Logging in to one site automatically logs me in to another

Jazzy 1012
I have a main site that logs users in to their profiles. How can I make it so that if a user is logged in to the main site, they are automatically logged in to the secondary site (a whole other site & server)? Do I have to use file_get_contents?
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
How you do this relates specifically to how your session management is handled.

If this is your first time doing this, likely good for you to research various ways WordPress does this + extract whatever code seems like it can be modified for your specific session management approach.

Likely GitHub will be a good starting point.

There is no single answer for this, as there are many factors to consider.

Also, if you're running multiple site instances/copies, then be sure to look at how WordPress handles multi-instance, session management.
Most Valuable Expert 2017
Distinguished Expert 2018

Commented:
This depends on what you have access to in terms of the servers in question.

The latest trend for solving this problem is to use JWT (JSON Web Tokens). With JWT authorisation you can do third party authentication.

When you authenticate with your primary server the server generates a JWT - this is stored in localStorage on the client. With each request to the server the token is added to the header of the request - where it is retrieved on the server side and validated.

When you need to authenticate to a third party you still include the token in the header - the second server can then authenticate the token locally or make an API request back to the primary server to validate the token.

More on JWTs here: https://jwt.io/

Author

Commented:
Is there a way to do it with file_get_contents, where I send the email and password to the other URL?

David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
This all depends on your session management.

With WordPress, how this is done is all clearly defined.

With custom code, only the developer knows the code they've written, so the developer will be the person to answer this question.

Likely this will include both ends - initial site where login occurs + then other sites.

You might be able to accomplish this via URLs + again this depends on code involved.

When clients ask me about this type of infrastructure, I tell them to use WordPress + write their code as plugins, to leverage WordPress session management... because... session management is a bear to get working correctly in all situations.

Author

Commented:
I have this so far:
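<?php
session_start();
require "new_connection.php";

$email = $_SESSION['email'];
$user_id = $_SESSION['id'];

// Server-side HTTP request to the blog site; the user's browser is not involved.
// urlencode() keeps characters such as "+" or "&" in the address from breaking the query string.
file_get_contents("http://blog.jasmine.com/?e=" . urlencode($email));

// Redirect the browser within the main site.
if ($_SESSION['send_to'] == 1) {
    header("Location: ../profile");
    exit();
} else {
    header("Location: ../deliveries");
    exit();
}
?>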


But it's not sending anything to blog.jasmine, because if I do it from the URL in my browser to see if the blog site is accepting, it does, but when I do it through here, it does not.
Most Valuable Expert 2017
Distinguished Expert 2018

Commented:
You need to understand how sessions work - you cannot share them between two servers.

When you start a session a cookie with a session_id is linked to your client. To establish a session on another server would require creating the session there and then having that site put a cookie on the client.

The only way to do this reliably is with a shared token that both sites can validate and that is included in all requests from client.
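The shared-token approach described in the JWT reply and in the reply above, as an added example that is not part of the original thread: a minimal HS256 JWT that the main site issues after login and the second site verifies before creating its own session. The secret, the `blog` audience value, the 60-second lifetime and the function names are assumptions.

```php
<?php
// Assumed: both servers hold SHARED_SECRET; 'blog' and the 60 s lifetime are illustrative.
const SHARED_SECRET = 'replace-with-a-long-random-value-known-to-both-servers';

function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $txt): string {
    $padded = str_pad($txt, strlen($txt) + (4 - strlen($txt) % 4) % 4, '=');
    $bin = base64_decode(strtr($padded, '-_', '+/'), true);
    return $bin === false ? '' : $bin;
}

// Main site: called after a successful login, before the browser is sent to the second site.
function issue_token(string $email, string $audience, int $ttl = 60): string {
    $now = time();
    $header = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = b64url_encode(json_encode([
        'sub' => $email, 'aud' => $audience, 'iat' => $now, 'exp' => $now + $ttl,
        'jti' => bin2hex(random_bytes(16)), // unique id so the receiver can refuse a replay
    ]));
    $sig = b64url_encode(hash_hmac('sha256', "$header.$payload", SHARED_SECRET, true));
    return "$header.$payload.$sig";
}

// Second site: returns the claims only for an untampered, unexpired token meant for it.
function verify_token(string $token, string $audience): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) return null;
    [$header, $payload, $sig] = $parts;
    // Always recompute HMAC-SHA256 locally; the token's own "alg" field is never trusted.
    $expected = b64url_encode(hash_hmac('sha256', "$header.$payload", SHARED_SECRET, true));
    if (!hash_equals($expected, $sig)) return null;
    $claims = json_decode(b64url_decode($payload), true);
    if (!is_array($claims)) return null;
    if (($claims['aud'] ?? null) !== $audience) return null;
    if (!is_int($claims['exp'] ?? null) || $claims['exp'] < time()) return null;
    return $claims;
}

// Constructed demo values.
$token = issue_token('test@mail.com', 'blog');
[$h, , $s] = explode('.', $token);
$edited = b64url_encode(json_encode(['sub' => 'other@mail.com', 'aud' => 'blog', 'exp' => time() + 60]));
var_dump(verify_token($token, 'blog') !== null);          // genuine token
var_dump(verify_token("$h.$edited.$s", 'blog') !== null); // payload changed after signing
var_dump(verify_token($token, 'shop') !== null);          // token minted for another audience
```

Unlike a bare `?e=` address, the email here is only accepted when the signature made with the shared secret checks out. The receiving site should also record each `jti` until its `exp` passes so a captured token cannot be reused, and both sites should be served over HTTPS.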

Author

Commented:
Yes, I did that: the other site accepts the session when the URL is, for example:
http://blog.jasmine.com/?e=test@mail.com

It works, but I'm having trouble sending it; my file_get_contents is not sending that URL to the browser.
Most Valuable Expert 2017
Distinguished Expert 2018

Commented:
"my file_get_contents is not sending that url to the browser."
file_get_contents reads in a file - it does not have anything to do with the browser.

If it was possible to pass a session across in a URL every single site on the net would be compromised.

The only way to share sessions is for both servers to share a token that is not cookie based, as cookies are bound to domain and protocol.

Author

Commented:
There isn't a way to trigger a URL (go to it without actually going to it)?
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
Read my previous update.

Whether you can trigger this with a URL request or not depends heavily on how session handling code is implemented for each site.

Engage the developers who wrote the code for each site involved to determine if this will work or not.
Most Valuable Expert 2017
Distinguished Expert 2018

Commented:
"There isn't a way to trigger a URL (go to it without actually going to it)?"
This does not make sense. How do you knock on a door without knocking on it?

To establish a session with another computer you need either to visit and authenticate with that server or use a token-based security protocol.

Author

Commented:
The other site's server accepts the session; I wrote code for it to accept the session given in the URL. I just need a way to pass it when the user clicks the button.
Most Valuable Expert 2017
Distinguished Expert 2018
Commented:
The session is stored in a file on the local system. Are you saying you want to get the session file and send it to another server?

I still don't know why you want to do it this way.

Take a look at Auth0.com - it provides a service for exactly this setup - token based authentication allowing for Single Sign On.
David Favor, Fractional CTO
Distinguished Expert 2018
Commented:
If you wrote the code to access a session via URL parameter, then your entire question seems confusing.

If you wrote the code to accept a URL based session, then just pass the session in the URL, based on what your code expects.

Be sure all sites accepting URL-based sessions are SSL wrapped, else anyone will have access to your site.

Author

Commented:
Thanks for clearing everything up!
Most Valuable Expert 2017
Distinguished Expert 2018

Commented:
You are welcome.
