session_id() not getting session variables - php

I have a homebrew CMS installed on two different web servers. Each maintains the same code. I have had a really annoying problem when I try passing $_SESSION variables between different domains.
My CMS is on domain1.com. The website it is controlling is on domain2.com. My system passes all the session variables for the login information from domain1.com to domain2.com via a url link (domain1.com has a link like this: http://domain2.com?sessionId=1gh...)(sessionId is generated by session_id()). domain2.com retrieves the session id and does session_id($_GET['sessionId']) to set the session and grab the variables. It then proceeds to show a bar at the top with admin features.
This system works well on one of my hosts, as well as my localhost. But I recently transferred to a different host and installed my CMS with the same code with success. Everything works except for this feature. When I click on the link and try to set the session_id, the session_id changes, but the $_SESSION variables are removed. When I return to my CMS, I have to relogin. Somehow on this host, changing the session_id deletes the $_SESSION variables.
I have never liked session variables and I would not use them if I were to start again (I would probably use plain cookies). But I really need to figure this out. The host that it works on is Bluehost, with both domains hosted by Bluehost. The host that it does not work on is [EDIT]ByteHost, and the domain registrar is Godaddy.
Here is some example code from domain2.com:
...
if ( $_GET['sessionId'] )
{
    session_id($_GET['sessionId']);
}
session_start();
echo session_id(); // returns the proper sessionId passed through the url
print_r($_SESSION); // does not work. returns array()
...
I can guarantee that the $_SESSION variables existed before, because I was still logged into my CMS.
Any ideas why session variables work on 1 host, but not on another?
I tried replacing the php.ini file with the working host one. Problem was still there.
Thank you for your time!
UPDATE
I ended up removing this from my CMS. Now, I just pass the login details over the url and it logs the person in. It works a lot cleaner.

Here are some reasons why this may not be working:
different physical server
different account for each domain (even if it's the same physical server)
different apache/php daemon for the domains (some shared hosting sites will create a separate directory for each domain, and then restrict apache from sharing information between domains. This will also have the effect of preventing session information from being passed. Think about it - do you want someone else's domain on the same hosting provider to have access to YOUR client's session info?)
configuration (apache or php), or .htaccess rules
Here is what I will recommend: stop doing this. This is a great opportunity to fix a very serious security flaw in your code. By the time you diagnose it with the hosting provider, you could probably just rewrite everything you need using HTML5 storage or secure cookies.
My guess is that the hosting provider is smart enough to protect session information from being stolen from another domain. But in either case, I strongly recommend you change the code so that it does not need to steal session information from another domain.
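An added example (not part of the original answer or the asker's CMS) of a handoff that keeps the session id out of the URL: domain1.com issues a short-lived, single-use HMAC-signed token and domain2.com verifies it before starting its own session. The function names, the 30-second lifetime, the shared secret and the $seen replay store are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: names, lifetime, secret handling and replay store are assumptions.

const HANDOFF_TTL = 30; // seconds a handoff link stays valid

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// domain1.com: issue a token for the user who is already logged in there.
function issue_handoff(string $secret, int $userId, int $now): string {
    $payload = b64url(json_encode([
        'uid' => $userId,
        'exp' => $now + HANDOFF_TTL,
        'jti' => bin2hex(random_bytes(16)), // one-time identifier
    ]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $secret, true));
}

// domain2.com: returns the user id, or null if the token must be rejected.
// $seen stands in for a store shared by domain2's workers (table, cache).
function redeem_handoff(string $secret, string $token, int $now, array &$seen): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $secret, true));
    if (!hash_equals($expected, $mac)) return null;      // forged or altered
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($claims) || !isset($claims['uid'], $claims['exp'], $claims['jti'])) return null;
    if ($claims['exp'] < $now) return null;               // expired
    if (isset($seen[$claims['jti']])) return null;        // already used once
    $seen[$claims['jti']] = $claims['exp'];
    return (int) $claims['uid'];
}

// Constructed demo values: fresh token, replayed token, tampered token.
$secret = random_bytes(32);
$seen = [];
$token = issue_handoff($secret, 42, 1000);
var_dump(redeem_handoff($secret, $token, 1010, $seen));
var_dump(redeem_handoff($secret, $token, 1011, $seen));
var_dump(redeem_handoff($secret, $token . 'x', 1010, $seen));
```

After a successful redeem, domain2.com calls session_start() and session_regenerate_id(true) and stores the user id in its own $_SESSION, so no session id from another site is ever accepted from a request parameter.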

To have a session on multiple domains you would need to have the session id passed in the url instead of the sessions cookie as cookies only work on a single domain basis.
Using subdomains would solve the problem if they're not separate customers a.domain.com and b.domain.com

Related

Securely login into website from a different server?

Here's the thing:
I have Website A in Server 1, a CakePHP 2 based website without any kind of login system.
I also have Website B in Server 2, another CakePHP website which has its login system (uses CakePHP's Auth for more details if it matters), with a login form in first page where users can enter login/password to access it.
So now what I need to do is to add a login form in website A that logs users into website B (as if they had used the form in website B).
Is that possible? If so, what approach should I take to do that securely? (By that I mean without plainly exposing the users credentials).
I assume you're doing this so that you can go between multiple sites, but only login once? I've come up with a way to do this, provided that the sites share domains, but are hosted on different subdomains by getting them to share session. The reason this only works on websites that share domains is because two completely unrelated websites cannot share cookies, which is necessary to get them to share session.
Note that since your goal is to make the two servers completely share their sessions, you will encounter some problems, like for example, flashmessages for one site will appear on both. I ended up extending the Session component so that it would automatically append to all session variables with a prefix to specify which server the session variable belongs to.
Here's an outline of the steps:
The login server will need to be able to host shared sessions, probably via memcache's session save handler, which you will need to install on both your servers. See more here: http://www.dotdeb.org/2008/08/25/storing-your-php-sessions-using-memcached/
The login server's site will need all the regular stuff for a login system, but you also need to set the server up so that it will use the shared memcache session instead of the normal way of saving session. Example once you have memcache installed, add to its php.ini file:
session.save_handler = memcache
session.save_path = "tcp://[login server ip]:11211"
The other server's site will also need to use the shared memcache session stored on the login server, so config its php.ini the same way you did for your login server. Then, set up the Auth component on this site so that it will require logins, but for actually logging in, redirect them back to your login server.
On both servers, in bootstrap.php, add the line ini_set('session.cookie_domain', '.' . ROOT_DOMAIN); Where root domain is the root domain both of them have. So if you were using test.com and subdomain.test.com, ROOT_DOMAIN would be "test". This way, the websites will also share their session cookies.
Make absolutely sure both servers are set to the same time. If their times don't match, you'll likely randomly lose your session because one of the servers will think the session is much older than the other server, and so it will delete it because it thinks the session is too old.

Cookies across subdomains and server - PHP and Apache2

I run a website which has many different subdomains. We are introducing a new download server which is using a subdomain of the main domain. The way we normally check user information is with cross subdomain cookies etc but I know this won't work because of the different server and I wondered what would be the best way of checking if the user is logged in etc on the main server.
What I am wanting to do is the following
Sub1.domain.tld = main server
When you want to download a file, it will point you to the appropriate server where the files are stored
Sub2.domain.tld = download server
Is there any way to keep or check if the user was logged in please.
The way we normally do it with cookies across subdomains is
setcookie('LoginVariable1', $LoginVariable1, $expiretime, '/', '.domain.tld');
setcookie('LoginVariable2', $LoginVariable2, $expiretime, '/', '.domain.tld');
Cross domain cookies will exactly work in your case. The only case they would not work would be if you have "www.somedomain.example" and "download.someotherdomain.example", because you cannot define a cookie to be cross-domain for the top-level domain "example".
So this boils down to have a cookie that tells all servers something like the session id of the user, or an authentication token he got during login, and then all servers must ask some central authentication service whether this session or token is currently logged in.
If the subdomains map to different servers, you have two ways as I see it.
1) You can share the directory that php writes sessions to on server A and point server B there.
2) You can use database sessions and have both servers connect to a single database to verify/retrieve the session.
In both cases, you end up with a single, central place to store sessions.

Cookies available on different domains / htaccess forwarding

We are running an online portal which is available via different domains (e.g. example.de, example.at, example.ch) as well as variations of it (e.g. exam-ple.de) and payment for all countries is done via secure.example.com, so it is not possible to access cookies on secure.example.com which were set on example.de.
First question (not directly referring to cookies):
Is it possible to forward a user from exam-ple.de to example.de without losing the referer information? Maybe with .htaccess?
Second question:
Is it "dirty" to store all cookie names in a configuration file and then pass all cookies via GET every time the user gets forwarded to another domain name and reset the cookies? I can only think of this one solution to make cookies available on different domains... Or does anyone have a better solution for the problem?
Best regards,
Freddy
To answer your first question, assuming that you are using apache2 as the web server (you mentioned .htaccess), I would suggest using mod_rewrite for redirecting the URLs to a different domain. When using mod_rewrite you are able to set cookies.
Also you can create a php script that forwards to your domains and sets the cookies. It might be called like www.yourdomain.com/forward.php?target=at&....

Zend Authentication Problem with subdomain

I am working on a project using zend framework, php, mysql on ubuntu.
I have created hostname test.dev on my local machine and am using zend authentication. When a user is authenticated using zend authentication, I set a session variable for the logged in user id. I use this session variable (userid) on different pages to ensure authentication.
Question:
Now I have to create a subdomain. I have created a new hostname mypage.test.dev on my local machine. Both hostnames are pointing to the same directory, for example /var/www/test/public. But when I login on test.dev, I have to login again on subdomain mypage.test.dev. Even session variables of test.dev are not accessible on mypage.test.dev.
How can I login on all subdomains using one login?
Thanks.
Session variables are stored specific to each specific domain address. And so if a website is coded poorly and you login to http://mydomain.com and then later access the site as http://www.mydomain.com, you will encounter the same error.
One possible solution to this is to setup a webservice that allows you to access the other domain and retrieve any stored session variables as well as authenticate the user. So for example, if I login to test.dev and then later go to mypage.test.dev, a call will be issued to test.dev/auth-service/ by mypage.test.dev to authenticate the user and if it is successful, then return all stored session variables so that they can be stored by mypage.test.dev.
Perhaps a cleaner approach would be to always access session data only from one domain or the other and to always access it strictly through the web service so that the interface to session data remains consistent across both sites. This does present a possible performance issue though, since it is obviously faster to simply access session directly rather than through a web service.
You are looking for this:
http://blog.pracucci.com/2008/09/24/zend-framework-and-session-cookies-across-subdomains/
After some time I have got my solution.
I added following line into config.ini
session.cookie_domain = .test.dev
then added the following line into Bootstrap.php
Zend_Session::setOptions( $this->getOption('session') );
and session variables are working for all subdomains of test.dev

Lost sessions after ISP moved my site to new server

I'm having some sessions problems after my ISP moved my site to a new server, supposedly setup the same. The problem appears to be browser-specific as well, which I don't quite understand.
First, my site uses sessions to login, this has been broken since they moved the site.
My ISP has set up a test page. When I hit this page in IE 6 (where it sets some session vars) and then hit the "header redirect" button, sessions seem to work fine. If I try it in Firefox/Opera, I get a new session id on the redirected page. My ISP reports sessions are working for IE as well, though I imagine they're using IE7 or perhaps even 8.
Everything was working fine on my site before my ISP moved it and while they've been very helpful in responding, they're at a loss as to why it's broken. A couple of other of my sites with them were broken along with the move, but they have been resolved by server tweaks...Does anyone have any ideas what's going on?
You're redirecting from "launchcomplex.com" to "www.launchcomplex.com"
If you set session.cookie_domain it should work - see session_set_cookie_params()
Cookie domain, for example 'www.php.net'. To make cookies visible on all subdomains then the domain must be prefixed with a dot like '.php.net'.
When they moved servers, did they move to a clustered configuration? Meaning when I hit your web page, am I always requesting content from the same physical server, or could it be any of a cluster of servers?
If the latter, that is your problem. Sessions are by default file-based, and thus are not scalable to multiple servers.
One solution is to use session_set_save_handler() to write your own session manager. Usually you would use a database to read/write session data using this method.
