I got a system, where each client has their own subdomain. The users can log into the system directly from their own subdomain, but I want to add the opportunity to login directly from the domain, and afterwards send them to the subdomain.
It is important that the session is only set on the actual subdomain, and not on any other subdomains or the main domain.
All login-processes are made through jQuery/AJAX.
I've tried the following:
On domain.com a user fills out the login-form, and a call is made to domain.com/ajax/front-login.php
From this AJAX-file the user is validated, the subdomain that the user belongs to is found, and a PHP POST-call (through file_get_contents) is made to subdomain.domain.com/ajax/sub-login.php. This file validates and sets a SESSION.
From the callback it looks like everything is done correctly, but the session is not set on subdomain.domain.com
I hope it makes sense. Any suggestions?
Add ini_set('session.cookie_domain', $subdomain.'.domain.com'); to the beginning ofsubdomain.domain.com/ajax/sub-login.php, where you feed $subdomain with it's name.
Remove session_start() from front-login.php or atleast wrap it in a if () statement if there is no subdomain.
Related
I tried to set cookies for embedded shopify app in php.
setcookie("user", 'test#domain.com', time()+3600, "/", "example.com", 1);
It works properly but if we are logged in with 2 shopify sites and if both opens the apps together in same browser, cookie value gets updated and same cookie gets set for both which causes same data to show in both places.
Cookie/Session works based on domain and will be unique.
suppose your app domain is example.com and you save logged in domain in session as
$_SESSION['logged_in_store'] = 'store1.myshopify.com'
when the second store login to your app this variable will simply updated as single session will work on this domain.
As a solution you can make use of wildcard subdomain
enable wildcard subdomain from your DNS.and when store login to your store redirect them to unique subdomain..... like store 1 will run on below subdomain
store1.your-app-domain.com
store 2 will run on
store2.your-app-domain.com
so on.. each store will run on different wildcard subdomain. and this will resolve your session / cookie conflicts.
Hope this will help.
I use OAuth to authenticate at an external website. Everything is okay but the session variable misses after redirecting from external websites.
Summary:
I store a session var in my website then go to login page of other website. After logging in and confirming, it redirects to my callback, when I check the previous session var, it misses! How to fix it?
I tried to call session_start() everywhere I use session but it doesn't work. Of course I enabled session in "php.ini" and enabled cookie in browser. :) I debugged but can't find the reason out.
Update:
After storing my session var, I do a request like this:
http://mixi.jp/connect_authorize.pl?oauth_callback=http%3A%2F%2Fmypage.com%2Fcallback.php&oauth_token=fjdklsfjlksd
Note the oauth_callback, it is the redirect URL. I don't know what mixi.jp use to redirect.
Make sure your site's domain is 100% identical before and after the redirection.
Note that
www.yoursite.com
and
yoursite.com
are two different sites cookie-wise.
The session id is stored in a cookie. The cookie is send in every page of the domain you registered in. Whe you jump to another domain, your cookie with the session id is not send. You must pass the session id to your new domain and then create a new cookie in this domain with the session id.
header('Location:redirect.php?session=' . sessionĀ_id());
And then in the redirected page restore the session
<?php
session_id($_GET['session']);
session_start();
I've a Code Igniter project using database backed sessions. The web application is password protected, meaning that I have an abstract controller checking if the user is logged in before I allow him to see any pages, apart from the login form.
While I had no problems implementing this, I'm having some difficulty understanding how to make the application redirect the user to the page he wanted to see if he need to login first.
How it goes: the user is logged out and types in a URL. The application detects he's not logged in so send him to the login page and creates a row in the ci_session table. At the same time I store the url the user entered in the session object using either flashdata or userdata. My problem is that once the user logs in, the application will create a new row in the database, meaning a new session, completely ignoring the values I stored previously.
Shouldn't it be one row per session?
The CI URL Helper has a redirect function that you can use. http://codeigniter.com/user_guide/helpers/url_helper.html
Does a "header redirect" to the local URI specified. Just like other functions in this helper, this one is designed to redirect to a local URL within your site. You will not specify the full site URL, but rather simply the URI segments to the controller you want to direct to. The function will build the URL based on your config file values.
The optional second parameter allows you to choose between the "location" method (default) or the "refresh" method. Location is faster, but on Windows servers it can sometimes be a problem. The optional third parameter allows you to send a specific HTTP Response Code - this could be used for example to create 301 redirects for search engine purposes. The default Response Code is 302. The third parameter is only available with 'location' redirects, and not 'refresh'. Examples:
if ($logged_in == FALSE)
{
redirect('/login/form/', 'refresh');
}
// with 301 redirect
redirect('/article/13', 'location', 301);
I think you're misunderstanding how sessions works between a browser and your web application. When a user opens your login page, they are assigned a unique session ID which codeigniter keeps track of. Unless your session gets expired, either forcefully by logging out or due to your own session expire settings, codeigniter should only be writing 1 row per unique session in your database. Make sure you have your sess_expiration variable in config.php set to something realistic.
