Is it possible to setup your two different project on a same domain and same server but different SESSION variables and point to different folders?
One is on maindomain.com (share session variables with subdomains except dashboard.maindomain.com) and one is 'dashboard.maindomain.com'
This implies that session variables must be shared between the primary domain and any subdomain, except dashboard.
Yes, it's possible.
In theory, it should be as easy as just properly configuring different cookie domains, as well as having separate storage (e.g. different file directories, in case you're using file-based sessions).
However, because cookies for example.com would be valid for and sent by clients to all subdomains, make sure to use a different session cookie name for your dashboard. subdomain. That way, it won't attempt to process cookies that weren't intended for it.
In addition, that's a security concern because your dashboard. app will now effectively be able to sniff cookies that are only intended for your main domain and other subdomains.
So, while technically possible, it might not be a good idea to do that.
Related
I run a website which has many different subdomains. We are introducing a new download server which is using a subdomain of the main domain. The way we normally check user information is with cross subdomain cookies etc but I know this wont work because they of the different server and I wondered what would be the best way of checking if the user is logged in etc on the main server.
What I am wanting to do is the following
Sub1.domain.tld = main server
When you want to download a file, it will point you to the appropriate server where the files are stored
Sub2.domain.tld = download server
Is there any way to keep or check if the user was logged in please.
The way we normally do it with cookies accross subdomains is
setcookie('LoginVariable1', $LoginVariable1, $expiretime, '/', '.domain.tld');
setcookie('LoginVariable2', $LoginVariable2, $expiretime, '/', '.domain.tld');
Cross domain cookies will exactly work in your case. The only case they would not work would be if you have "www.somedomain.example" and "download.someotherdomain.example", because you cannot define a cookie to be cross-domain for the top-level domain "example".
So this boils down to have a cookie that tells all servers something like the session id of the user, or an authentication token he got during login, and then all servers must ask some central authentication service whether this session or token is currently logged in.
If the subdomains map to different servers, you have two ways as I see it.
1) You can share the directory that php writes sessions to on server A and point server B there.
2) You can use database sessions and have both servers connect to a single database to verify/retrieve the session.
In both cases, you end up with a single, central place to store sessions.
I have a homebrew CMS installed on two different web servers. Each maintain the same code. I have had a really annoying problem when I try passing $_SESSION variables between different domains.
My CMS is on domain1.com. The website it is controlling is on domain2.com. My system passes all the session variables for the login information from domain1.com to domain2.com via a url link (domain1.com has a link like this: http://domain2.com?sessionId=1gh...)(sessionId is generated by session_id()). domain2.com retrieves the session id and does session_id($_GET['sessionId']) to set the session and grab the variables. It then proceeds to show a bar at the top with admin features.
This system works well on one of my hosts, as well as my localhost. But I recently transferred to a different host and installed my CMS with the same code with success. Everything works except for this feature. When I click on the link and try to set the session_id, the session_id changes, but the $_SESSION variables are removed. When I return to my CMS, I have to relogin. Somehow on this host, changing the session_id deletes the $_SESSION variables.
I have never liked session variables and I would not use them if I were to start again (I would probably use plain cookies). But I really need to figure this out. The host that it works on is Bluehost, with both domains hosted by Bluehost. The host that it does not work on is [EDIT]ByteHost, and the domain registrar is Godaddy.
Here is some example code from domain2.com:
...
if ( $_GET['sessionId'] )
{
session_id($_GET['sessionId']);
}
session_start();
echo session_id(); // returns the proper sessionId passed through the url
print_r($_SESSION); // does not work. returns array()
...
I can guarantee that the $_SESSION variables existed before, because I was still logged into my CMS.
Any ideas why session variables work on 1 host, but not on another?
I tried replacing the php.ini file with the working host one. Problem was still there.
Thank you for your time!
UPDATE
I ended up removing this from my CMS. Now, I just pass the login details over the url and it logs the person in. It works a lot cleaner.
Here are some reasons why this may not be working:
different physical server
different account for each domain (even if it's the same physical server)
different apache/php daemon for the domains (some shared hosting sites will create a separate directory for each domain, and then restrict apache from sharing information between domains. This will also have the effect of preventing session information from being passed. Think about it - do you want someone else's domain on the same hosting provider to have access to YOUR client's session info?)
configuration (apache or php), or .htaccess rules
Here is what I will recommend: stop doing this. This is a great opportunity to fix a very serious security flaw in your code. By the time you diagnose it with the hosting provider, you could probably just rewrite everything you need using HTML5 storage or secure cookies.
