There are 2 domains on one server. If user is logged on one domain he has to be logged on the another domain too. How to make cross-domain authorization in php on one server? I solved it for sub-domains, but can't solve for different second-level domains.
Viewed 2,303 times
2
-
Research SSO --> Single Sign On – Dennis Haarbrink Oct 17 '12 at 09:04
-
It's complicated. First, you must have the same user properties, then your user must log in on one website and you have to set the cookie; the cookie must contain a unique hash key. How will you obtain the common user properties? You either have a common database for all the websites, or use an API. You must take into consideration that the user might use multiple web browsers, and the stuff gets nasty here; you lose control of the preset cookies; if the user has logged in using Chrome and now uses Mozilla, you can't do anything; you can't access cookies from x.com if they have been set by the a.com domain! – Ionut Flavius Pogacian Oct 17 '12 at 09:27
-
A similar problem was discussed here on [stackoverflow](http://stackoverflow.com/questions/12711626/session-id-not-getting-session-variables). There are ways to do it, but you need to be careful about hijacking sessions and lock it down well. – nickhar Oct 17 '12 at 09:33
-
ideas: http://stackoverflow.com/questions/342378/cross-domain-login-how-to-login-a-user-automatically-when-transferred-from-one – Ionut Flavius Pogacian Oct 17 '12 at 09:37
-
But if we are talking about a redirect from the main website, if the user is logged in, this is another story, and this is something that can be done. – Ionut Flavius Pogacian Oct 17 '12 at 09:43
2 Answers
2
The main problem is that the cookie isn't sent by the browser if you're on another domain.
You can't make the browser write a cookie for another domain, either.
What can be done is to send a unique token to the other domain and, when it is validated, write a cookie on the second domain. That can be done once authenticated, using an iframe or a double redirect (iframe cookies are blocked by some browsers, like Safari). The unique token will have to be validated by the second domain and then invalidated (removed) so it can't be used again by another user (man-in-the-middle attack).

blue112
-
How can you access a cookie set by the a.com domain from the b.com domain? You may see it using Mozilla, but you can't access it. – Ionut Flavius Pogacian Oct 17 '12 at 09:32
-
You obviously can't, it would be a huge security leak. That would mean for example that you can access stackoverflow.com session cookies from hacksite.com... Quite messy. – blue112 Oct 17 '12 at 09:40
-
You can see the session data using Mozilla, but it is no use for you, as you would already know all your data, because you wrote it :)) – Ionut Flavius Pogacian Oct 17 '12 at 09:42
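The one-time token handoff described in the answer above, as an added PHP example (not code from the answer or its author). It assumes both domains, being on one server, share a token store (a plain array stands in for a database table here), that domain B exposes an `/sso` endpoint as the redirect target, and that `https://b.example` is a placeholder domain name.

```php
<?php
// Added example: one-time handoff token for the double-redirect flow.
// Both domains run on one server, so they can share a token table; a plain
// array stands in for that table here (assumption, not from the answer).
const HANDOFF_TTL = 60;                 // seconds the token stays valid

// Domain A, after a successful login: mint a random token, store only its
// hash (a leaked table then yields no usable tokens) and build B's redirect.
function issue_handoff(array &$store, int $userId, string $target): string {
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = [
        'user'   => $userId,
        'target' => $target,                  // bind token to one destination
        'exp'    => time() + HANDOFF_TTL,
    ];
    return $target . '/sso?token=' . rawurlencode($token);
}

// Domain B's /sso endpoint: look the token up, delete it before anything
// else (single use), then check expiry and destination. Returns the user id
// to log in, or null if the token is unknown, reused, expired or misdirected.
function redeem_handoff(array &$store, string $token, string $self): ?int {
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    $row = $store[$key];
    unset($store[$key]);                      // invalidate first, then validate
    if ($row['exp'] < time() || !hash_equals($row['target'], $self)) {
        return null;
    }
    return $row['user'];
}

// Demo run (CLI): placeholder domains, constructed user id 42 logs in on A.
$store = [];
$url   = issue_handoff($store, 42, 'https://b.example');
parse_str(parse_url($url, PHP_URL_QUERY), $q);
$first  = redeem_handoff($store, $q['token'], 'https://b.example');
$replay = redeem_handoff($store, $q['token'], 'https://b.example'); // same token again: must be rejected
printf("redirect: %s\nfirst redeem: %s\nreplay: %s\n",
    $url, var_export($first, true), var_export($replay, true));
// On a real B, a non-null result is followed by session_regenerate_id(true)
// and storing the user id in $_SESSION, so the browser now holds B's own cookie.
```

Serve the redirect over HTTPS only, since the token travels in the URL and is as sensitive as a password until it is redeemed.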
1
You must research CAS and implement it depending on what framework you are using. For example, in my Zend application I would use Zend_OpenId and Zend_Oauth.

bogatyrjov