PHP session across multiple domains - php

I have a webservice (abc.com) for my company with an own user database and it is working just fine. Now my company wants to add some additional services which are located on a completly different server with another domain (xyz.com) but still use the same login data from abc.com because we have complete control over it and there are going to be similar servers like xyz.com so it is out of question to just import the user database on xyz.com.
My first thought was to use my checkuser.php from abc.com while submitting the login form from xyz.com but then I learned that the session cookie stuff is bound to the domain. At least that is how I understood it.
After that I wanted to access my checkuser.php via AJAX and HTTPS and submit the session data encrypted via POST to xyz.com. That failed too as AJAX seems not to work across multiple servers for security reasons.
Now I am out of ideas and dont know how I can securly authenticate out users on the foreign servers using our user database.

I would use single sign on (SSO) in stead of a shared session. That way, you don't make the sites code dependent on each other. If you later decide to change something on one of the sites, there is less reason to worry about breaking functionality on the other sites, and if you choose to link in a new site you are able to reuse the same solution.
What's better is that someone already made it for you, and it may even be more secure that what you'll be able to create yourself.
Wikipedia has some good general knowledge on SSO. Also, look into OAuth and OpenID. Combine these terms with PHP and a search should get you on the right track.

Another option is to simply have the login function on xyz.com connect directly to the database of abc.com to check the login name and password. Then you use xyz.com's database for everything else. Also if you really wanted to you could store the session information in your database on abc.com instead of a temporary file then you can also access that data from xyz.com. Here is an example of how to do this.

I haven't been working with php very long and have not encountered this problem myself, however, I've been hitting the books hard and came across an answer that my help you out.
If you are just trying to access the scripts and DB on server xyz.com, you can literally grab the content of a script using its url or IP address from within a script located on a separate server (abc.com) using the following function:
/* This example allows my example script on server mvc.com
to access the script on oreilly.com */
file_get_contents("http://oreilly.com");
Since you are accessing the code remotely, and I'm taking a shot in the dark here, I think that file_get_contents ( ) would allow you to set variables via $_POST or $_GET methods from the script on server xyz.com and send the values to the script on server abc.com. From there, you could then store these variables inside $_SESSION variables located on a single server, which ever server that handles the original $_SESSION variables and most of the processing.
It could become a quite complex 'game of catch' between the servers if you need to go back and forth frequently, but I think it may be a way around your problem if you can't move the data onto a single server. If you plan the structure of your scripts well this would allow you to store those $_SESSION variables all in a single place.

Related

Does PHP session_set_cookie_params() create a manipulable cookie on the users machine?

I'm creating a dashboard where I have the front end on one subdomain and the api which is in php on another subdomain. I was looking for how to preserve $_SESSION between the two and found this. So what I'm inquiring about is since cookies are stored on the users machine and I'm sending the user id to the api, would they be able to manipulate this value and browse the app as a different user assuming I use session_set_cookie_params(). So I would be using $_SESSION in the api but this native function makes me think they'd be able to change the value.
I don't believe this method I've alluded to is of any danger (knock on wood) but I'm just going to go for the /api/ subfolder structure anyways at this point as having a separate endpoint seems to make things too spread out.

Can i pass a session data from a aspx page to a php page?

I need to add in a survey form to an old asp.net application. I tried using creating another asp.net application but the server doesn't allow.
the survey form will get the user's particulars from a database, after everything is filled up and validation is done, a submit will create an excel spreadsheet, send a email to the user and update the database.
However the web server is not running the page of the new application, error says that a virtual directory is not created for the application and i do not have the access to the IIS manager, i only have the ftp access.
I am thinking of using php to do the job instead. My plan is to pass the session("userid") of the apsx page and call a response.redirect(survey.php). From there the php must know which user had done the survey, so i need to pass a session variable from aspx to php so that i only who is doing the survey.
Is this method possible? If so, how can i pass that session variable?
This seems like a hacky solution. If you are modifying the ASPX to do the response.Redirect, surely you and put your logic there instead of creating a PHP solution alongside?
If you really want to do this (which I don't recommend), just pass it in the QueryString.
response.redirect("survey.php?userid=" + Session["UserId"]).
You could store the session information in the database, to be shared, which would avoid showing the values in the querystring (unless you encrypted it). ASP.Net has a SQLServer mode for session which you might be able to use by querying the DB from PHP. Otherwise just a custom table with the usual expiry date, user id etc. could work.

