I have a web application where I intend to give each client their own subdomain, like client1.myapp.com, client2.myapp.com, etc. When a user logs in, I store their user ID in the session variable, like $_SESSION['user'] = 4; When $_SESSION['user'] is set, the user is logged in and can access the application. Since user IDs are only unique within each individual client, I need a way to keep users from accessing other clients' subdomains. I considered using the session cookie for that, but then I figured cookies can be hacked. Now I'm thinking of assigning each client a unique client ID and using $_SESSION[$clientID]['user'] instead of $_SESSION['user']. Is that a safe way of solving the problem? What other options do I have?
There's nothing wrong with your $clientID approach.
If you want to get fancy, you could do something like use session_set_cookie_params so the same PHPSESSID cookie could be accessible to all domains and subdomains. This has its benefits especially if your centralized log-in page needs to detect if the user is logged-in for a particular domain or subdomain. Or if you wish to allow a user to log out from all subdomains at the same time, or if you'd like to create an administrative account which can access all subdomains.
Never trust the session id being sent, even if the cookie is tied to a specific subdomain, since the sessions for all subdomains are being stored in the same directory on the server.
A solution for this might be: ini_set(session.save_path, "/path/to/your/folder/$clientid") then you'd have a unique directory dedicated for each client for storing sessions. The benefit of this approach is that your $_SESSION won't contain information related to another subdomain.
You can also take advantage of sesssion_name so instead of PHPSESSID you could use client1 or client2 to it's clear which client the session belongs to.
e.g. client2=8d72edf35377a27388cb;client8=b47277bc8e3d4a5f
then PHP can read this cookie and know the client the session exists for.
You can also use a combination of all of the above, whatever works for you.
See the session-related functions here: http://php.net/manual/en/book.session.php
And the session-related settings here: http://php.net/manual/en/session.configuration.php
Try something like this. I hope this will help.
When a user logs in, store their subdomain in the session variable like:
$_SESSION['user_subdomain'] = 'client1.myapp.com';
And when $_SESSION['user'] and $_SESSION['user_subdomain'] is set, the user is logged in and accessing the application then just check the current accessing application's subdomain is equal to $_SESSION['user_subdomain'] or not.
By using this way you can redirect a client on its correct application's subdomain, if he tried to access other clients' subdomains. In this way you can keep users from accessing other clients' subdomains.
Related
I have a few domains all on the same server, with the same IP and the same databases - that can be accessed by all 5 of the domains.
I have recently remade my login system, so that on my main domain, the cookie works for not only the main domain but the sub domains as well. What this means is that if a user logs into one area, they are signed in everywhere. Which is great! I write a cookie with their hash (taken from the DB) and check for that when loading each page, and they are automatically securely signed in.
This is lovely, but the problem then comes when switching domains, as cookies seem to be locked down to domains. So my other domain (lets call it domain2.com) cannot read the cookie from domain1.com.
Are there any clever ways around this? I could write something to the database, such as IP, but that wouldnt be very secure as the company i work for everyone is on the same IP and therefore it wouldnt be specific.
Or I thought about maybe including a hidden iframe on the page, which actually links to a page on the main server, and pulls the information that way somehow.
I am not sure, but I am sure it can be done. Any ideas?
Browsers, for good reasons, do not allow cookies to be read from any other domain.
What you can do is have domain2.com redirect to a page on domain1.com which checks if the user is logged in and if they are it redirects back to domain2.com with the user's id which can then log them in.
You should not depending on original PHP session functions Collections.
Here is what I have done :
After login success , Server side should return a "session ID" to the browser and store by JavaScript or some how, mean while the "session ID" should be store in database as a successful signal and you do a login time next to the session ID if you needed.
Now you can share the session ID in any IP server you want and make your client connect to(some trick like you redirect to the new domain and post the SID) then establish a PHP session.
Lets say we have a user, he logs in and browses the site like usual. Then we have lets say... the brother of this user and he wan'ts to login to the same account from a different ip or a different browser. Is it possible to check if redis has a current active session and deny access for this very reason to prevent multilogin for the same user?
First, what does your question have to do with both php and node.js tags? In which one did you tried to implement your case?
Secondly, whatever the environment might be, what is stored into Redis depends on what you decide to store besides the session data. Usually session data stores a random sessionid and a userid associated to it. Nevertheless, in some cases you can chose to associate a session to a user than has not yet authenticated, therefore storing a session without any user associated to it.
Preventing concurrent user access from different IPs has more to do with the authentication mechanism, rather than session logic.
One approach for preventing concurrent logins from different IP address is to save a map of active users like <userid, ip>. Then after you check the credentials, you also check that map to see if the user is active from a different IP address. In that case you can deny the authentication.
