Same URL without www different session - php

I have the following issue (that I know many of you probably have or had), but I still haven't found an explanation anywhere that satisfies me, or at least a proper solution.
In the session script of any of the sites that I make, if the user goes through the domain using www.domain.com and logs in, but then in a different tab he goes to the same page without the www. (domain.com), the session hasn't been started in that one.
I have found these two questions on Stack Overflow, but neither of them offers a real solution or at least an explanation of this behavior.
different session with url's with-www and without-www
PHP session login different for url with www and without www?
OK, to get to the point: these redirections and rules don't work in my case.
Why? Because I'm working with a payment provider that uses cURL to retrieve some data I send to them, and when they send the response back to me, they use a default URL which I have to give to them. Currently they set up the address as www., but what if one of my users goes to a specific page of the site using the domain without the www.? When I get the response from the provider it goes to www.site.com, and the user there is not logged in, and no actions can be applied.
Any help in this please?
Thanks
Cheers.

As said there http://www.php.net/manual/en/function.setcookie.php
Cookies available to a lower domain, such as 'example.com' will be
available to higher subdomains, such as 'www.example.com'
So just do
session_set_cookie_params(0, '/', 'yourdomain.com');
without www
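An added example, not part of the answer above: the same setting in the array form available from PHP 7.3, followed by a small RFC 6265 domain-match check that shows which hosts end up receiving the session cookie once its domain is the bare `yourdomain.com`. `cookie_reaches()` and the sample host names are assumptions made for this example, as is the site being served over HTTPS.

```php
<?php
// Added example: scope the session cookie to the parent domain so that
// yourdomain.com and www.yourdomain.com share one session.
// Call this before session_start(). The array form needs PHP >= 7.3.
session_set_cookie_params([
    'lifetime' => 0,                 // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => 'yourdomain.com',  // placeholder from the answer, without "www."
    'secure'   => true,              // assumption: the site is served over HTTPS
    'httponly' => true,              // not readable from JavaScript
    'samesite' => 'Lax',
]);

/**
 * Hypothetical helper: RFC 6265 section 5.1.3 domain matching.
 * Returns true if a cookie with this Domain attribute is sent to $host.
 */
function cookie_reaches(string $cookieDomain, string $host): bool
{
    $cookieDomain = strtolower(ltrim($cookieDomain, '.'));
    $host = strtolower($host);
    if ($host === $cookieDomain) {
        return true;
    }
    // Suffix match on a label boundary; IP addresses never suffix-match.
    $suffix = '.' . $cookieDomain;
    return !filter_var($host, FILTER_VALIDATE_IP)
        && substr($host, -strlen($suffix)) === $suffix;
}

// Constructed sample hosts: every subdomain matches, not only "www".
$hosts = ['yourdomain.com', 'www.yourdomain.com', 'pay.yourdomain.com', 'notyourdomain.com'];
foreach ($hosts as $h) {
    $sent = cookie_reaches('yourdomain.com', $h) ? 'receives cookie' : 'no cookie';
    printf("%-22s %s\n", $h, $sent);
}
```

With the domain set this way, every host under `yourdomain.com` receives the session ID, so each of those subdomains has to be trusted as much as the main site.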

Related

PHP cake subdomains session link problem?

I have a problem with PHP cake sessions and subdomains. I have set everything up successfully. When I try to go from
subdomain1.domain.com
to
subdomain2.domain.com
everything works nicely when I put these URLs in the browser... The problem comes when I try to do this with an <a href=""> tag: on the redirected subdomain I receive a new session ID.
I can't explain to myself how this is possible; a pure PHP script works fine, but in PHP cake there is this bug! Thanks for any suggestions...
OK, I debugged the whole PHP cake session component and lib, and I figured out 2 solutions:
easier - set the security level to low in core.php
Configure::write('Security.level', 'low');
advanced - make a new config file for sessions, like Ivo said; it's in the tutorial http://book.cakephp.org/view/1310/Sessions. The most important thing is to set
ini_restore('session.referer_check');
because by default PHP cake checks the referrer, and if the request does not come from the same domain it will generate a new session ID
I don't think it's related to Cake.
By default, PHP will give you a session for the domain.
subdomain1.domain.com is a domain,
subdomain2.domain.com is another domain
domain.com is another different domain
www.domain.com is another different domain
All those examples are 4 distinct domains, each with their own session.
If you want to share the session between many (sub)domains, you can try to set the session.cookie_domain variable, like this:
ini_set("session.cookie_domain", "domain.com");
Try using this instead:
http://book.cakephp.org/view/1310/Sessions
Follow the directions to create custom configuration for cake's session saving.

Detect Domain Change?

Is it possible to detect source of web forwarding?
For example,
Domain A redirects to Domain B where Domain B has PHP hosting?
Basically I would like something like the following:
if ($was_redirected_from_domain_a) { ... }
As #MoarCodePlz and #Christopher Armstrong point out, $_SERVER["HTTP_REFERER"] is the solution.
However, in your specific case, two redirects take place:
http://fhc.quickmediasolutions.com/image/-1457172086.png
This way, the original referrer info is lost. You will need to disable the second redirect, and run your PHP in my-art-gallery.co.uk's index page.
Update after seeing the phpinfo() output:
$_SERVER["HTTP_REFERER"] is indeed completely non-existent.
I suspect the culprit is this configuration setting:
suhosin.server.strip = On
Your hosting company is running the Suhosin PHP patch, which allows removing certain data from the PHP page for enhanced security. You may need to ask them to activate HTTP_REFERER.
The only other way would be redirecting domain A to something like
domainb.co.uk/index.php?camefrom=domainA
You could then fetch the domainA argument through $_GET["camefrom"] - if the hosting provider's control panel allows that sort of redirection.
What you need to look at is known as the url referrer of the page. The url referrer is the url from which the current user made it to the site. Be careful, though, as the url referrer will be nonexistent if the user opened up a tab and simply typed in the url.
The url referrer should be able to be found using the following:
$myVar = $_SERVER['HTTP_REFERER'];
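As Pekka said, it depends on how the user was forwarded. Try checking the $_SERVER['HTTP_REFERER'] value:
// The header is optional, so check that it is set before comparing.
if (isset($_SERVER['HTTP_REFERER']) && $_SERVER['HTTP_REFERER'] == 'mydomain.com/mypage') {
    echo 'Came from mydomain';
}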
$_SERVER["HTTP_REFERER"] is not a reliable solution. There are different cases where it does not work.
HTTP_REFERER does not contain the URL of the page that redirected, but the URL of the page where the user clicked.
E.g. On the page example.com is a link to t.co/somelink, which redirects to yoursite.com.
$_SERVER["HTTP_REFERER"] will contain http://example.com, and there is no way to know that your visitor was redirected to your site from a Twitter short URL.
The only way to know that the user came from your twitter link, is to include a $_GET parameter, like already proposed: Let the link t.co/somelink redirect to yoursite.com/?camefrom=twitter.

how to track from where visitor come to my site php

I want to track the site URL from where user reached my site.
From where he came, i.e., Google, Gmail, Facebook, etc.
I tried $_SERVER['HTTP_REFERER'], but it does not contain anything when the user clicks on my site link from any external site, but it contains a value when I navigate among my site's pages, and this is also not trusted.
So, what can I do from here?
Is there any other way to track the external URL through PHP?
Any idea?
EDIT: Now HTTP_REFERER is able to get the URL from most sites, but it is not able to get the URL if the user came through Gmail and AOL. What could be the cause?
HTTP_REFERER is the only way to get any information about the previous site.
And it is also up to the browser whether it supplies that information; most do by default.
It's a header that is set by the browser in the request to your server; if it is not present, then you will never know where the user came from.
If the browser is sending it and you still do not get anything on the server, check if you have any code that interferes with the $_SERVER variable.
Try this URL; it's a Google search result that goes to a page that just dumps the HTTP_REFERER.
As the page indicates, if the box lists (none), then your browser is not sending HTTP_REFERER, but if you get a result then the problem is in your server.
http://www.google.com/url?sa=t&source=web&cd=1&sqi=2&ved=0CBIQFjAA&url=http%3A%2F%2Fkarmak.org%2F2004%2Freftest%2Ftest&rct=j&q=http_referer%20test&ei=cNQ2TdGYGsmUOp_ExPoD&usg=AFQjCNFVSmYmQBUcL2l3_ZpmZzVWZztjWg&cad=rja
You can compare it to when you load the page without Google redirecting you:
http://karmak.org/2004/reftest/test
Here is their own start page with link:
http://karmak.org/2004/reftest/
Have you tried it in a variety of browsers? It's down to the browser (As far as I'm aware) to set HTTP_REFERER and sometimes privacy settings can prevent this.
Visitors coming from Google can be tracked using Google Analytics; it gives you the search query terms used before.
This solution also tracks a lot of other things about your visitors. I understand it's not PHP based, but it's the only other kind of solution I know if HTTP_REFERER is not enough for you, and as you quoted Google...
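An added example, not from any of the posts, covering both referrer threads above ("Detect Domain Change?" and this one): it prefers an allowlisted `camefrom` tag and falls back to the host part of the Referer header, treating a missing or malformed header as a normal case. `visitor_source()`, `KNOWN_TAGS` and the sample requests are assumptions made for this example.

```php
<?php
// Added example: classify where a visitor came from using the two signals
// discussed above. Both are supplied by the client, so use the result for
// statistics only, never for access decisions.
const KNOWN_TAGS = ['twitter', 'domainA', 'newsletter'];   // constructed allowlist

function visitor_source(array $server, array $get): array
{
    // 1. Explicit tag added to our own links (?camefrom=...). It is checked
    //    against the allowlist so arbitrary text never reaches logs or reports.
    $tag = $get['camefrom'] ?? null;
    if (is_string($tag) && in_array($tag, KNOWN_TAGS, true)) {
        return ['type' => 'tag', 'value' => $tag];
    }
    // 2. Referer header: absent for typed URLs and often stripped by browser
    //    privacy settings or by the referring site.
    $ref = $server['HTTP_REFERER'] ?? '';
    $host = is_string($ref) ? parse_url($ref, PHP_URL_HOST) : null;
    if (is_string($host) && $host !== '') {
        // Still client-controlled text: escape it wherever it is displayed.
        return ['type' => 'referer', 'value' => strtolower($host)];
    }
    return ['type' => 'unknown', 'value' => null];
}

// Constructed sample requests: tagged link, plain referrer, bad tag, bad header.
$samples = [
    [['HTTP_REFERER' => 'http://example.com/page'], ['camefrom' => 'twitter']],
    [['HTTP_REFERER' => 'https://www.google.com/url?q=x'], []],
    [[], ['camefrom' => '<script>']],
    [['HTTP_REFERER' => 'not a url'], []],
];
foreach ($samples as [$server, $get]) {
    echo json_encode(visitor_source($server, $get)), "\n";
}
```

In a live request the call would be `visitor_source($_SERVER, $_GET)`.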

Logging in a user across different domains

Two years ago I had to design a system to share authentication data across multiple domains; all of them shared the same server/db. I was able to pull this off with a complex system of cookie sharing which, to date, still works.
I'm now in the process of redesigning the system and I was wondering if there are better ways to achieve this without having to write cross domain cookies.
Basically the system MUST do this.
Once logged in on one site, the user must be logged in on all of the other sites seamlessly, not only when following a link, but even when directly writing the domain name in the address bar.
To my knowledge the only way to achieve this is cross-domain cookies; if there are alternatives, please tell me.
Thank you very much
My idea would be to include a login JavaScript from a third domain which gets included in all sites. This JavaScript sets and reads the session cookie and calls the current domain's server via AJAX with the result. (No validation should be done in the JS - this simply sets and reads the cookie)
If cross-domain AJAX does not work, you can still call the third domain's server, which acts like a proxy and calls the current domain's server.
The StackOverflow sites have implemented something similar to this. Check out the details at the following links.
Here is a post giving an outline of how they did it.
And here is even more detail.
For this you do have to use cookies, but you can vary what you store in the cookie. The cookie doesn't have to contain user credentials but can instead contain something more like a token that you use to "centralize" your sessions.
The easiest way would be to let all hosts share a single memcached server and use the content of the user's cookie as your key.

Cross domain cookie tracking

The company I work for has four domains and I'm trying to set up the cookies, so one cookie can be generated and tracked across all the domains. From reading various posts on here I thought it was possible.
I've set up a sub domain on one site, to serve a cookie and 1*1 pixel image to all four sites.
But I can't get this working on the other sites.
If anyone can clarify that:
It's possible?
If I'm missing something obvious or a link to a good example?
I'm trying to do this server side with PHP.
Thanks
Are you having issues due to Internet Explorer and their Privacy stuff?
Session variables are lost if you use FRAMESET in Internet Explorer 6
Back in my former internet days, when IE6 first came out, we had to implement this because it broke some of our tracking. It's amazing that all you have to do is fake it, and everything works fine.
You're on the right track; we had a domain that hosted the tracking CGI that served the 1x1 transparent pixel and tracked what page a user was visiting. We then had a custom parser that would combine that data with Apache logs and dynamically create a graph of users' traffic patterns through our website. This was using dot from the Graphviz package.
This kind of thing is pretty easy if you are just trying to do stats, but if you're actually trying to persist user data across domains you'll have to do something more complicated.
The best way to set a cross-domain cookie is to make sure all your sites are subdomains of one master domain, say initech.com. So one of your sites, site1.initech.com, sets the cookie with a domain of ".initech.com" and it works fine.
It could be a problem if your sites are on totally different domains though.
Rather than try to set one cookie that each site can access, what you'll have to do is make sure that each site has its own exact duplicate of the original cookie. So, have your site, site1.com, set the cookie for itself and output three 1x1 gifs, or AJAX calls or whatever, to site2.com, site3.com and site4.com setting the same cookie to the same value.
This will be difficult to do securely and reliably ;)
To make sure somebody can't set arbitrary cookies on your domain, you'll have to pass through a hash of the cookie value on the image tag. If the cookie to be set is "mycookieval", also pass through md5("mycookieval"."somesecretstring".$_SERVER['REMOTE_ADDR']). This is potentially bad because it might allow an attacker to set the same cookie to the same IP address, or possibly to brute-force the hash generation.
You could compensate for this by inserting a record into a backend database whenever you set the cookie, and having the other three sites check against it for validity.
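An added example, not part of the answer above: the same cross-site cookie copy with the md5 hash replaced by an HMAC-SHA256 signature over an expiry time and a random nonce, and with a used-nonce array standing in for the backend database check the answer suggests. `SYNC_KEY`, the query field names and the three function names are assumptions made for this example, and the client IP address is left out of the signature here.

```php
<?php
// Added example, not from the answer: HMAC-signed, short-lived, single-use
// token for the cookie-copy request from site1.com to site2.com.
const SYNC_KEY = 'placeholder-load-a-random-secret-from-config';

function sync_mac(string $exp, string $nonce, string $val): string
{
    // exp is digits and nonce is hex, so '|' cannot shift field boundaries.
    return hash_hmac('sha256', $exp . '|' . $nonce . '|' . $val, SYNC_KEY);
}

// Query string that site1.com appends to the 1x1 image URL on site2.com.
function make_sync_query(string $val, int $now, int $ttl = 60): string
{
    $exp = (string) ($now + $ttl);
    $nonce = bin2hex(random_bytes(16));
    return http_build_query(['v' => $val, 'exp' => $exp, 'n' => $nonce,
                             'sig' => sync_mac($exp, $nonce, $val)]);
}

// Check on site2.com. $seen stands in for the backend table: it records used
// nonces so a captured URL cannot be replayed. Returns the value or null.
function verify_sync_query(array $q, int $now, array &$seen): ?string
{
    foreach (['v', 'exp', 'n', 'sig'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) {
            return null;                       // missing field or array injection
        }
    }
    if (!ctype_digit($q['exp']) || !ctype_xdigit($q['n']) || strlen($q['n']) !== 32) {
        return null;
    }
    if (!hash_equals(sync_mac($q['exp'], $q['n'], $q['v']), $q['sig'])) {
        return null;                           // constant-time comparison
    }
    if ((int) $q['exp'] < $now || isset($seen[$q['n']])) {
        return null;                           // expired or already used
    }
    $seen[$q['n']] = true;
    return $q['v'];
}

// Constructed demonstration: first use, replay, then a tampered value.
$seen = [];
parse_str(make_sync_query('mycookieval', time()), $q);
var_dump(verify_sync_query($q, time(), $seen));
var_dump(verify_sync_query($q, time(), $seen));
var_dump(verify_sync_query(['v' => 'other'] + $q, time(), $seen));
```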
This question's pretty cold, but in case anyone else stumbles on it, or the OP still has need, I've created an NPM module which allows you to share locally-stored data across domains. It looks like this would exactly address the OP's need here, and it doesn't require that all sites share a base domain.
https://www.npmjs.com/package/cookie-toss
By using an iframe hosted on Domain A, you can store all of your user data on Domain A, and reference that data by posting requests to the Domain A iframe.
Thus, Domains B, C, etc. can inject the iframe and post requests to it to store and access the desired data. Domain A becomes the hub for all shared data.
With a domain whitelist inside of Domain A, you can ensure only your dependent sites can access the data on Domain A.
The trick is to have the code inside of the iframe on Domain A which is able to recognize which data is being requested. The README in the above NPM module goes more in depth into the procedure.
Hope this helps!
