I am trying to create subdomains for users as each has their own "website". (user.domain.com) This is all "virtual" as all the files, controllers, folders, etc are the same. Everything is dynamically created. I think I've got all the DNS, mod_rewrite, htaccess, etc stuff down, but I've got another problem.
The problem is when a guest (non-user) visits a user's website (user.domain.com). An example to illustrate this:
Guest types url with subdomain (btw, I'm using php) and controller dynamically loads up the user website based on the subdomain.
Guest clicks on a link on the page and gets a new page from server. Problem is that the new page doesn't have the subdomain anymore as all the links are the same. Only the content is different and dynamically loaded.
So the question is, How do I keep track of which subdomain the guest is on? Since the client is a guest and not a logged in user, I can't look at the logged in user's information.
I am just interested in ideas of what the best implementation would be. Should I keep some variable in the session and keep checking that on each page? Should I pass a POST/GET variable with each link and then have the controller read that?
$_SERVER['SERVER_NAME']
This will give you the domain, just keep it in the session.
Related
I have the following 4 sub-domains for my project:
www.mysite.com - public site, published pages etc.
my.mysite.com - normal users log in to this domain to create pages and other stuff
company.mysite.com - Company hasMany Employees that log in to this sub-domain to manage their pages and other stuff
admin.mysite.com - Admins of the site log in here to manage everything
--
Typically, I want to keep all 4 sub-domains separate. So a user logged in to my. should not be able to view company. unless they login their as well. I have managed to do this by creating the following middlewares:
auth:my
auth:company
auth:admin
Using the above I have different login views/routes etc. for the different types of users working correctly.
--
I needed a way to share sessions across the subdomains because when a user creates a Page on the my., they can publish it and it shows on the public www. (www.mysite.com/my-page)
What I needed is that when the User who owns the Page and is logged in to my., visits their own page on the www. sub-domain, an Edit button to show.
I managed to do this by sharing sessions across my subdomains by making the following change:
config/session.php
domain => env('SESSION_DOMAIN', '.mysite.com')
--
However, this messes up the logins for company. and admin., because when a User logs in to my., the session is shared across the sub-domains.
How do I share the sessions across the sub-domains but group them so something like:
domain => [
['www.mysite.com', 'my.mysite.com'],
['www.mysite.com', 'company.mysite.com'],
['www.mysite.com', 'admin.mysite.com'],
]
The sessions are shared because it's essentially the same application and you're presumably using driver = file or database.
To fix this, you can have multiple session tables per sub-domain.
Change your config/session.php file and make sure you're using database driver.
Create multiple copies of the sessions table, calling them company_sessions, admin_sessions etc.
Update your code (i.e. config/session.php file) so that the sessions table is based on the subdomain. E.g. create an if-else statement looking for the $_SERVER['HTTP_HOST'] and check it's a particular subdomain.
if ( $_SERVER['HTTP_HOST'] == 'admin.mysite.com' ) {
$config['table'] = 'admin_sessions';
}
The layout of your config/session.php may need to be changed to accomodate overriding the table and returning the correct value.
See if it works!
There are other ways you can achieve this, but this may be the simplest.
It may not work as you're trying to share sessions and don't want all sessions to be shared at the same time. You my have to compromise on the functionality and just stick with shared sessions.
I have a website and a CMS panel located in sub-directory in the website. In the CMS panel I have session variables in which I write the username, level access etc.
The problem is that in the website I need to have user registration and login. When I try to log in the website, the two sessions are ovewritting each other and the end result is that the website session doesn't change(the user can't log in) and the CMS session receives the variables from the website session.
I searched the problem and saw someone suggesting that the two session should be named and therefore separated. I have session name on the website's session, but when I tried to name the second one I got server error.
The other thing that I saw was that the website's session is new with every page refresh, and this doesn't happen in the other one.
I don't have session_destroy or session_unset(regarding the session refresh problem).
What can be the problem and how to fix it?
EDIT
Maybe "ovewritting" is not the correct word. When I try to log in from the website nothing happens. When I try to log in the CMS I have the CMS session array AND the website's session array. I want them to be separated.
I have a few domains all on the same server, with the same IP and the same databases - that can be accessed by all 5 of the domains.
I have recently remade my login system, so that on my main domain, the cookie works for not only the main domain but the sub domains as well. What this means is that if a user logs into one area, they are signed in everywhere. Which is great! I write a cookie with their hash (taken from the DB) and check for that when loading each page, and they are automatically securely signed in.
