOMAINS.
// BREAK THE HOST NAME APART AT THE DOTS
$x = explode('.', strtolower($_SERVER["HTTP_HOST"]));
if (count($x) < 2) // MAYBE 'localhost'? (explode() ALWAYS RETURNS AN ARRAY, SO TEST THE COUNT)
{
   $host = $x[0];
} else // SOMETHING LIKE 'www2.atf70.whitehouse.gov'?
{
   // USE THE LAST TWO POSITIONS TO MAKE THE HOST DOMAIN
   $y    = count($x);
   $host = '.' . $x[$y-2] . '.' . $x[$y-1];
}

// START THE SESSION AND SET THE COOKIE FOR ALL SUBDOMAINS
$sess_name = session_name();
if (session_start())
{
	// EXPIRE = 0 MAKES IT A SESSION COOKIE; LAST TWO ARGUMENTS ARE SECURE = FALSE, HTTPONLY = TRUE
	setcookie($sess_name, session_id(), 0, '/', $host, FALSE, TRUE);
}

// LOAD UP SOME INFORMATION TO SHOW SESSION CONTENTS
$_SESSION["cheese"] = "Cheddar";
if (!isset($_SESSION["count"])) $_SESSION["count"] = 0;
$_SESSION["count"] ++;

// PUT UP TWO LINKS WITH DIFFERENT SUBDOMAINS
$gost = ltrim($host, '.'); // STRIP OFF THE DOT THAT WAS NEEDED FOR SETCOOKIE
$dmn_link = 'http://'     . $gost . '/RAY_dump_session.php';
$www_link = 'http://www.' . $gost . '/RAY_dump_session.php';

// THE LINKS ARE BUILT FROM THE REQUEST'S HOST HEADER, SO ESCAPE THEM BEFORE OUTPUT
$www_html = htmlspecialchars($www_link, ENT_QUOTES);
$dmn_html = htmlspecialchars($dmn_link, ENT_QUOTES);
echo "<br/><a target=\"_blank\" href=\"$www_html\">$www_html</a>\n";
echo "<br/><a target=\"_blank\" href=\"$dmn_html\">$dmn_html</a>\n";

// SHOW WHAT IS IN COOKIE AND IN $_SESSION
echo "<pre>";
echo "COOKIE ";
var_dump($_COOKIE);
echo "\n\n";
echo "SESSION ";
var_dump($_SESSION);
echo "</pre>\n";
?>
<form method="post">
<input type="submit" value="CLICK ME" />
</form>


0
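An added example, not part of the original thread or the accepted answer: the script above derives the cookie domain from the client-supplied Host header and from the last two labels, which gives the wrong scope for suffixes such as `co.uk`. This variant matches the host against an allowlist and sets the cookie attributes before `session_start()`. `ALLOWED_PARENTS`, `cookie_domain_for()` and `start_shared_session()` are hypothetical names, `example.co.uk` is a constructed entry, and `str_ends_with()` assumes PHP 8.

```php
<?php
// Added example (not from the thread). ALLOWED_PARENTS is a constructed
// allowlist; replace it with the parent domains you actually operate.
const ALLOWED_PARENTS = ['domain.com', 'example.co.uk'];

// Return the cookie Domain value for a request host, or null when the host
// is not one of ours. The Host header is client-supplied, so it is only
// matched against the allowlist and never used to build the domain itself.
function cookie_domain_for(string $httpHost): ?string
{
    // Lower-case, then drop an optional :port and a trailing dot.
    $host = strtolower(trim($httpHost));
    $host = rtrim((string) preg_replace('/:\d+$/', '', $host), '.');
    foreach (ALLOWED_PARENTS as $parent) {
        if ($host === $parent || str_ends_with($host, '.' . $parent)) {
            return '.' . $parent;
        }
    }
    return null;
}

// Start a session whose cookie is shared by every subdomain of the matched parent.
function start_shared_session(string $httpHost): bool
{
    $domain = cookie_domain_for($httpHost);
    if ($domain === null) {
        return false; // unknown host: issue no shared session cookie
    }
    // The array form of session_set_cookie_params() needs PHP 7.3 or later.
    session_set_cookie_params([
        'lifetime' => 0,      // session cookie, gone when the browser closes
        'path'     => '/',
        'domain'   => $domain,
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return session_start();
}

// Constructed sample hosts: two of ours, one look-alike, one unrelated.
foreach (['Sub1.Domain.com:8080', 'shop.example.co.uk', 'evildomain.com', 'localhost'] as $h) {
    var_dump(cookie_domain_for($h));
}
```

A cookie scoped to `.domain.com` is sent to every subdomain, so each of them has to be as trusted as the host that performs the login.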

Author Comment

by:vmurray
ID: 24486501
This works.  Same result as adding the .htaccess for PHP

php_value session.cookie_domain .domain.com

Is there anything for true cross-domain support

domainx.com, domainy.com (rather than just sub1.domainx.com, sub2.domainx.com)
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 24486726
No, there is no cross-domain support for cookies without using redirects.  However if you want to get "clever" about it, you can have multiple domains all send their cookie values to a single "central" domain, maybe via POST or CURL.  That central domain sets and clears cookies, and returns the data to the calling domain when it redirects.  I would not recommend this, however.  Some clients would see this as a security breach, so you would need to be explicit about it in your published privacy policies.

HTH, ~Ray
0
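The redirect through a central domain discussed in this thread, as an added example that is not part of the original posts: the value carried in the redirect is a short-lived, single-use, HMAC-signed token rather than the session id or login details. `issue_handoff()`, `redeem_handoff()`, `HANDOFF_TTL`, the key and the user id are hypothetical; the domain names are the ones used in the question.

```php
<?php
// Added example, not code from the thread. Key, TTL and user id are constructed.
const HANDOFF_TTL = 60; // seconds a token stays redeemable

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Central domain: after checking its own session, mint a token for one target domain.
function issue_handoff(string $key, string $userId, string $audience, int $now): string
{
    $payload = b64url(json_encode([
        'sub' => $userId,
        'aud' => $audience,                 // only this domain may redeem it
        'exp' => $now + HANDOFF_TTL,
        'jti' => bin2hex(random_bytes(16)), // unique id for replay detection
    ]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $key, true));
}

// Receiving domain: returns the user id, or null when the token must be rejected.
// $seen stands in for a shared store of redeemed ids (database or cache).
function redeem_handoff(string $key, string $token, string $self, int $now, array &$seen): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $key, true));
    if (!hash_equals($expected, $mac)) {
        return null; // forged or modified
    }
    $c = json_decode((string) base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($c) || !isset($c['sub'], $c['aud'], $c['exp'], $c['jti'])) {
        return null;
    }
    if ($c['aud'] !== $self || $c['exp'] < $now || isset($seen[$c['jti']])) {
        return null; // wrong domain, expired, or already used
    }
    $seen[$c['jti']] = $c['exp'];
    return (string) $c['sub'];
}

$key = random_bytes(32); $seen = []; $now = time();
$token = issue_handoff($key, 'user-42', 'domainy.com', $now);
var_dump(redeem_handoff($key, $token, 'domainy.com', $now, $seen)); // first use
var_dump(redeem_handoff($key, $token, 'domainy.com', $now, $seen)); // same token again
var_dump(redeem_handoff($key, issue_handoff($key, 'user-42', 'domainx.com', $now), 'domainy.com', $now, $seen));
```

After a successful redeem the receiving domain starts its own session and calls `session_regenerate_id(true)`; the signing key stays on the servers and the redirect runs over HTTPS.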
 

Author Closing Comment

by:vmurray
ID: 31583553
This helps understand what you can do.  Easiest solution was adding:
php_value session.cookie_domain .domain.com
to .htaccess.  Suppose it could be set in php.ini as well.  Cross domain is an issue.  I think the best solution will be to use subdomains and when authenticating cross domain, you have to log in (same credentials, but different domain)
0
 

Expert Comment

by:nosolb
ID: 26387072
I have used the same code with one change, and now it works for me. Now I am able to access the same session value across all my subdomains as well as the main domain.

try this:

php_value session.cookie_domain ".domain.com"

Note: enclose your domain.com in quotes.
0

Question has a verified solution.