I don't see how removing the underscore from your cookie name could have fixed this, as the name has nothing to do with how sessions work in general.
You can user something like this.
When the user tries to access a page like
http://test.com/userpage.php
If he is not logged in, redirect him to
http://test.com/login.php?redirectpage=userpage.php
(This redirect will be done by userpage.php after checking the login status from the cookie or the session.)
The login page has the value "redirectpage" and once the user logs in at the login page, redirect him to the page he was previously trying to visit.
You will have to check the user login status in all the pages that you need the user to be logged in.
Solved it.
My problem was not how to redirect or how to store data. My problem was the application creating two sessions per request.
I changed the name of my cookie to something that didn't include underscores and voila, fixed. One session per request and everything works as it should.
I need to use the same session in different subdomains.
First I put
php_value session.cookie_domain ".aaaa.com"
on .htaccess file and upload it to root path.
when I need to use sessions. I just call
session_start();
Sometimes it works but sometimes it doesn't.
I tested this and found that.
If I go to login page the first time, then login and go to subdomain page. It works!
If I go to subdomain page and click to login page and go back to subdomain page by javascript window.location = 'http://sub.aaaa.com'; it does not work!!
If I login on 2 web browser with the same account it does not work!!
Are there another way? Or how do I fix this problem. I want my website to use a single login.
Make sure you have session_start() on every page you are using sessions, including some that might not be visible to the user.
If you are using two web browsers the sessions are independent from each other, and this is by design.
To debug your #2 problem, use an HTTP monitor such as HTTPFox to view the headers coming to/from the server as you log in and surf around, make sure the cookie is being properly set with the correct domain and path restrictions.
Probm #3 - I'm not sure what you're getting at. Are you using two seperate browsers (say Firefox and Chrome?), or do you mean you're using two windows/tabs of the same browser? For the first, two different browsers will not share cookies, so you can't share a single session between them, without doing some hacks to manually transfer cookies between them.
As for two different tabs/windows of the same browser, such an implementation depends on your login logic. If the login script starts a new session unconditionally, then you second login attempt will get a completely seperate session from the first login, and most likely overwrite the first login's cookie as well.
I have a small problem.
How do I set a cookie for multiple domains?
I do understand the security problems, and I am sure it has been done before. The reason for this is SSO.
ie.
account.domain.com will need to set domain logged in for:
domain.com,
domain1.com,
domain2.com.
Is there any easy way, using PHP and cookies, or any alternatives?
There is absolutely no way for domain.com to set a cookie for domain1.com. What you are attempting to do can only be solved by getting the user's browser to submit requests to each domain which will then set its own cookie.
Then you need a way for each domain to verify the user's identity. There are two approaches to this:
Back channel - the sites contact each other directly to determine if a user is logged in.
Passing a token in the GET or POST - when the user's broweser is redirected to the other site a digitally signed parameter is passed containing the identity and session status.
It's really quite complicated. I suggest you don't roll your own. Take a look at SimpleSAMLPHP for a PHP implementation of what I'm describing.
What you're attempting can't be done. (It's a browser security issue, not a PHP one.)
Other than using some form of off-site authentication, the nearest you can achieve is making a cookie accessible across sub-domains, in which case you just use the optional 'domain' arg of PHP's set_cookie function.
This can be done via one domain acting like a master and others like a slave.
Say we've got a domain accounts.domain.com and it's our master.
Then we've got our slaves domain.com, something.com and another.com
When you'll log on on domain.com, it'll be actually site accounts.domain.com, then you'll get a cookie with unique ID for your browser and then you'll be redirected to domain.com's post-logon landing page (ie. domain.com/logon?check=true&unique-id=<browser unique id>&request-id=<unique request ID>). the landing page will contact the accounts.domain.com, querying it with the browser ID. If the transaction's okay, then you'll get logon cookie from domain.com.
Next, on every domain (domain.com, something.com and another.com) will be initial redirect to accounts.domain.com/roaming-check?return-url=<URL the redirect was initiated from>. Because we're returning home (we're logged already on accounts.domain.com), we'll be redirected again on our landing page (<domain name>.com/logon?check=true&unique-id=<browser unique id>&request-id=<unique request ID>) and from this point it's the same as the part with logging on. We're seamlessly roamed to another domain (without user knowing it as browsers doesn't usually show the redirected page until it passed the headers send(server)/receive(browser) section).
In case there's in fact no active logon, the site will save this "negative logon" to session and not try to check logon anymore (until we try to logon or load another domain).
I think this solution will suit your needs: "Simple Single Sign-On for PHP"