This is lovely, but the problem then comes when switching domains, as cookies seem to be locked down to domains. So my other domain (lets call it domain2.com) cannot read the cookie from domain1.com.
Are there any clever ways around this? I could write something to the database, such as IP, but that wouldnt be very secure as the company i work for everyone is on the same IP and therefore it wouldnt be specific.
Or I thought about maybe including a hidden iframe on the page, which actually links to a page on the main server, and pulls the information that way somehow.
I am not sure, but I am sure it can be done. Any ideas?
Browsers, for good reasons, do not allow cookies to be read from any other domain.
What you can do is have domain2.com redirect to a page on domain1.com which checks if the user is logged in and if they are it redirects back to domain2.com with the user's id which can then log them in.
You should not depending on original PHP session functions Collections.
Here is what I have done :
After login success , Server side should return a "session ID" to the browser and store by JavaScript or some how, mean while the "session ID" should be store in database as a successful signal and you do a login time next to the session ID if you needed.
Now you can share the session ID in any IP server you want and make your client connect to(some trick like you redirect to the new domain and post the SID) then establish a PHP session.
I am trying to write a php page that will load several different websites in different iframes. Several of those sites will need the user to login. What I need to do is basically allow the user to only type in the username and password once and then populate all the other forms (that are basically using the same user-pass pair for logging in)
Now i know that since those are external sites you don't have access to the DOM and XSS is not allowed and all, but i was wondering if theres actually any other way to achieve that.
Somebody actually suggested me to simulate keypresses and have a javascript that will basically go from field to field and essentially type in the username and pass but after doing some research I dont think thats possible since you can only simulate the event and not the actual keypress so...any other suggestions?
NOTE: I have also checked this but agreeing with the other sites/domains is not an option in my case!
Thanks -- Mike
that depends.
if those sites share a domain (the parent window and iframes), then it's possible for the top window to communicate with the child iframes. AJAX prevents cross domain (that includes inter subdomains) but iframes can communicate as long as they belong to the same top domain.
see https://stackoverflow.com/a/9338955/575527 and https://stackoverflow.com/a/9676156/575527
a better approach is to have a "top domain cookie" where that cookie is visible in all those iframes (assuming they are of the same top domain). login once using a single login page, then subsequent requests in the pages will need to check the cookie vs the session if that user is logged in.
or if those pages have different domains but access the same database, then one can just then pass the session id as a url parameter to the iframes rather than as cookies. then the website in the iframes will parse the session id and check in the database if those sessions are valid, are current, and are logged in.
all of which need additional CSRF and XSS checking as session IDs are in the open.
You cannot do what you describe in JavaScript.
However, depending on what you need to do with the data/websites once the user is logged in, you may be able to use a remote POST to simulate that behavior. See this question for more info.
Hi i have two wordpress sites, that are almost identical but have different domains.
What i need to make is when you login on one site of wordpress that it would login with same username and password on other site.
I know this could have some security issues, but this does not matter i just need to make this task.
I know the principals, how it should work, one page in login request other to login user with same username or other way around when you go into one site it checks if user is logged in in other one.
But how to do so in code ? php, wordpress, cookies ?
Ideas ? Functions ? How to send request by php ?
Thank you
Edit : Users are synchronized on both sites, user should not be able to see anything about second login. How to send such url request via php ? User logins in in one site by entering username and password it is automatically logged to other, if he come to second site he is already logged in.
RIP Steve Jobs !
Either you add the login and password to the URL to the other site or out could use an iframe or popup to open the other site for login, having the other site setting its cookie.
It all depends on how the user is intended to switch between sites.
Should there be links or might they open the sites independently?
Added solution.
One site could possibly redirect the user after login to the other site with a link that does the login, then the other site immediately redirects back to the original site.
This way you will not have problem with blocking 3:d party cookies.
But you will need to make a special login page for the redirects.
It's a lot easier to put one site in charge of logins in a master-slave relationship. Otherwise you get into a mess with conflicting lists and no audit trail.
Have you considered one of the plugins that work with the various auth servers like Google etc.? Then the sites may not need to talk to each other.
There's this from the wordstack site: https://wordpress.stackexchange.com/questions/3924/synchronize-wordpress-user-accounts-across-multiple-domains-and-installations-wit
EDIT:
There's this to get started.
http://willnorris.com/2009/03/authentication-in-wordpress-28
Maybe you could write a quick json server on each, accessible by the other. I've done
similar in a dozen lines of code or so (but not with wordpress). Let me know if you want more info.