Transferring sessions across domains
#1

[eluser]LinkFox[/eluser]
Ello'

Having a bit of trouble here and was wondering if someone could lend a hand.

I am with Fasthosts and tied into an unpleasant contract.

Fasthosts, being about as useful as... well, something not very useful, have their SSL set up on a different server (different domain, FTP, etc.). This causes me an issue when a user logs in to my site and then clicks on the account page in order to look at the account (which needs to be hosted on SSL).

Is there any way in PHP (CI) to transfer a session across multiple specific domains? I am using a DB to store my session information.

Thanks in advance for your help.

David
#2

[eluser]m4rw3r[/eluser]
My guess is that it would be possible to use the same db server and database for both servers, then the same session data should be available.
#3

[eluser]LinkFox[/eluser]
[quote author="m4rw3r" date="1226960954"]My guess is that it would be possible to use the same db server and database for both servers, then the same session data should be available.[/quote]

Hi, thanks for your reply.

The issue is that the cookie containing the session ID does not exist for the "other" URL.

How would I go about setting up the session cookie to have multiple domains in it? If that's possible at all?

Thanks
#4

[eluser]The Wizard[/eluser]
Would be interested too.
#5

[eluser]simshaun[/eluser]
You could send the session_id in the url across the domains (only needs to be done once).

Although this opens up the possibility for session hijacking, it's the only way I know.

Also, I think you have to use PHP's native session library instead of CI's, because AFAIK you can't tell CI's what session_id to use when starting the session.

Example:

Domain A -
Code:
// Native PHP sessions: session_id() is empty until the session has been started.
session_start();
$sess_id = session_id();
// urlencode() so the id reaches the other domain unchanged.
$this->output->set_header("Location: http://www.website2.com/file.php?sid=" . urlencode($sess_id));

Domain B -
Code:
$sid = $this->input->get('sid');
// Simple validation: only accept the characters PHP itself uses in a session id,
// so an arbitrary string from the query string never reaches session_id().
if ($sid !== FALSE && preg_match('/^[a-zA-Z0-9,-]{22,256}$/', $sid)) {
    // session_id() must be called before session_start() for it to take effect.
    session_id($sid);
    session_start();

    // If you want to get the SID out of the url, you need to "refresh" the page here
    // with another Location header (or use the URL helper's "redirect" method).
}
#6

[eluser]dcunited08[/eluser]
Domains are set up to keep cookies semi-secure. My suggestion is to follow the suggestion in the link above but, instead of using the id, use a one-time key to the session in the database with a timeout feature. That would limit the possibility of session hijacking.
#7

[eluser]The Wizard[/eluser]
Currently I'm developing a system.
When a user registers an account, I also generate a secure key:

// md5 of uniqid() seeded with rand(); note that neither rand() nor uniqid() is a cryptographically secure source
$key = md5( uniqid( rand( 100, 99999999 ), TRUE ) );

and enter it into the database too.
If the user tries to log in to the remote site, the
remote site will redirect him to the main site; if the main
site session is still active, he will be forwarded to the remote
site WITH his secret key (to a special URL). The site will check
the secret key, look it up in the database, retrieve the info,
set up another session for that site, and that's it :)
#8

[eluser]simshaun[/eluser]
The problem with that is all it would take to spoof "logging in" to someone else's account is to know their secret key. The secret key is not "invisible" to the user if they want to see it. Because it's not invisible to them, it's also not invisible to someone that's got access to his or her computer.

For example,
I gain access to a person's computer and sit there with a tool that catches all HTTP headers.
Person goes to the website and logs in, which forwards them somewhere else with their secret key in the url.
Presto, that url pops up in the HTTP headers and I now have the secret key.
I copy/paste the url into my browser and I'm now logged in.

That's also the problem with having the session_id in the url: session hijacking. That's why you should regenerate session ids.

Read All of This: http://phpsec.org/projects/guide/
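As an added example that is not code from the thread, here is the one-time, time-limited handoff key dcunited08 suggests in #6, written so that it also answers simshaun's replay and regenerate-session-id points above: the token is random, stored only as a hash, consumed atomically once, and the receiving domain starts a fresh session rather than adopting an id from the URL. The `handoff` table, the `hk` parameter, the function names and the in-memory SQLite database are assumptions made so the script runs stand-alone; in practice both domains would share one database.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with pdo_sqlite;
// the table, function and parameter names are invented for this demo.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE handoff (
    token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL,
    expires_at INTEGER NOT NULL, used INTEGER NOT NULL DEFAULT 0)');
const HANDOFF_TTL = 60; // seconds; the browser follows the redirect at once
// Domain A, after the user has authenticated: mint a single-use token and
// build the redirect. Only the hash is stored, so a copy of the shared
// database does not yield usable keys.
function issue_handoff(PDO $db, int $user_id, string $target): string {
    $token = bin2hex(random_bytes(32)); // CSPRNG; rand()/uniqid() are guessable
    $stmt = $db->prepare('INSERT INTO handoff (token_hash, user_id, expires_at)
                          VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $user_id, time() + HANDOFF_TTL]);
    return $target . '?hk=' . urlencode($token);
}

// Domain B: exchange the token for a user id, or null if it is malformed,
// unknown, expired or already used. The UPDATE flips `used` atomically, so a
// URL replayed from a header dump (post #8) finds no row left to claim.
function consume_handoff(PDO $db, string $token): ?int {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $hash = hash('sha256', $token);
    $claim = $db->prepare('UPDATE handoff SET used = 1
                           WHERE token_hash = ? AND used = 0 AND expires_at > ?');
    $claim->execute([$hash, time()]);
    if ($claim->rowCount() !== 1) {
        return null;
    }
    $row = $db->prepare('SELECT user_id FROM handoff WHERE token_hash = ?');
    $row->execute([$hash]);
    return (int) $row->fetchColumn();
}
// Domain B's request handler would then call this: a brand-new session id for
// the user, never one taken from the URL (simshaun's "regenerate session ids").
function start_user_session(int $user_id): void {
    session_start();
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
}

// Stand-alone demo: issue on A, consume once on B, then watch the replay fail.
$url = issue_handoff($db, 42, 'https://ssl.example.test/account');
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
echo 'first use:  ', var_export(consume_handoff($db, $q['hk']), true), PHP_EOL;
echo 'second use: ', var_export(consume_handoff($db, $q['hk']), true), PHP_EOL;
```

Run it from the command line; the first call yields the user id and the second, identical URL is rejected because the row is already marked used.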
#9

[eluser]The Wizard[/eluser]
Yes, sure.
But for a starting-up web page, until another solution is found,
it could be sufficient.

Let's say the ID got stolen.

So we add a basic IP check: if the secret key gets compromised and
someone tries to gain access, we deny the access and regenerate
another key.

That would hopefully, or at least try to, prevent this.


I also thank you very much for the URL.
I will read it.
#10

[eluser]simshaun[/eluser]
Ah yes, you are getting closer :)

You can't rely only on the IP.

Those articles should be a good help in securing your apps.

Don't rely just on that phpsec though.
Branch out and do some googling :)
There are MANY great sources out there that discuss ways to make your site secure.
