I'm currently facing a following problem:
A main domain is running a particular PHP framework with framework specific sessions; now there is a new subdomain, which runs a different PHP framework, and I need to share the login session information from the main domain with the subdomain. I.e. users only register on the main domain, but once logged in, they will also be logged into their account on the subdomain. And it should also be noted that the subdomain cannot have access to the main domain db.
With these restrictions, I came up with the following solution: first I set the domain cookie to .mydomain.com, so I can access the session cookie on the subdomain. Next I implement a simple API call on the main domain, which returns loggedin status as well as other session information. The API url will have IP whitelist limited to the subdomain server, and once loggedin user comes from the main domain to the subdomain, the API url is requested with the users cookie serverside (cURL presumably). Once and if the user is authenticated this way on the subdomain, he is assigned a token for the particular session, and from there on I can manage that as a regular and separate session on the subdomain.
Now my question is whether you can see any flaw security-wise in this setup? Or suggest any improvements or a more preferable way to do this...
Thanks
For me, i think i will use single sign-on concept. Once user logs-in through any of domain or sub-domain, generate access-Token for that user, sign-in.
After that use that same access Token to check and authenticate user for different domain names, instead using separate sessions. This might lead to session hijacking and difficult to manage multiple sessions. Once session is created, allocate access-token, with access rules. This will make seamless process for sign-in and easy to manage as well.
For more information look to search Single Sign on or OAuth 2.0 protocol.
Related
I have one WordPress site and an app in codeignitor, App uses its own database to store user and plan details.
Now I want to simplify it like My user can log in to my WordPress website and after successful login I want the login information to forward to the app so that the user can go to the app.
Directory structure:
For Worpress => root->wordpress
For App => root->app
On the same domain hosting.
I want the user's to use WordPress login to access App and manage their profile.
No idea how to proceed. Any suggestions
The most logical way to do this may be to use the cURL. Still, it is impossible to do so because such solutions cannot launch cookies or sessions in your browser and eject your client (essentially a security mechanism). You can try to resolve this by redirecting a user, or the most logical way is to use wordpress api support or capture the data using XML-RPC.
As an update. If both sides are on the same domain, you can try to eject the cookie or the session to the side you want to log in to. If it is under different domains, unfortunately, this suggestion will not work.
I have a marketing application that is on the main domain (www.example.com ), and an admin application that is on the subdomain(accounts.example.com ). A user would visit www.example.com , register/login and gets redirected to accounts.example.com. My problem is that my session cookie from www.example.com is being overwritten when a user is redirected to accounts.example.com.
Both applications are using the same session cookie, but the accounts application always overwrites it. My data that was set for the session is no longer available after being redirected to the subdomain (unavailable in both domains). Anyone have an idea how I can approach this problem? Thank you!
Web servers usually do not permit session data to be shared across domains, or even sub domains. For that purpose, you must store the session data in a place where it can be reached across domains... e.g. a database.
How should I login a user to ONLY to their own subdomain from a main domain? (btw, I'm using Yii. Raw PHP ideas would be welcome too, but I'd like Yii compatible ideas)
I've looked at other questions such as this one but they seem to log the user into ALL subdomains. (basically they seem to be basic sso authentication, which is NOT exactly what I want)
Each user in my app has their own subdomain. They visit the main domain website (so no subdomain yet) and then login. In the login process I need to log the user into their subdomain and then redirect them to their subdomain. In other words, I need to transfer their login session from the main domain to their subdomain, but I can't seem to get this working.
I also tried using the CHttpSession class that Yii provides to set session vars and stuff, but that hasn't been working either.
I'd appreciate any help.
There are 2 domains on one server. If user is logged on one domain he has to be logged on the another domain too.
How to make cross-domain authorization in php on one server?
I solved it for sub-domains, but can't solve for different second-level domains.
The main problem is that the cookie isn't send by the browser if you're on another domain.
You can't make the browser to write a cookie for another domain, too.
What can be done is send a unique token to the other domain, and when validated, write a cookie on the second domain. That can be done when authenticated, using an iframe or a double-redirect (iframe cookies are blocked by some browsers, like safari). The unique token will have to be validated by the second domain, and then invalidated (removed) so it can't be used again by another user (man in the middle attack).
You must research for CAS and implement it depending on what framework you are using. For example, in my Zend application I would use Zend_OpenId and Zend_Oauth .
I am working on a project using zend framework, php, mysql on ubuntu.
I have created hostname test.dev on my local machine and using zend authentication. When an user is authenticated using zend authentication, I set session variable for logged in user id. I use this session variable(userid) on different pages to sure authentication.
Question:
Now I have to create a subdomain. I have created a new hostname mypage.test.dev on my local machine. Both hostnames are pointing to same directory, for example /var/www/test/public. But when I login on test.dev, I have to login again on subdomain mypage.test.dev. Even session variables of test.dev are not accessable on mypage.test.dev.
How can I login on all subdomains using one login?
Thanks.
Session variables are stored specific to each specific domain address. And so if a website is coded poorly and you login to http://mydomain.com and then later access the site as http://www.mydomain.com, you will encounter the same error.
One possible solution to this is to setup a webservice that allows you to access the other domain and retrieve any stored session variables as well as authenticate the user. So for example, if I login to test.dev and then later go to mypage.test.dev, a call will be issued to test.dev/auth-service/ by mypage.test.dev to authenticate the user and if it is successful, then return all stored session variables so that they can be stored by mypage.test.dev.
Perhaps a cleaner approach would be to always access session data only from one domain or the other and to always access it strictly through the web service so that the interface to session data remains consistent across both sites. This does present a possible performance though since it is obviously faster to simply access session directly rather than through a web service.
You are looking for this:
http://blog.pracucci.com/2008/09/24/zend-framework-and-session-cookies-across-subdomains/
After some time I have got my solution.
I added following line into config.ini
session.cookie_domain = .test.dev
then added the following line into Bootstrap.php
Zend_Session::setOptions( $this->getOption('session') );
and session variables are working for all subdomains of test.dev