6

I am having an issue that I hope you can help with. Let's say I work for a hypothetical company called "Blammo", and we have a hypothetical product called "Log". I am trying to set up a system where someone could log in to logfromblammo.com and order some of our products, and then when they are ready to purchase go to checkout.blammo.com to pay for their order. Eventually I want to allow for Blammo to launch a new hypothetical product with it's own website: rockfromblammo.com, and have that site also able to share a session with checkout.blammo.com so that users can have a single shopping cart across both product websites.

Naturally the hypothetical scenario described above is not how my company actually works, but it is a fair example of what I need to do. We have an existing user database, and we have ways to authenticate any of our users on any of our sites, but the goal I have is to allow users to cross seamlessly from one site to another without having to re-authenticate. This would also allow for us to seamlessly transfer data such as a shopping cart to the checkout site.

I have (briefly) looked at solutions such as OpenID, but I need to be able to integrate whatever solution we have with our existing authentication method, which is not terribly robust. Is there any good way to do this through PHP alone?

Brendon Dugan
  • 2,138
  • 7
  • 31
  • 65
  • So basically your site has multiple 2nd level domain names instead of `product.site.com` kind? – Ja͢ck Dec 10 '12 at 18:16
  • 2
    I think your best solution here is to have rockfromblammo.com redirect to rockfrom.blammo.com -- security is a big issue in things like this, and giving access to a shopping cart to two different domains opens the risk of some third party figuring out how to do the same thing. – Blazemonger Dec 10 '12 at 18:20
  • @Blazemonger Its not just a security risk, it cannot be done across domains. It can only be done cross subdomains! – Ben Carey Dec 10 '12 at 18:25
  • 1
    @BenCarey Oh, I'm sure it COULD be done. It would just require rewriting the entire shopping cart logic and render the system completely insecure. – Blazemonger Dec 10 '12 at 18:36

5 Answers5

9

What you could do is create "cross-over" links between the sites to carry the session over.

The simplest way is to pass the session id via the query string; e.g.

http://whateverblammo.com/?sessid=XXYYZZ

Before you start thinking that anyone can trap that information, think about how your cookies are transferred; assuming you're not using SSL, there's not much difference for someone who taps the network.

That doesn't mean it's safe; for one, users could accidentally copy/paste the address bar and thus leaking out their session. To limit this exposure, you could immediately redirect to a page without the session id after receiving it.

Note that using mcrypt() on the session id won't help much, because it's not the visibility of the value that's the problem; session hijacking doesn't care about the underlying value, only its reproducibility of the url.

You have to make sure the id can be used only once; this can be done by creating a session variable that keeps track of the use count:

$_SESSION['extids'] = array();

$ext = md5(uniqid(mt_rand(), true)); // just a semi random diddy
$_SESSION['extids'][$ext] = 1;

$link = 'http://othersite/?' . http_build_query('sessid' => session_id() . '-' . $ext);

When received:

list($sid, $ext) = explode('-', $_GET['sessid']);
session_id($sid);
session_start();
if (isset($_SESSION['extids'][$ext])) {
    // okay, make sure it can't be used again
    unset($_SESSION['extids'][$ext]);
}

You need these links every time a boundary is crossed, because the session may have gotten regenerated since the last time.

Ja͢ck
  • 170,779
  • 38
  • 263
  • 309
  • 1
    This is an old answer, but it's worth noting there is a potential security issue here if the user happens to share their screen while transiting the domain-boundary. The token would be exposed in the URL, which could then be used to hijack the session, if it's at all long-lived. – Yona Appletree Dec 10 '19 at 00:39
  • that potential security issue is already mentioned in the answer, though? – Ja͢ck Dec 10 '19 at 04:08
  • Ah, the bit about it being used once. True, I missed that. Though these days many systems use stateless servers, so it is tricky to keep track of use count without using the database or other external storage. – Yona Appletree Dec 10 '19 at 20:48
4

It can be done, but not with simple cookies and it is not trivial. What you are after is a single sign on (SSO) solution, similar to Google's which share's login's across i.google.com, gmail.com, youtube.com etc.