My guess is that the hosting provider is smart enough to protect session information form being stolen from another domain. But in either case, I strongly recommend you change the code so that it does not need to steal session information from another domain.
To have a session on multiple domains you would need to have the session id passed in the url instead of the sessions cookie as cookies only work on a single domain basis.
Using subdomains would solve the problem if they're not separate customers a.domain.com and b.domain.com
I have a server on which I am using dokuwiki to host both a homepage as well as a wiki. The server is available under www.domain.com and the wiki is available under wiki.domain.com. Internally both subdomains are served from different directories.
However this means, that everybody who wants to sign up has to sign up for the both domains and manage a duplicate set of user accounts for both subdomains.
What I would like is to have a system, where anybody can sign up on both pages and only has to log in in any of the domains and get access. ACL should still be managed separately for both domains, since I might use namespace names multiple times.
I looked through the list oft dokuwiki auth plugins, but I was not able to find anything usefull for this purpose. Another idea would be to just soft- or hardlink the auth data directory in the two installations. However this would still mean users would have to log in multiple times. Also I am not sure whether my hoster actually allows such directory links, or if this might mess up the two installations.
Is there any other way to create such a setup?
A DokuWiki farm setup might help with having the same user database for both sites. Symlinking the user file is another way.
More complicated is to share the cookies between both domains. I'm not sure how to approach this best. Maybe others can offer some ideas.
Well since this is on the same server just across your various subdomains I would imagine you would want to store the user info including logins in a shared database so that no matter which app/subdomain you insert their registration data and query for their login info from the same database. Then it's a matter of using PHP sessions for keeping track of if they are logged in across subdomains. There is already a length stack on how to achieve that here:
PHP Sessions across sub domains
Try setting the Cookie Domain to .yourdomain.com
This means your browser will deliver cookies to subdomains of yourdomain.com.
So cookies will beshared among www.yourdomain.com and wiki.yourdomain.com
I have two servers: the live server (mydomain.com) and the QA server (qa.mydomain.com). When I set cookies I set the domain as respectively ".mydomain.com" and ".qa.mydomain.com". One of these cookies, called "session_id" is used for authentication and login purposes. It is obvious that a cookie for one domain will not work on the other. However as I am prepending the dot to the domain PHP sometimes reads the ".domain.com" cookie on the QA server with the result that I am not able to login.
Are there ways to have PHP read the correct cookie?
Prepending the dot means it is valid also for all subdomains. So the .mydomain.com cookie is also valid for the qa.mydomain.com.
Now it's not just PHP reading the cookie; but also the browser sending the cookies based on which domain they are valid for.
Since you're in specific talking about the session cookies, you might want to look into using named sessions. For what I can remember, the name of a session is also used in the name of the cookie. Meaning you'd have a different session name for your live and test environment.
Otherwise removing the dot would also do the trick; but I'm guessing you do want it to work for www.mydomain.com, so I don't think it's a solution ;).
See http://se2.php.net/setcookie
The domain that the cookie is available to. To make the cookie available on all subdomains of example.com (including example.com itself) then you'd set it to '.example.com'. Although some browsers will accept cookies without the initial ., ยป RFC 2109 requires it to be included. Setting the domain to 'www.example.com' or '.www.example.com' will make the cookie only available in the www subdomain.
You say:
It is obvious that a cookie for one domain will not work on the other.
when .mydomain.com should match all subdomains. I would remove the dot.
PHP reads all the cookies sent by the browser. Since every .qa.domain.com host is also a .domain.com host, it's normal to get all the cookies.
You'll need to either change the domain names, or change your PHP code in order to be able to identify the cookies that should be ignored from the ones that shouldn't.
I dont think that it is a PHP issue. The web browser is supposed to send the correct cookie to the appropriate web server. Some browsers may be implemented in such a way that sub-domain cookies are also sent back on main domain request.
I'm trying to maintain a web site spread across two domains with the same host (one is actually in a subfolder of the other):
www.a.com -> /.../public_html/
www.b.com -> /.../public_html/b/
I have one script on a.com, let's call it public_html/readcookiedata.php, which reads in some session variables from a cookie. Another script on b.com, let's say public_html/b/index.php, needs to also read this cookie.
Right now index.php tries to require_once(../readcookiedata.php).
This works great if I visit www.a.com/b/index.php: the cookie is read OK.
However, if I browse to there directly, www.b.com/index.php, the cookie isn't read.
What's the best way to fix this problem? Is there a way for a.com to allow b.com to read its cookies? Or some way to configure the host to treat all requests to b.com as if they were for a.com/b/ instead?
No. Cookie security is built into the web at a browser level; browsers literally won't allow you to read data for cookies from other domains on pages served by a different domain.