How to keep PHP session intact when another server is making the request?

I have a secure site with private information that uses https. We have a partnership with another site that provides functionality for our users. We want the header and footer to be the same, but the body functionality to come from their site. I thought I'd create a template file that they can request from our server, which would allow me to keep creative control for whenever our site has changes.
However, the header has account information, so it needs to access the session information for the current user. So number one, is this possible? If a user clicks from my site to theirs and they request the template from our servers, how can it be sure to connect to the correct session? And number two, is this safe? How can I be sure this connection is secure?
Edit: It appears this option is not worth pursuing. I'm going to work on some other ways for the other server to access the information. Thanks.
What you are trying to do in that way is a completely mess.
You should avoid outtputting a page built from different website putted all togheter.
That would become:
Hard to maintain;
Prone to security hole.
If you want the file on your site to be a template, it should be only that. Have the other site add the information to the header after fetching it.
I think for what you are doing, the only option you have to is to redirect any request through your server acting as a proxy to maintain session vars without causing to many security holes.

Loggin a user across different domains

two years ago I had to design a system to share authentication data across multiple domains, all of them shared the same server/db. I was able to pull this off with a complex system of cookie sharing which, to date still works.
I'm now in the process of redesigning the system and I was wondering if there are better ways to achieve this without having to write cross domain cookies.
Basically the system MUST do this.
Once logged in one site the user must be logged in all of the other site seamlessly, not only following a link, but even by directly writing the domain name on the address bar.
To my knowledge the only way to achieve this are cross-domain cookies, if there are alternatives please tell me.
Thank you very much
My Idea would be to include a login-Javascript from a third domain which gets includet in all sites. This javascript sets and reads the session-cookie and calls the current domains server via ajax with the result. (No validation should be done in the JS - this simply sets and reads the cookie)
If cross domain AJAX does not work, you can still call the thirds domain server which acts like a proxy and calls the current domains server.
The StackOverflow sites have implemented something similar to this. Check out the details at the following links.
Here is a post giving an outline of how they did it.
And here is even more detail.
For this you do have to use cookies, but you can vary what you store in the cookie. The cookie doesn't have to contain user credentials but can instead contain something more like a token that you use to "centralize" your sessions.
Easies way would be to let all hosts share a single memcached server and use the content of the users cookie as your key.

How do I save specific responses from webservers in my local computer

I have been asked to write to save the data in some secure place after certain task is completed by a client.
Here my client has alot of staffs who makes data entry in online forms provided by some different vendors. After some steps the entered data generates some results. i.e after submitting the web form. Now he wants the generated results to be saved either in local computer or in some online server.
Can it be done by:
1.) Creating a local web server which sits in between the users and the online main third party server and record all the generated results?
2.) Creating a browser extension [m thinking about firefox] and forcing users to navigate via the specific browser and record all the generated results?
**I am pretty sure that second method can work as firebug is doing that only need to add some functionality to save the data.
any idea will be appreciated.
Sorry for mis-leading guys. To make more clear here are some more explanation.
a.) I am writing application to one of my client who has many staffs who enters data in abc.com website.
b.) User submits the data to abc.com.
c.) the website abc.com produces or generates some result as per input data and sends back to user.
d.) Now I need a system which will be inbetween the staffs/user and abc.com website and track the responses of abc.com and save it to some location automatically.
e.) Currently the data entry user will manually save the result to his local computer and if he/she forgets to save then we miss the result so want to do it automatically so that we wont be missing any single result.
A local webserver wouldn't really help so much because of crossdomain issues, unless you wanna go with something as JSONP. In that case, you might wanna use a signed java applet, which (assuming the user accepts the certificate) has any access an installed Java app would have, so it could potentially bind a port and server as HTTP server (I'm not sure how well this works on linux or unix).
Another idea would be to use Flash's local shared objects. Depends on how much data you want to save. You may need to make the Flash visible, so the user can see the dialog for allowing the data to be saved. You can communicate from JavaScript to Flash using ExternalInterface.
Yet the most simple thing is to give the user a permanent cookie, and save the data associated with that cookie on a web server.
greetz
back2dos
Take a look at HTML5 local storage if you don't need a lot of data to be stored or you can use local databases, see http://blog.darkcrimson.com/2010/05/local-databases/ .
You can also sync it with a server once the client is online again..

Categories