transfering session using session_id across domains - php

I am attempting to transfer a session to another domain by using session_id function.
User logs in # domainA.com and gets redirected to domainB.com where I want to transfer the session.
if(isset($_REQUEST["redirect"]) && $_REQUEST["redirect"] != ''){
$url = urldecode($_REQUEST["redirect"]);
if(strpos($url, "xxxxx.") === false){ //Means we are redirecting to a custom domain
$urlParts = parse_url($url);
$url = $urlParts["scheme"] . "://" . $urlParts["host"] . "/login/index/sid:" . session_id() . "?redirect=" . $url;
}
$this->redirect($url);
}
SiteB.com will receive the session id and set it like so:
if(isset($this->params["named"]["sid"]) && $this->params["named"]["sid"]){
session_id($this->params["named"]["sid"]);
$this->redirect($this->params["url"]["redirect"]);
}
I am sure that the session is arriving at siteB.com but $_SESSION remains empty.
What am I missing?
Thanks


You should call session_id($sess_id) before session_start();

Related

Redirecting a page Based on URL Value

I am trying to redirecting my register page to https:// based on parse url value.Below is my code
$url = $current_url="//".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$parts = parse_url($url);
parse_str($parts['query'], $query);
if ($query['view']=='register') {
$porthttp = "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
header("Location: " . $porthttp);
exit();
}
But it is giving error 'server is redirecting the request for this address in a way that will never complete.'
what's wrong i am doing?

You are redirecting on same page which you accessing so it will not work.
I.e http://localhost/demo/test.php?view=register and you are checking condition like if ($query['view']=='register') {} then you are redirecting on same page using $_SERVER['REQUEST_URI'] so it will go to infinite loop.

PHP redirect with final URL as a parameter

I'm trying to send traffic to my site, then have it redirect to a domain that is specified in the campaign's URL. What I've tried so far is this php on a directory "redirect" within my site:
I would like to send the traffic to this URL, where the redirect takes it to the sample domain:
http://www.example.com/redirect?link="http://www.sampledomain.com"
<?php
// accepts a url as a query argument, checks to be sure request came from
site
//
if (!isset($_SERVER['HTTP_REFERER']) ) die('not authorized');
$host = $_SERVER['HTTP_HOST'];
$referer = explode('/', $_SERVER['HTTP_REFERER']);
if ($referer[2] != $host) die('not authorized (2)');
$transfer = filter_input( INPUT_GET, 'link', FILTER_SANITIZE_URL );
header('location: ' . $transfer);
exit();
?>
With this method I keep getting a 403 error. Please help with any suggestions.
Thanks!

How to make sure a parameter "lang" always is present in url without adding it to all links?

I have a simple multi language website. The langauge of the displayed page is controlled by the use of a session variable, but I want users to be able to copy the url and send it to other people and end up on the same language page -- that is I want the "lang" url parameter to be present in the url always.
I could of course edit all links on the page and add it to them, but isn't there an easier way to do this? Is there an alternative solution?

Maybe you can try this:
<?php
//get full url
$url = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
//check if get lang exists.
if(isset($_GET['lang'])){
if($_GET['lang'] == "en"){
//then do nothing.
} else{
//get all parameters.
$query_arr = $_GET;
//chang lang parameter.
$query_arr["lang"] = "en";
$query = http_build_query($query_arr);
$uri_parts = explode('?', $_SERVER['REQUEST_URI'], 2);
//make first part of url.
$first_url = 'http://' . $_SERVER['HTTP_HOST'] . $uri_parts[0];
//redirect to correct url.
header("location: " . $first_url . "?" . $query);
}
}else{
//redirect to correct url.
header("location: " . $url . "&lang=en");
}
?>
Hope this is wat you meant.

You can use something like:
<?php
session_start();
if(isset($_SESSION['lang'])){
$sessionLang = $_SESSION['lang'];
$protocol = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off' || $_SERVER['SERVER_PORT'] == 443) ? "https://" : "http://";
$rUri = "$protocol$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
if(!(isset($_GET['lang']))){
if (strpos($rUri, '?')) { // returns false if '?' isn't there
$newUrl = "$rUri&$sessionLang";
header("Location: $newUrl");
} else {
$newUrl = "$rUri?$sessionLang";
header("Location: $newUrl");
}
}
}
We make sure $_SESSION['lang'] isset.
Get the current url protocol and uri
Check if $_GET['lang'] isn't already set
Check if the url already contains parameters (strpos($_SERVER[REQUEST_URI], '?')), is so,
append &lang=, otherwise append ?lang= to it.