This solution also implies some clean-up mechanism for users that do not safely logout, which is very similar to the session clean-up (time_to_live). To take advance of the existing implementation, you can add an IP address field to the session storage along with the userid at authentication using the same logic for authentication as previously described. The session will now look like <sessionid, userid, ip>. It's just a way to piggyback on the session storage and take advantage of it's clean-up process.
I have a two diff. project on my XAMPP say it is Project1 and Project2.
When i login with Project1, i check authentication and if it is successful then stored session. The session name is $_SESSION['username'].
The above process is same with Project2.
now,to prevent direct access,i use this code(in both project):
if($_SESSION['username']=="")
{
header("location:index.php");
}
so when i login with Project1, i am also access Project2(without login).
To prevent this, i know that if i create diff. session name for both project then it is solved.
The above thing is in my local server. so i can create diff. session name for my all project.
But suppose my site is online and what happen if my session name is match with diff. site?
There is a millions of websites and there is a possibility that my session name is match with another website's session name.Then this might be happen that some user access my website with another website(in same browser) and he might be access my site without login.
So what happen if session is same for two diff. website? Can user is access my website without login?
If yes then what should i do to prevent it?
Thanks in advance.
UPDATE
according to #Let me see's answer there is a possibility that if two sites are running on the same server then they may share the data.
So suppose the server is sharing then what should i do to prevent it?
Sessions are (usually) stored using cookies, and cookies are domain-specific. So, it doesn't matter if google.com or evilhackerdomain.ru uses the same session name as your app; your cookies are only readable/usable by the domains you specify. Even in the unusual scenario that sessions are managed in some other way, it will be domain-specific.
So suppose the server is sharing then what should I do to prevent it?
To answer your follow up question. You can simply name your session on a specific website using session_name() before your session_start().
session_name('PROJECT1');
session_start();
this one-liner should do it.
Normally the sessionID of the sessions is stored in a cookie and it is related to the hostname and it can be shared by the multiple hostnames having the same domain. and as it is obvious that sessions are stored on the server . So there is a possibility that if two sites are running on the same server then they may share the data..Therefore you should always change the path for storing the sessions on the server for every different website
PHP Sessions are stored in Server. So there won't be any clash between same session names when you go live. Remember, You still have option to store your session in database, which helps you with more secutiry.
Nothing will happen. Because the other Site uses its own database (with own session and user tables). It would only matter if two Sites share the same Database, same tables and same session handling.
User cannot access without log in because of following reasons,
The session data is stored on the server. If two applications are running on the same server and the same domain name, then the possibility is there for them to share session data. Otherwise no conflicts with session values, if the domains are different.
I think if we use a security algorithm like MD5 to encrypt the session which you'll using to login. That will work without problem. For example:
$name_session='username';
$name_session=md5(md5(md5($name_session));
$_SESSION[$name_session]="username_logged";
I have a web application that's deployed at http://myserver/app1, I've also got another instance of the application that's accessed at http://myserver/app2.
Basically, when I log into app1, I am also logged into app2as. Obviously each instance of the application is identical.
What would be the best way of restricting each instance of the application to be unique and completely independent, so authorization and authentication was applied on each instance individually?
You could change the name that the cookie uses for the second app. If it's using $_SESSION just use session_name(). You're going to need to run that before anything else.
You could use a different session name, but it would be more appropriate to change the domain or path on the session cookie using session_set_cookie_params()
I have done a redirection from www.abc.com to www.def.com using .htaccess.
The redirection is successfull but I have a problem whereby the cookies and session can only be accessed when I access the website using def.com.
The session will be missing when it is checked from abc.com.
How to copy or read the session at def.com?
Please Help me.
well you can't do it simply. Maybe see this post ?
Your cookie containing your session id (and therefore, your entire session) is only valid on the domain where it is created. So when you change domains, the cookie is no longer available. To work around this, you could send the session ID to the new domain (which is not very safe, but you might not care), and then creating a new cookie and session for that domain.
This is called "cross site scripting" (XSS) and a lot of people work very hard to make sure that what you want isn't possible. If you do find a way to do it, be sure to let us know, because that would be a MAJOR security breach.
You can only share the same session on both domains when you have access to the session data storage from both servers. Depending on the session data storage type and location, you might need to write your own session storage handler.
Besides that, you also need to make sure that the same session ID is used on both domains. If you want to use cookies for the session ID, you can only do it when your domains share a common super-domain, so they are sub-domains of the a domain like foo.example.com and bar.example.com share the super-domain example.com. In that case you need to adjust the session cookie parameter domain and set it to value .example.com for the super-domain example.com.
Otherwise, like in your example where the domains do only share com as a top level super domain, you can’t use cookies (in the first place). But you can use the URL to transfer the session ID from one domain to the other domain. To do that you need to enable session.use_trans_sid and disable session.use_only_cookies (both at least on the redirection target domain) and append the session ID to every URL pointing from one domain to the other (here you can use the SID constant).