I am creating a setup, where I have multiple drupal websites running. I am working on a single sign on, but I want to check if the calls to my websites are made from the same person. Is there like a browser cookie or something with which I can identify a user ?
It's like a session identifier but across multiple websites.
Does anyone know what I can use for this ?
Thanks in advance
If you are tying to do single sign on with Drupal I recommend looking at the bakery module. You may find that what you are looking for has already been implemented.
You could use the Login Cookie module to set your own cookie
I fixed it, by doing a redirect to one single website, which gives me an encrypted version of your session ID and then redirects you back to the website where you came from, where that key is stored in the local session of the SESSION
Have you tried to use PHPs standard session functions?
Related
Currently I am doing a project which runs both on Zend Framework (For Web site) and phone gap (For Mobile). I need to use the same code for website and web service for mobile.
Now I am facing the below mentioned issue,
The web service which I am calling from phone gap is to create the session and the session was created successfully. Now i am calling the another web service to get the user details based on session id. But the details are not displaying, because the session id is giving empty. So can you please suggest how can i proceed with this?
Thanks in advance
Session is not shareable. Try saving session id to database (or file) and than read it from server side.
Can you please give more information about how sessions are managed?
From the look of it, you might need to to use both $_SESSION and potentially an implementation of the SessionClassHandler interface to store sessions in a central database.
Also you might have issues with cookies, so you might need to pass the session id via URL. But this is very insecure so if this is the case, make sure that you at least use https or put oher mecanisms in place.
I hope this helps
I have a two diff. project on my XAMPP say it is Project1 and Project2.
When i login with Project1, i check authentication and if it is successful then stored session. The session name is $_SESSION['username'].
The above process is same with Project2.
now,to prevent direct access,i use this code(in both project):
if($_SESSION['username']=="")
{
header("location:index.php");
}
so when i login with Project1, i am also access Project2(without login).
To prevent this, i know that if i create diff. session name for both project then it is solved.
The above thing is in my local server. so i can create diff. session name for my all project.
But suppose my site is online and what happen if my session name is match with diff. site?
There is a millions of websites and there is a possibility that my session name is match with another website's session name.Then this might be happen that some user access my website with another website(in same browser) and he might be access my site without login.
So what happen if session is same for two diff. website? Can user is access my website without login?
If yes then what should i do to prevent it?
Thanks in advance.
UPDATE
according to #Let me see's answer there is a possibility that if two sites are running on the same server then they may share the data.
So suppose the server is sharing then what should i do to prevent it?
Sessions are (usually) stored using cookies, and cookies are domain-specific. So, it doesn't matter if google.com or evilhackerdomain.ru uses the same session name as your app; your cookies are only readable/usable by the domains you specify. Even in the unusual scenario that sessions are managed in some other way, it will be domain-specific.
So suppose the server is sharing then what should I do to prevent it?
To answer your follow up question. You can simply name your session on a specific website using session_name() before your session_start().
session_name('PROJECT1');
session_start();
this one-liner should do it.
Normally the sessionID of the sessions is stored in a cookie and it is related to the hostname and it can be shared by the multiple hostnames having the same domain. and as it is obvious that sessions are stored on the server . So there is a possibility that if two sites are running on the same server then they may share the data..Therefore you should always change the path for storing the sessions on the server for every different website
PHP Sessions are stored in Server. So there won't be any clash between same session names when you go live. Remember, You still have option to store your session in database, which helps you with more secutiry.
Nothing will happen. Because the other Site uses its own database (with own session and user tables). It would only matter if two Sites share the same Database, same tables and same session handling.
User cannot access without log in because of following reasons,
The session data is stored on the server. If two applications are running on the same server and the same domain name, then the possibility is there for them to share session data. Otherwise no conflicts with session values, if the domains are different.
I think if we use a security algorithm like MD5 to encrypt the session which you'll using to login. That will work without problem. For example:
$name_session='username';
$name_session=md5(md5(md5($name_session));
$_SESSION[$name_session]="username_logged";
I am working on a site that has a login API. So when people login on my site, they will automatically be logged in to other sites.
Is their way by which a session can be setup so that other websites can use it? If not, is their any other solution?
One way - you can store your session values in database, and can use in other sites. :)
Example:-
let suppose if my site is deployed on multiple servers and end user might be redirected to different servers accordingly to traffic, then it would be good to save the session values in db.
Yes. It's possible using in example Redis for the session storage. You should look for configuring php sessions to use custom storage. Here is php man for this http://php.net/session.customhandler
What you want to do is probably using a cookie that is spread over your whole domain. This cookie can then be linked to a session. I'm currently working on something like this on Symfony2.
As example:
login.mydomain.com
application.mydomain.com
etc.mydomain.com
login.* will obviously contain my login logic + forms etc. This will also contain an API which the other applications can verify the cookie to. My Application will first check if the user is logged in. If not, it will check if it has the required cookie. If it does not, it will redirect to the login.* login page.
If it does have the cookie, it will validate this in my login.* API. Expired > redirect to the login page, if not it will return the required info of that user and "login" to my application.
The only problem I have at the moment is storing the session. I use mcrypt to encrypt the contents and store it in mysql (cookie_id, cookie_contents). I have but 1 problem, it doesn't automatically purge the expired sessions, I still have to find a solution for this.
What you are basically looking for is Single Sign-On (just a guess, but I think accurate).
I mean you can login both https://mail.google.com/ and https://mail.google.com/a/company.com at the same time.
The projects I've attended so far haven't involved such kind of logic,how can these two url under the same domain use different $_SESSION?
I think there is not inbuilt session management feature in PHP.
You can use variable specific management in session.
for eg.
one login from https://mail.google.com/ then store all it's session data in $_SESSION['gmail'][X] , $_SESSION['gmail'][Y],$_SESSION['gmail'][Z]
and then in when another user login from https://mail.google.cpm/a/company.com then store all it's session data in $_SESSION['company'][X],$_SESSION['company'][Y],$_SESSION['company'][Z]
so by this, you can separate those two sessions from each other.
Those two URLs share the same domain. Only the subfolders are different. Usually with PHP, the cookie which saves the session id is valid for the whole domain and not only a specific subfolder. So there should be no problem using the session data with the same domain.
Maulik Vora's answer will work, but another way to do it is to configure PHP to used URL-based session ID passing. That way every tab or window has a separate session. See this page for information on how to do it, and why you may or may not want to. Here's the docs for it.
I have a django blog project and a chat in PHP.
I need to share the id of the user logged in django ( request.user.id ) with the chat in PHP.
Is this possible ?
I don't think using sessions in this way is a good idea, since they're designed to keep data temporarily for a certain user in an application. It might be a better idea to store the id in a cookie and read that in the chat, or pass a variable in the link.
You could use HTTP authentication for this. As long as both applications are on the same domain and the realm name (sent in the WWW-Authenticate header) is the same for both, once a use logs into one or the other application, the REMOTE_USER variable will be available to both and will contain the username of the person logged in.
See http://groups.google.com/group/django-users/msg/a492cb9394b0db4d for one answer