Posted by C. on 09/25/07 12:01
On 24 Sep, 21:59, "laredotorn...@zipmail.com"
<laredotorn...@zipmail.com> wrote:
> On Sep 24, 3:51 pm, "C." <colin.mckin...@gmail.com> wrote:
>
>
>
> > On 24 Sep, 20:58, "laredotorn...@zipmail.com"
>
> > <laredotorn...@zipmail.com> wrote:
> > > Hi,
>
> > > I'm using PHP 4.4.4. I have two domains -- www.mydomain1.com and www.mydomain2.com. Both point to the same IP address. I have two
> > > pages on that IP -- first.php
>
> > The solution is to suck in pages from both mydomain1 and mydomain2 at
> > the point where the session is established. This could be done with
> > frames or by redirection. Life's probably a lot simpler if you pass
> > across the generated session id from one to the other, but you need to
> > be wary of session fixation. Otherwise you'll probably need to write
> > your own session handler to maintain 2 sessions alive and in sync.
>
> > HTH
>
> > C.
>
> Thanks for your response, C. Regarding
>
> > Life's probably a lot simpler if you pass
> > across the generated session id from one to the other
>
> hate to be dense, but how do you do that? - Dave
When you start the session on, say domain1, include an iframe with a
hidden div, and pass the sessionid to a page in domain2 which sets a
session cookie:
e.g. www.domain1.com/logged_in.php...
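<?php
// session_id() is always '' before session_start(), so test for the
// session cookie instead: no cookie means a new session is being created.
$create_new_session = !isset($_COOKIE[session_name()]);
session_start();
// .... start doing the page header and body...
// ... at the very end of the page, before the </body> tag....
if ($create_new_session) {
    session_commit();
    // absolute URL, otherwise the browser resolves it relative to domain1
    $url = "http://www.domain2.com/sync_session.php?usesess=";
    // encrypt() is a placeholder helper; urlencode() protects the +, / and =
    // characters that base64 output can contain
    $url .= urlencode(base64_encode(encrypt(session_id() . '/' . time(),
        's3cr3t')));
    // I've not spelled out how to use mcrypt
    print "<iframe src=\"$url\" style=\"width:10px;height:5px\"></iframe>\n";
    // nor added the css to make it invisible
}
?>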
.....and www.domain2.com/sync_session.php:
<?php
// decrypt() is the placeholder counterpart of encrypt() on domain1
$request_session = decrypt(base64_decode($_GET['usesess']), 's3cr3t');
list($use_id, $requested) = explode('/', $request_session);
// accept only requests issued within the last 10 seconds
// ($requested < time()+10 would also accept arbitrarily old requests)
if ($requested > time() - 10) {
    // allow a 10 second window to reduce probability of replay attacks
    // although a more complete solution would be to set a session
    // variable in domain1 as a visa and
    // reset it here.
    setcookie(session_name(), $use_id);
    print "OK, using same session id";
} else {
    print "Invalid sync request";
}
?>
....or something like that. Not tested - YMMV.
C.
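
An added example, not part of C.'s post: the same handoff with the two pieces the post leaves open filled in, using libsodium's authenticated secretbox in place of the unspecified mcrypt helpers, plus the single-use "visa" kept in the session store that both domains share on the one server. It assumes PHP 7.2+ with the sodium extension (not the PHP 4.4.4 of the thread); `make_handoff()`, `accept_handoff()` and `$store` are illustrative names, and the demo values are constructed.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.2+ with ext-sodium.
// make_handoff(), accept_handoff() and $store are hypothetical names; $store
// stands in for the session storage that both domains share on the one server.
const HANDOFF_TTL = 10; // seconds, the window used in the post
const NB = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;

// domain1: record a one-time visa in the session, then seal id/time/visa.
function make_handoff(string $sid, string $key, int $now, array &$store): string {
    $visa = bin2hex(random_bytes(16));
    $store[$sid]['visa'] = $visa;
    $nonce = random_bytes(NB);
    $plain = json_encode(['sid' => $sid, 'iat' => $now, 'visa' => $visa]);
    $box = $nonce . sodium_crypto_secretbox($plain, $nonce, $key);
    return rtrim(strtr(base64_encode($box), '+/', '-_'), '='); // URL-safe
}

// domain2: returns the session id to set as the cookie, or null on any failure.
function accept_handoff(string $token, string $key, int $now, array &$store): ?string {
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    if ($raw === false || strlen($raw) < NB + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;                                   // malformed
    }
    $plain = sodium_crypto_secretbox_open(substr($raw, NB), substr($raw, 0, NB), $key);
    if ($plain === false) return null;                 // forged or altered
    $c = json_decode($plain, true);
    if (!is_array($c) || !isset($c['sid'], $c['iat'], $c['visa'])) return null;
    if (!is_string($c['sid']) || !is_int($c['iat']) || !is_string($c['visa'])) return null;
    if ($c['iat'] > $now || $now - $c['iat'] > HANDOFF_TTL) return null; // stale
    $expected = $store[$c['sid']]['visa'] ?? null;
    if (!is_string($expected) || !hash_equals($expected, $c['visa'])) return null;
    unset($store[$c['sid']]['visa']);                  // reset the visa: single use
    return $c['sid'];
}

// Constructed demo values.
$key = sodium_crypto_secretbox_keygen();
$store = [];
$sid = 'constructed0session0id0for0demo0';
$t0 = 1190716860;
$token = make_handoff($sid, $key, $t0, $store);
var_dump(accept_handoff($token, $key, $t0 + 3, $store));   // first use, inside the window
var_dump(accept_handoff($token, $key, $t0 + 4, $store));   // same token replayed
$late = make_handoff($sid, $key, $t0, $store);
var_dump(accept_handoff($late, $key, $t0 + 60, $store));   // outside the window
$bent = ($late[0] === 'A' ? 'B' : 'A') . substr($late, 1);
var_dump(accept_handoff($bent, $key, $t0 + 1, $store));    // altered token
```

In sync_session.php the value returned by `accept_handoff()` is what would be passed to `setcookie(session_name(), ...)`; a null return maps to the "Invalid sync request" branch.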