Posted by Jerry Stuckle on 06/10/07 19:52
Samir Chouaieb wrote:
> Jerry Stuckle wrote:
>> Samir Chouaieb wrote:
>>> Hello,
>>>
>>> I am trying to find a solution to a login mechanism for different
>>> domains on different servers with PHP5.
>>>
>>> I have one main domain with the user data and several other domains
>>> that need a login to show data.
>>>
>>> I want the user to login only once when he visits any of my domains.
>>>
>>> The first idea I had is to use the same session for all domains. Is
>>> this possible?
>>>
>>> Any help or hint is appreciated.
>>>
>>> Thanks in advance
>>>
>>> Best regards
>>> Samir
>>
>> No, it's not. Cookies are designed to be domain specific. For
>> security reasons, the browser won't send a cookie belonging to one
>> domain on to another domain.
>>
>> If all of these sites are so closely related, why are they different
>> sites?
>>
>>
> Hi,
>
> thanks first of all for your answer.
>
> > No, it's not. Cookies are designed to be domain specific.
> > For security reasons, the browser won't send a cookie
> > belonging to one domain on to another domain.
>
> You took only the cookies into consideration as a way to store
> session-ids.
>
> > If all of these sites are so closely related, why are they
> > different sites?
>
> Take as an example a set of partner online shops that have a central
> login mechanism.
>
>
> If the login pages of the online shops call a dedicated php-page on the
> main domain that achieves the login if not done already and gives the
> session-id back to the referer page in the url or as POST variable.
>
> If the different shops have the same php-path for session variables on
> the main-domain server, then they will be able to read the content of
> the session.
>
> Does this make sense? Or am I dreaming?
>
>
> Regards
> Samir
>
(Top posting fixed)

No, I'm not talking about cookies which contain session id's. Any
cookie is domain specific. As will be the sessions, if you're smart.

Anything else like passing info back and forth in $_POST or $_GET
variables can be very easily fudged. And even if they all have the same
path on the server, there is a huge amount which can go wrong, as well
as huge potential security holes. For instance, the refer page can be
easily falsified. It's not hard at all.

I wouldn't even try it across multiple domains like this. And I ask
again - if these are so closely related, why aren't they the same
domain? They should be, IMHO. How many other sites do you see where one
signon covers multiple domains?

And please don't top post.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
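
The point in the reply above about `$_GET`/`$_POST` values and the referer being client-controlled, shown as an added example that is not part of the thread or written by either poster: a check that trusts those values, beside a shop-side check of a signed, expiring, single-use ticket. `SHOP_KEY`, the host names, the function names and the ticket layout are all hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.1+. SHOP_KEY, the host
// names and the ticket layout are hypothetical.
const SHOP_KEY = 'constructed-demo-key'; // secret shared by main domain and one shop

// Weak: both inputs are chosen by whoever sends the request.
function naive_accept(array $get, array $server): bool {
    $ref = $server['HTTP_REFERER'] ?? '';
    return strpos($ref, 'https://main.example/') === 0 && !empty($get['sid']);
}

// Main domain: short-lived ticket bound to one user and one shop.
function issue_ticket(string $user, string $shop, int $now, int $ttl = 60): string {
    $claims = ['u' => $user, 'aud' => $shop, 'exp' => $now + $ttl,
               'n' => bin2hex(random_bytes(8))];
    $body = base64_encode(json_encode($claims)); // urlencode() before putting in a URL
    return $body . '.' . hash_hmac('sha256', $body, SHOP_KEY);
}

// Shop: check MAC, audience, expiry and single use, then start its OWN session.
function verify_ticket(string $ticket, string $shop, int $now, array &$seen): ?string {
    $parts = explode('.', $ticket);
    if (count($parts) !== 2) return null;
    [$body, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, SHOP_KEY), $mac)) return null;
    $c = json_decode(base64_decode($body, true) ?: '', true);
    if (!is_array($c) || !isset($c['u'], $c['aud'], $c['exp'], $c['n'])) return null;
    if ($c['aud'] !== $shop || $c['exp'] < $now) return null;
    if (isset($seen[$c['n']])) return null; // already redeemed
    $seen[$c['n']] = true; // in production: a shared store, not a PHP array
    return $c['u'];
}

// Constructed demo values.
$now = 1700000000;
$seen = [];
$forged = ['HTTP_REFERER' => 'https://main.example/login.php'];
var_dump(naive_accept(['sid' => 'made-up'], $forged));          // made-up sid, typed-in Referer
$t = issue_ticket('alice', 'shop-a.example', $now);
var_dump(verify_ticket($t, 'shop-b.example', $now + 5, $seen)); // wrong audience
var_dump(verify_ticket($t, 'shop-a.example', $now + 5, $seen)); // first use
var_dump(verify_ticket($t, 'shop-a.example', $now + 9, $seen)); // replay
var_dump(verify_ticket('x' . $t, 'shop-a.example', $now + 9, $seen)); // tampered body
```

The shop never reads the main domain's session; it only learns a user name from a ticket it can verify and then creates a session under its own domain.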