I have used OpenID to implement this in the past.

The basic idea is to have a single authentication domain (Provider), whenever one of the sites (Consumer) wants to authenticate the user, they redirect them to the authentication domain. If they aren't signed in, they can log in using whatever details you require.

If they are already logged in (even from a different target site), they don't need to log in again.

The user is then sent back to the target site with the addition of a token in the url. This token is used by the target site's server to verify the user is authenticated with the authentication server.

This is an extremely simple explanation. Doing this is not difficult, doing it securely is much more so. The details of generating and authenticating the tokens securely is the challenging part. Which is why I suggest building upon a well designed system such as OpenID.

Brenton Alker
  • 8,947
  • 3
  • 36
  • 37
3

In cross domain Ajax, you may find that cookie and, followingly, session are lost for cross domain requests. In case you'll be making ajax calls from you site example.com to your subdomain s2.example.com you will need to use properties in headers for PHP:

header('Access-Control-Allow-Origin: https://example.com');
header('Access-Control-Allow-Credentials: true');

and in JS you going to add

xhrFields: { withCredentials: true }

Otherwise cookies are not passed and you can't make use of session on your subdomain.

Full JS request to subdomain will be without lost of session:

$.ajax({
    url: "https://s2.example.com/api.php?foo=1&bar=2",
    xhrFields: { withCredentials: true },
    success:function(e){
        jsn=$.parseJSON(e);
        if(jsn.status=="success") { 
                alert('OK!');
        } else {
                alert('Error!');
        }
    }
})
K.Alex
  • 91
  • 3
2

You need to set the session cookie domain like so:

session_set_cookie_params($lifetime,$path,'.site.com')

This will only work if the sites are on the same domain name including TLD (Top Level Domain).

See here for more info

Alternatively, if you are looking at trying to access sessions cross domains, as in from site1.net to site2.com, then this cannot be done.

Ben Carey
  • 16,540
  • 19
  • 87
  • 169
  • This is the correct answer. This is from the [php core](https://www.php.net/manual/en/function.session-set-cookie-params.php). More detail is [on this stackoverflow](https://stackoverflow.com/questions/59534999/how-to-tell-php-to-use-samesite-none-for-cross-site-cookies). `session_set_cookie_params([ 'lifetime' => $currentCookieParams["lifetime"], 'path' => '/', 'domain' => $cookie_domain, 'secure' => "1", 'httponly' => "1", 'samesite' => 'None', ]);` – Richard Tyler Miles Aug 24 '23 at 21:55
0

If it's OK for your site to rely on Javascript to function, you could presumably do something like the following:

Say you have a session on blammo.com and you want to access it from rockblammo.com. On the rockblammo.com page you could load a <script> from blammo.com/get-session.js, this will (from the server side) return the session-id. Once that returns, you insert a new <script> tag in the page, pointing to rockblammo.com/set-session.js?sessionId=XXX, where XXX is the session-id you just got from blammo.com. Now, on the server side of rockblammo.com, the session cookie is updated and set to this session-id. Going forward, the two pages will now share the same session-id, and assuming they have access to the same session store on the backend, they would be in sync.

E.g. the output from blammo.com/get-session.js would be:

var sessionId = "XXX";
var s = document.createElement("script");
s.src = "/set-session.js?sessionId=" + escape(sessionId);
document.body.appendChild(s);

The output from rockblammo.com/set-session.js would be blank, but would include a http header, such as:

Set-Cookie: sessionId=XXX

If you prefer not to rely on Javascript, you could probably do the same by redirecting forth and back between the two sites and passing the sessionId in a query-string parameter (GET param).

troelskn
  • 115,121
  • 27
  • 131
  • 155