Solved

SSO for oscommerce 2.3.1 and Jcow 5

Posted on 2011-10-26
1,391 Views
Last Modified: 2013-11-18
I have an oscommerce 2.3.1 site.  I also have a Jcow 5 site on the same domain in a subfolder.

I need to find a single sign on solution that will register new accounts in both, sign them in, and also sign them out of both sites.

I've created a single database and put everything in that one database.

I also made a new customers table with all fields from both of the previous customers tables, so they're basically merged into one table.  I'm not sure if it's better to use one table, or have an SSO that works in two tables.

Any guidance on this would be wonderful, as I've been agonizing over this for months, and no one has stepped up to the plate to do it for me.  My site runs on php5.

Thanks...
Question by: The_Munch
2 Comments

Author Comment

by: The_Munch
ID: 37049613
... am I to guess that this is the typical response for this site... nothing?...

Accepted Solution

by: Ray Paseur (earned 2000 total points)
ID: 37082158
Hi, The_Munch.  I got the EE neglected question alert on this one.  I do not have a drop-in solution for you, but hopefully I can shed some light on the subject.

A "single sign-in" is kind of the Holy Grail for a lot of web developers.  You've got your Facebook, Twitter, Google and Amazon accounts and they all have different passwords, and it's all confusing...  It's a frustrating situation and a lot of great minds have been at work on it, with amazingly little cooperation or success. So don't feel like you are alone.  Part of the issue arises from the way cookies are stored on the client and retrieved by the server.  Cookies are only returned to the domain that set them (and maybe only to the subdomain or subdirectory) and the tendency is to err on the side of finer granularity, for security reasons.  Since cookies are the typical tool used to identify authorized clients, this domain-only restriction hampers the single sign-in efforts.

Web service providers want to keep it this way.  Google would love to have all the information in the Facebook cookies, and vice versa, but neither entity would want to reveal the information to the other.  So it is not likely that one of the leaders of the web would rise up and take on this problem.  And the users of the web do not want it either.  What if you lost your Google password, only to find that it could be used to sign into your bank account and withdraw money?  The law is not on your side if a well-formed electronic funds transfer is presented to a bank and the bank honors it.  Unlike credit cards, bank EFT protection is virtually nil.  The bank does not have to verify that you are who you say you are; they do not have to refund your money if the request turns out to be fraudulent.

Enter the open-source community.  Everyone wants to find an answer for this conundrum.  While it is complicated and may be confusing at first, it is worth learning about this technology, since it is as close as anything to the Holy Grail of a single sign-on that can remain secure.  And it is gaining traction.
http://openid.net/

If you're interested in how PHP client authentication works, you can find a primer here:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

If you want to learn how to set a PHP session cookie that works across subdomains and subdirectories, please see the code snippet.  You can install it on your server and run it to see the moving parts.  By default, PHP sessions do not work across subdomains, so a little extra effort is required if that is what you want.

Sorry there is no magic bullet here.  You will have to do a considerable amount of work to understand and implement the technology, but a solution exists and with some study and effort you can use OpenID to solve the problem.

Best of luck with the project, ~Ray
<?php // RAY_session_cookie_domain.php
/**
 * QUESTION: WHEN CLIENTS VISIT MY SITE SOMETIMES THEY USE www.mysite.org
 * BUT SOMETIMES THEY USE mysite.org WITHOUT THE WWW.  HOW CAN I HANDLE
 * THE SESSION ISSUES THAT ARISE FROM THIS?
 *
 * ANSWER: ONE WAY IS TO REWRITE THE URL TO REMOVE THE SUBDOMAIN IF IT
 * IS WWW.  FOR EXAMPLE:
 *
 *     Options +FollowSymlinks
 *     RewriteEngine on
 *     RewriteCond %{http_host} ^www\.example\.org [NC]
 *     RewriteRule ^(.*)$ http://example.org/$1 [R=301,NC]
 *
 * ANOTHER WAY IS TO MODIFY THE SESSION COOKIE SO IT WORKS ACROSS ALL OF
 * YOUR SUBDOMAINS.  YOUR CHOICE WILL LARGELY DEPEND ON THE WAY YOU WANT
 * TO HANDLE OTHER SUBDOMAINS (OTHER THAN WWW).
 */

// DEMONSTRATE HOW TO START SESSIONS THAT WORK IN DIFFERENT SUBDOMAINS PHP 5.2+
error_reporting(E_ALL);


// MAKE THE SESSION COOKIE AVAILABLE TO ALL SUBDOMAINS
// MAKE A DOMAIN NAME THAT OMITS WWW OR OTHER SUBDOMAINS
// BREAK THE HOST NAME APART AT THE DOTS
$x = explode('.', strtolower($_SERVER["HTTP_HOST"]));
$y = count($x);
// POSSIBLY 'localhost'
if ($y == 1)
{
    $host = $x[0];
}
// MAYBE SOMETHING LIKE 'www2.atf70.whitehouse.gov'
else
{
    // USE A DOT PLUS THE LAST TWO POSITIONS TO MAKE THE HOST DOMAIN NAME
    $host = '.' . $x[$y-2] . '.' . $x[$y-1];
}

// START THE SESSION AND SET THE COOKIE FOR ALL SUBDOMAINS
$sess_name = session_name();
if (session_start())
{
    // MAN PAGE http://us.php.net/manual/en/function.setcookie.php
    // EXPIRE 0 = BROWSER-SESSION COOKIE (NULL IS REJECTED BY NEWER PHP); PATH '/', HTTPONLY ON
    setcookie($sess_name, session_id(), 0, '/', $host, FALSE, TRUE);
}


// PROVE THAT THE COOKIE WORKS IN MULTIPLE DOMAINS
// LOAD UP SOME INFORMATION TO SHOW SESSION CONTENTS
$_SESSION["cheese"] = "Cheddar";
if (!isset($_SESSION["count"])) $_SESSION["count"] = 0;
$_SESSION["count"] ++;


// PUT UP TWO LINKS WITH DIFFERENT SUBDOMAINS
// STRIP OFF THE DOT THAT WAS NEEDED FOR SETCOOKIE
$gost = ltrim($host,'.');
$dmn_link = 'http://'    . $gost . '/RAY_dump_session.php'; // var_dump() SCRIPT
$www_link = 'http://www' . $host . '/RAY_dump_session.php';

echo "<br/>Click these links to get a new window and see the _SESSION and _COOKIE arrays" . PHP_EOL;
echo "<br/><a target=\"_blank\" href=\"$www_link\">$www_link</a>" . PHP_EOL;
echo "<br/><a target=\"_blank\" href=\"$dmn_link\">$dmn_link</a>" . PHP_EOL;


// SHOW WHAT IS IN COOKIE AND IN $_SESSION
echo "<pre>";
echo "COOKIE ";
var_dump($_COOKIE);
echo PHP_EOL . PHP_EOL;
echo "SESSION ";
var_dump($_SESSION);
echo "</pre>";


?>
<form method="post">
<input type="submit" value="CLICK ME" />
</form>


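The answer above explains why a session cookie has to be scoped to the parent domain and path before two applications under one domain can share it, and the original question also asks for a sign-out that ends the session in both sites at once. The helper below is an added example written for this page; it is not Ray's snippet and not code from osCommerce or Jcow. It assumes a hypothetical shared include file that both applications load before they start their own sessions (how each application is patched to use it instead of its own session_start() call is not covered here), and the host names, the session name SSOSESSID and the user id 42 are constructed values.

```php
<?php // sso_shared_session.php (hypothetical helper, not part of osCommerce or Jcow)
// One session cookie scoped to the parent domain, so that the shop at
// https://shop.example.org/ and the community at https://shop.example.org/jcow/
// (or any other subdomain of example.org) see the same PHP session.

// Derive the cookie domain from the HTTP host the same way as the snippet above:
// keep the last two labels and prefix a dot. Returns '' for a single-label host
// such as 'localhost', which makes the cookie host-only.
function sso_cookie_domain($http_host)
{
    $labels = explode('.', strtolower($http_host));
    $n = count($labels);
    if ($n < 2) {
        return '';
    }
    // CAVEAT: for a host under a multi-label public suffix (example.co.uk) this
    // yields '.co.uk', which browsers refuse as a cookie domain. In production,
    // hard-code the domain instead of deriving it from the request.
    return '.' . $labels[$n - 2] . '.' . $labels[$n - 1];
}

// Configure and start the shared session. Must run before either application
// calls session_start() with its own cookie settings.
function sso_start($http_host, $is_https)
{
    $domain = sso_cookie_domain($http_host);
    // lifetime 0 = browser-session cookie; path '/' so / and /jcow/ share it;
    // Secure when served over TLS; HttpOnly keeps page scripts from reading the id.
    session_set_cookie_params(0, '/', $domain, $is_https, true);
    session_name('SSOSESSID');
    return session_start();
}

// Record a successful login. Regenerating the id defends against session
// fixation: an id the browser held before authenticating never becomes the
// authenticated id.
function sso_login($user_id)
{
    session_regenerate_id(true);
    $_SESSION['sso_user_id']  = (int) $user_id;
    $_SESSION['sso_login_at'] = time();
}

// The authenticated user id, or null when nobody is signed in.
function sso_current_user()
{
    return isset($_SESSION['sso_user_id']) ? $_SESSION['sso_user_id'] : null;
}

// Sign out of every application at once: clear server-side state, expire the
// shared cookie with exactly the scope it was set with, then destroy the session.
function sso_logout()
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 86400, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Constructed request flow: ?login on one URL, then visit another subdomain or
// path to see the same user; ?logout ends it everywhere.
if (php_sapi_name() !== 'cli') {
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    sso_start($_SERVER['HTTP_HOST'], $https);
    if (isset($_GET['login']))  sso_login(42);   // 42 is a constructed user id
    if (isset($_GET['logout'])) sso_logout();
    header('Content-Type: text/plain');
    echo 'cookie domain: ', sso_cookie_domain($_SERVER['HTTP_HOST']), PHP_EOL;
    echo 'signed in as:  ', var_export(sso_current_user(), true), PHP_EOL;
}
```

The design choice worth noting is that the logout expires the cookie with the same path and domain it was issued with; a cookie deleted with a narrower scope (for example path /jcow/ only) leaves the original cookie in place and the user stays signed in to the other application. Whether the two applications keep one merged customers table or two is independent of this: the shared session only has to carry a user id that both sides can look up.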
