23

I'm not sure if this is even possible.

My company has their main site that accept credit cards and other payment information. They also have other sites that are directly related to events we host. For example our main site is something like:

http://www.etm124biz.com

But have another site specifically for an annual event:

http://www.etm124annualgala.com

My 'event' site is handling registration and saves to our database, but our main site handles the credit card processing. With current purchases handled on the main website, sessions are used to pass data to the payment/cc screens.

Without having to change my payment code (to accept, say, $_GET parameters), shouldn't my $_SESSION variables be passing over?

Example:

$_SESSION['s_address1'] = $_POST['address1'];
$_SESSION['s_address2'] = $_POST['address2'];
$_SESSION['s_city']     = $_POST['city'];
$_SESSION['s_state']    = $_POST['state'];
$_SESSION['s_zip']      = $_POST['zip'];

header('Location: https://www.etm124biz.com/payment.php?oid=' . $oid . '&src=conf&id=' . $seq);

My payment.php page looks for the address session variables above.

etm124
  • 2,100
  • 4
  • 41
  • 77

4 Answers4

27

Cross-domain session ids

Session ids are passed around using cookies by default. Since your websites are on different domains the session cookie does not transfer over, so that's one thing that prevents cross-domain sessions from working.

One technique to have the session ids transfer over is to append them to the query string of all your requests (PHP even has some degree of built-in support for this). However, this way of doing things has many drawbacks -- the most important being that people copy/paste URLs all the time, with all that implies about revealing valid and reusing invalid session ids -- and therefore is not recommended.

A much better approach would be to use Javascript to make cross-domain requests across all of the interested domains (which would need to be cooperating in this of course). This way you can seamlessly transfer your session id across as many servers as you need to.

Shared session data

Even if the cookie were not a problem, you would need to have the session data on some storage commonly accessible by all your servers. The default storage is the local filesystem, so again this is something that needs to change if you want cross-domain sessions.

A simple solution to this problem would be to use a custom session handler that stores the data on a database or other globally accessible store.

Jon
  • 428,835
  • 81
  • 738
  • 806
  • @hek2mgl: Wrong in what way? – Jon Jan 30 '13 at 18:58
  • Session ids can be transferred as GET vars also. Session can be saved in databse. Read my answer – hek2mgl Jan 30 '13 at 18:59
  • @hek2mgl how so? Jon and Intrepidd are basically saying the same thing. – etm124 Jan 30 '13 at 18:59
  • @hek2mgl: Of course they can. But that makes the answer *incomplete*, not *wrong*. – Jon Jan 30 '13 at 19:00
  • @hek2mgl, read the second part of his answer. He said the same thing you did. "...you would need to have the session data on some storage commonly accessible by all your servers." – etm124 Jan 30 '13 at 19:00
  • Give it a headline, copy it to top and you'll get +1 ;) – hek2mgl Jan 30 '13 at 19:02
  • Thats too important for web applications to be answered wrong or incomplete. Have to leave (must hurry). Will have look later. See you! – hek2mgl Jan 30 '13 at 19:04
  • 5
    @hek2mgl: I 'm sorry, but that's bollocks. If you really believed that then you wouldn't have left a two-line answer to this "too important" question. – Jon Jan 30 '13 at 19:06
  • 1
    bollocks is to drop tons of text that say it is 'impossible' even if it is possible and (well) known since php 3.x.x + there are several workarounds – hek2mgl Jan 30 '13 at 20:49
  • -1 Very wrong. There are major security implications of transferring session ids in an URL or via JS. This leaves everything open to any attacked that can get the cleint's request URI... – Borislav Sabev May 11 '17 at 08:24
  • @BorislavSabev I'm not sure I explained well enough. Session IDs in URLs are bad *because URKs can be shared by people who don't realize the security implications* (which may or may not be a problem depending on lots of other factors), yes; which is why I am explicitly recommending against it. And what do you mean "via JS"? It's HTTP requests with the same information in every case, JS or not is completely irrelevant. – Jon May 11 '17 at 08:58
6

It's late to answer this question but as I have faced this problem and could not find the solution even after tens of hours and searching google, stackoverflow all over but yet no success. But now finally I have figured out the problem and the solution for it.

SERVER SIDE

For Cross-Domain PHP Sessions, we need to do following things

Step 1

First of all, we need to set these lines in .htAccess in our main domain where the php receives the request

SetEnvIf Origin ^(http?://m\.example\.com(?::\d{1,5})?)$   CORS_ALLOW_ORIGIN=$1
Header append Access-Control-Allow-Origin  %{CORS_ALLOW_ORIGIN}e   env=CORS_ALLOW_ORIGIN
Header set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header set Access-Control-Allow-Credentials true
Header set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

These above lines tells to allow requests from http://m.example.com only. Note that I have set http. You can set https if you have SSL Connection.

Step 2

You must allow PHP to share same sessions for different subdomains before session_start()

ini_set('session.cookie_domain', '.example.com');
session_start();

If you have access to php.ini then set it once there then you won't need to set above lines in your PHP Files.

CLIENT SIDE

And last, you must tell the Browser to make request with Cross-Domain. As in JQuery

$(document).ready(function()
{
  $.ajaxSetup({
    crossDomain: true,
    xhrFields: {
        withCredentials: true
    }
  });
});
Airy
  • 5,484
  • 7
  • 53
  • 78
2

This question does explore the subject a lot.

Danilo Kobold
  • 2,562
  • 1
  • 21
  • 31
0

Assume you have both domains as virtual servers on one machine and you havent called session_save_path() (or you have called it with the same directory on both servers), you can share sesssion using session_id('..');

For example if you have 2 domains, origin1.localhost and origin2.localhost:

$set = null;
if(isset($_GET['sharesession'])) {
        $set = session_id($_GET['sharesession']); //call before session_start()
}
session_start();
var_dump(session_id()); //show current session id
var_dumP($_COOKIE); // cookie send by browser, changes after second reload

var_dump($_SESSION); //filled after second reload as its values are assigned in the code below

if($_SERVER['HTTP_HOST'] === 'origin1.localhost') {
    $_SESSION['origin1'] = true;
} else {
   $_SESSION['origin2'] = true;
}


echo '<a href="http://origin1.localhost?sharesession='.session_id().'">origin1.localhost</a><br />';
echo '<a href="http://origin2.localhost?sharesession='.session_id().'">origin2.localhost</a>';

Of course, you do not have to use only GET but also POST or Javascript cross-domain requests to send the session id.

Petr
  • 1,159
  • 10
  • 20