I've got this setup currently running, where a website is running at site.domain.tld with the backend being at admin.site.domain.tld
A somewhat SSO-ish system is to be installed at sso.admin.site.domain.tld. In fact, when visiting this site, the user is authenticated, a corresponding cookie is being set and the user is moved back to admin.site.domain.tld.
When I am setting a cookie like this
setcookie('bid', $bid, 0, '/', 'admin.site.domain.tld');
I'll get a cookie that is issued for .admin.site.domain.tld (note the dot).
The login like this works fine, but if the user is going for whatever reason first to admin.site.domain.tld and then decides to log in using sso[...], we have a problem: The adminpage sets itself a cookie - but this time it is issued for admin.site.domain.tld - without the dot at the beginning.
So basically after using the sso-login this time, the user ends up with having two different cookies, one for admin.site.domain.tld, one for .admin.site.domain.tld
Because the admin-page prefers the cookies set directly for the page itself, the dot-cookie gets ignored and the login fails.
So basically the best way would be to read, modify or just delete the already existing cookie, but this seems to be impossible from the sso-subdomain.
"Because of reasons", we are not able to place our stuff from the sso-subdomain directly on the admin-subdomain.
Anyone here with an idea what I could do to somehow get rid of those "bad" admin.-cookies?
Would it just be possible to use a different cookie name? You have one subdomain that reads and writes "cookie1" and then another subdomain that reads and writes "cookie2". Does that solve your problem?
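The root of the problem in the question is that two writers issue a cookie with the same name but different attribute sets (one with an explicit domain, one host-only), and the browser keeps both. The example below is added here and is not code from the question or the answer. It assumes PHP 7.3+ (the options-array form of `setcookie`), HTTPS on all hosts, and the hostnames from the question; the helper names and the redirect target are assumptions. It makes every writer use the identical attribute set, and, because `$_COOKIE` keeps only one value per name, it inspects the raw `Cookie` header to detect the duplicate-name condition and then clears both variants so the user is re-issued a single cookie.

```php
<?php
// Added example, not from the original thread. Assumed: PHP 7.3+, HTTPS,
// hostnames admin.site.domain.tld and sso.admin.site.domain.tld as in the question.

const BID_COOKIE = 'bid';
const BID_DOMAIN = 'admin.site.domain.tld'; // sent to this host and its subdomains
const SSO_LOGIN_URL = 'https://sso.admin.site.domain.tld/'; // assumed entry point

// One attribute set, used by the SSO host and the admin host alike, so the
// browser ends up with a single cookie instead of a host-only and a domain one.
function bid_cookie_options(int $expires = 0, bool $hostOnly = false): array
{
    $opts = [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // never sent over plain http
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // still sent on the top-level redirect back from sso.*
    ];
    if (!$hostOnly) {
        $opts['domain'] = BID_DOMAIN;
    }
    return $opts;
}

function set_bid_cookie(string $bid): bool
{
    return setcookie(BID_COOKIE, $bid, bid_cookie_options());
}

// $_COOKIE collapses duplicates, so parse the raw header to see whether the
// browser is sending the same name more than once (the symptom in the question).
function duplicate_cookie_names(string $rawCookieHeader): array
{
    $seen = [];
    foreach (explode(';', $rawCookieHeader) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue;
        }
        [$name] = explode('=', $pair, 2);
        $seen[$name] = ($seen[$name] ?? 0) + 1;
    }
    return array_keys(array_filter($seen, function (int $n): bool {
        return $n > 1;
    }));
}

// Expire both variants (host-only and domain) from the admin host. A host-only
// cookie can only be cleared by the host that set it, which is why this has to
// run on admin.site.domain.tld and not on the SSO host.
function expire_bid_cookie_variants(): void
{
    $past = time() - 3600;
    setcookie(BID_COOKIE, '', bid_cookie_options($past, true));
    setcookie(BID_COOKIE, '', bid_cookie_options($past, false));
}

// Usage on the admin host, before any output is sent.
if (in_array(BID_COOKIE, duplicate_cookie_names($_SERVER['HTTP_COOKIE'] ?? ''), true)) {
    expire_bid_cookie_variants();
    header('Location: ' . SSO_LOGIN_URL, true, 302); // re-authenticate, get one fresh cookie
    exit;
}
```

Clearing both variants rather than guessing which one is stale is deliberate: browsers differ in whether a domain cookie and a host-only cookie of the same name are stored as one entry or two, and a second trip through the SSO host costs the user one redirect.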
I'm not great at PHP, and everything I currently know, I have just taught myself by browsing the internet.
I am currently trying to work with cookies in my page, in order to set up a persistent log in for a day.
Basically I have gotten as far as managing to set a cookie, with a value of the session username. This value is set when the user logs on.
So the user enters credentials, php checks against mysql database, if it is successful then the username is set as session variable, and this is then set as a cookie.
This works, as if I run this php and immediately echo the cookie, the username is displayed.
This is all done on my login form which is brought up in a tinybox (similar to a lightbox and other such pop up windows). The cookie and echo seems to work correctly from here.
However, when the login is successful, it refreshes the parent page, (root page of my site) and all seems well. However, if I then try to echo the cookie from the index page, I can not access it.
I know cookies have limitations on them for security, but seeing as how my login page, and my home page are on the same domain, then I thought this would have worked.
Is this something I am likely doing wrong, or is it a cookie limitation. Would it work if I set the cookie from the index page itself, rather than from within a tinybox?
If anyone wants examples of the code I am using, it can be provided.
Many thanks
Eds
Which browser do you use? Chrome can't work by default with local cookies. You can enable them with the command line flag --enable-file-cookies
http://code.google.com/p/chromium/issues/detail?id=3014
Was helped out by DaveRandom on this one.
Turns out I had to add "/" as the root path for the cookie, so that it was available to parent pages.
I have secured pages that all check for a set session variable to determine logged in users, pretty standard stuff. Where I run into problems is when I submit form information to a backend page that will process that data and then redirect to a success/failure confirmation page. In that time the session gets lost, at least the session with the variable. The session is still around because I can manually navigate to a secured page after and it works. Just auto redirects from a backend page to a secured page or a link on one of the unsecured pages after a redirect from the backend will fail. It may or may not be related, but after visiting multiple secured pages or doing one of the operations that use the problematic backend pages, there are two session cookies on my computer from the domain: one registered to domain.com and the other to www.domain.com. At the end of my wits about this, thanks.
I see two problems here, but they're related.
The first is that you seem to be bouncing between secured (https://) and un-secured (http://) pages. Cookies aren't supposed to be shared between those, so that's why your session appears to break (PHP sets a cookie with the session ID).
The other is closely related and that is sharing between domain.com and www.domain.com. Cookies can share in one direction, but not the other. Don't worry about which: just pick one hostname and stick with it. Then check that you're setting the session's cookie domain to the correct one.
You must call session_start() from your PHP page before you output anything, preferably at the start of the page.
If the session has been already created, it will resume it for that page.
http://php.net/manual/en/function.session-start.php
I need to use the same session in different subdomains.
First I put
php_value session.cookie_domain ".aaaa.com"
on .htaccess file and upload it to root path.
when I need to use sessions. I just call
session_start();
Sometimes it works but sometimes it doesn't.
I tested this and found that.
If I go to login page the first time, then login and go to subdomain page. It works!
If I go to subdomain page and click to login page and go back to subdomain page by javascript window.location = 'http://sub.aaaa.com'; it does not work!!
If I login on 2 web browser with the same account it does not work!!
Are there another way? Or how do I fix this problem. I want my website to use a single login.
Make sure you have session_start() on every page you are using sessions, including some that might not be visible to the user.
If you are using two web browsers the sessions are independent from each other, and this is by design.
To debug your #2 problem, use an HTTP monitor such as HTTPFox to view the headers coming to/from the server as you log in and surf around, make sure the cookie is being properly set with the correct domain and path restrictions.
Problem #3 - I'm not sure what you're getting at. Are you using two separate browsers (say Firefox and Chrome?), or do you mean you're using two windows/tabs of the same browser? For the first, two different browsers will not share cookies, so you can't share a single session between them, without doing some hacks to manually transfer cookies between them.
As for two different tabs/windows of the same browser, such an implementation depends on your login logic. If the login script starts a new session unconditionally, then your second login attempt will get a completely separate session from the first login, and most likely overwrite the first login's cookie as well.
I have a site which I have been testing in a sub-folder of my client's site-root.
I had no log in problems during testing, but then I moved the new site files from a sub-directory to the main site root, and now I'm losing my logged in state after almost every page refresh in secure areas.
I am running a $_SESSION based login system that refreshes the session id on every page load, with a comparison value stored in the MySQL database.
Does anyone have suggestions for what could be causing this problem?
krico was right in suggesting that the cookie path may be the cause (but the solution proposed seems a bit daft) however you've said that is not the case.
Check to see exactly what cookies (name, path, expiry, flags) are being set and returned by using iehttpheaders (MSIE) LiveHeaders (Firefox) or using a network sniffer like wireshark. Then ask the question again providing details of what you found out.
C.
Cookies are usually path relevant. Your previous sub-directory based site was probably setting the cookie (that binds the browser to the user) only for that sub-directory.
A way to fix it is to put a redirection page on the old subdir that adds a cookie to '/' and then redirects to new site on root.
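The answer's fix, a redirection page left at the old sub-directory that re-issues the session cookie for `/` and then forwards the browser to the site root, is written out below. This is an added example, not code from the thread: the old directory name `/newsite/` is constructed, the cookie name `PHPSESSID` is PHP's default, and HTTPS and PHP 7.3+ are assumed. It must run before any output because it sends headers.

```php
<?php
// Added example, not from the original thread. Assumed: old test location
// /newsite/ (constructed), default session cookie name, HTTPS, PHP 7.3+.

const OLD_PATH       = '/newsite/';   // where the site lived during testing (assumed)
const SESSION_COOKIE = 'PHPSESSID';   // PHP's default session cookie name

// Returns true when a session cookie was re-scoped, false when there was
// nothing to carry over or the value did not look like a PHP session ID.
function rescope_session_cookie(string $oldPath): bool
{
    $sid = $_COOKIE[SESSION_COOKIE] ?? '';
    // Only echo back values shaped like a session ID; anything else is dropped
    // rather than re-issued under a wider path.
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid)) {
        return false;
    }

    $past = time() - 3600;
    // 1. Expire the copy that is scoped to the old directory only...
    setcookie(SESSION_COOKIE, '', [
        'expires'  => $past,
        'path'     => $oldPath,
        'secure'   => true,
        'httponly' => true,
    ]);
    // 2. ...and re-issue the same session ID for the whole site.
    setcookie(SESSION_COOKIE, $sid, [
        'expires'  => 0,          // session cookie, as before
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return true;
}

rescope_session_cookie(OLD_PATH);
header('Location: /', true, 302);
exit;
```

Once every visitor has passed through the old path once, the page can be removed; from then on the application itself should set the cookie path to `/` (for sessions, via `session_set_cookie_params` before `session_start()`).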
If you change session id you will lose all data stored in previous session. You must set session name after every session start command
<?php
session_name('AnySessName');
?>
or use other mechanism to store your variables cross sessions.
I am using PHP 5.2.8.
I have index.html, which loads LOAD.PHP from an IFRAME.
iframe src="load.php".....
I printed out load.php's session id.
Then I ran another test.php, and printed out its session id.
The PHP session ids were different.
Therefore, I cannot pass any session variables....
What is happening here? This problem did not happen before, suddenly today it started happening.... however this problem still exists.... it's driving me nuts!
session.save_path is the same for both.... /var/php5, cookie path is the same...
If PHP is creating a second session ID on the second load of the page, then it means that the first one was not passed back properly. Likely, the cookie is not being set for some reason. Things to check:
Test in multiple browsers?
Did you disable cookies in your browser somehow?
Is the iframe on a different domain or subdomain that might prevent cookie passing?
Install LiveHTTPHeaders or some other firefox add-in to check the cookies you are receiving
http://www.example.com will have a different sessionID than http://example.com
(not really an answer as your question doesn't seem to me to have enough data to provide a certain answer, but rather a few things to check)
Are the files in the same domain and directory, and are the cookies not limited to a different directory (i.e. path=/)? (note: they're not limited unless you tell that explicitly with session_set_cookie_params)
Is the browser sending the cookie (or are you maybe in "incognito mode")? If cookies don't work PHP will probably try to pass Session IDs in the QueryString and fail, if you go to test.php writing its name manually and not following a link (usually I use session.use_only_cookies=1 to avoid that).
They will have different SID if they have different cookie domain or cookies are not working at all and PHP is configured to use only cookies for session ID (session.use_only_cookies=1).
Cookie domain is explained here
Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that fails within one of the seven special top level domains listed below only require two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".
The default value of domain is the host name of the server which generated the cookie response.
So set a common domain for your hosts and they will share cookies, thus PHP SID :)
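The same fix answers two questions in this thread: the one about sharing a session across sub.aaaa.com and the login page, and the one above about www.example.com and example.com ending up with different session IDs. Below is an added example, not code from any post here, of a session bootstrap to include on every page before any output. It assumes PHP 7.3+, HTTPS everywhere, and the hostnames from the thread; the session name `AAAASESSID` and the helper names are assumptions. It sets one explicit cookie domain shared by all hosts, refuses session IDs carried in the URL, and replaces the ID on login so an ID planted before authentication cannot be reused.

```php
<?php
// Added example, not from the original thread. Assumed: PHP 7.3+, HTTPS,
// hosts aaaa.com, www.aaaa.com and sub.aaaa.com sharing one session.

const SESSION_DOMAIN = 'aaaa.com'; // matches aaaa.com and every subdomain
const SESSION_NAME   = 'AAAASESSID'; // one fixed name on every host (assumed)

function start_shared_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started on this request
    }
    // Never accept the ID from the query string: cross-host links and copied
    // URLs must not be enough to join a session.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // refuse IDs the server never issued

    session_name(SESSION_NAME);
    session_set_cookie_params([
        'lifetime' => 0,               // until the browser closes
        'path'     => '/',             // whole site, not one sub-directory
        'domain'   => SESSION_DOMAIN,  // shared by www., sub. and the bare host
        'secure'   => true,            // never sent over http://
        'httponly' => true,            // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After the credential check succeeds: keep the session data, replace the ID.
function login_session(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user']     = $username;
    $_SESSION['login_at'] = time();
}

function logout_session(): void
{
    $_SESSION = [];
    session_destroy();
}

function current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}

// Usage at the top of every page, before any HTML:
start_shared_session();
```

The explicit `domain` is what makes the cookie travel between www.aaaa.com, sub.aaaa.com and the bare host; leaving it out makes the cookie host-only, which is the situation both questions describe. Two different browsers still get independent sessions, which is expected and not something this bootstrap tries to change.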