PHP Redirect to Selected Page After Login

I'm trying to find a way to redirect a user to the page they selected if they have been forced to log in again after a session timeout.
Right now, after the user logs in, they are redirected to index.php. But, if a user received a link in an email to a different section of my site and they have not logged in all day, they are obviously asked to log in but end up on the index.php instead of the page the link was for.
Here is a snippet of my code in the login page:
if (mysql_num_rows($result_set) == 1) {
// username/password authenticated
// and only 1 match
$found_user = mysql_fetch_array($result_set);
$_SESSION['user_id'] = $found_user['id'];
$_SESSION['username'] = $found_user['username'];
$_SESSION['last_activity'] = time();
$_SESSION['time_out'] = 7200; // 2 hours
redirect_to("index.php");
Any ideas would be helpful.
I want to thank everyone who answered my question. The solution was a combination of a few suggestions I received here. I'd like to share with you how I solved this:
Part of the reason why I was having trouble saving the url the user tried to go to before being forced to log in again was that my sessions are handled by an external php file which takes care of confirming login and expiring current session. This file is required by all pages on my website. HTTP_REFERER would not work because it would always be set to the login.php. Here's what I did on my session.php file:
session_start();
$protocol = strpos(strtolower($_SERVER['SERVER_PROTOCOL']),'https')
=== FALSE ? 'http' : 'https';
$host = $_SERVER['HTTP_HOST'];
$script = $_SERVER['SCRIPT_NAME'];
$params = $_SERVER['QUERY_STRING'];
$currentUrl = $protocol . '://' . $host . $script . '?' . $params;
if ($currentUrl != "http://domain.com/login.php?") {
$expiryTime = time()+(60*5); // 5 mins
setcookie('referer',$currentUrl,$expiryTime,'/');
}
Essentially, I saved the referring url in a cookie that is set to expire in 5 minutes, giving the user enough time to login. Then, on login.php I did this:
if(isset($_COOKIE['referer'])) {
redirect_to($_COOKIE['referer']);
} else {
redirect_to('index.php');
}
And, BINGO! Works every time.

Try this:
$actual_link = "http://" . $_SERVER["HTTP_HOST"] . $_SERVER["REQUEST_URI"];
if($actual_link == 'the email link'){
header('Location: '. $actual_link);
}else{
header('Location: index.php');
}

Try to save the URL in session whenever a user hit any url like http://www.abc.com/profile.php
once the user has successfully logged in redirect the user to saved URL(which is in session)

it the previous page is in the same directory and then you can try header('Location : .') or else if you if you need to redirect somewhere else.save the path before that situation occurs and in $url then u can redirect using header('Location: $url') or header('Location $url?values')

PHP authentication with multiple domains and subdomains

I have one main domain: main.com, subdomains: test1.main.com, test2.main.com and other domains one.com, two.com.
Now it's done like these:
ini_set("session.cookie_domain", ".main.com");
$domain = 'main.com';
login.php
$user = $db->query("SELECT id, login FROM users WHERE email=? AND password=?",
array($email, $password), "rowassoc");
if($user)
{
$_SESSION['user_id'] = $user['id'];
$_SESSION['user_name'] = $user['login'];
$time = 100000;
setcookie('email', $email, time() + $time, "/", "." . $domain);
setcookie('password', $password, time() + $time, "/", "." . $domain);
header('Location: http://' . $user['login'] . "." . $domain);
exit;
}
added on each page:
if(!isset($_SESSION['user_id']))
{
if(isset($_COOKIE['email']) && isset($_COOKIE['password']))
{
$email = $_COOKIE['email'];
$password = $_COOKIE['password'];
$user = $db->query("SELECT id, login FROM users WHERE email=? AND password=?",
array($email, $password), "rowassoc");
if($user)
{
$_SESSION['user_id'] = $user['id'];
$_SESSION['user_name'] = $user['login'];
}
}
}
else
{
$user = $db->query("SELECT id, login FROM users WHERE id=?",
array($_SESSION['user_id']), "rowassoc");
if(!$user)
{
setcookie('email', '', time() , "/", "." . $domain);
setcookie('password', '', time() , "/", "." . $domain);
unset($_SESSION['user_id']);
session_destroy();
setcookie("PHPSESSID","",time(), "/", "." . $domain);
}
else
{
$_SESSION['user_id'] = $user['id'];
$_SESSION['user_name'] = $user['login'];
}
}
logout.php
if(isset($_SESSION['user_id']))
{
setcookie('email', '', time() , "/", "." . $domain);
setcookie('password', '', time() , "/", "." . $domain);
unset($_SESSION['user_id']);
unset($_SESSION['user_name']);
session_destroy();
setcookie("PHPSESSID","",time(), "/", "." . $domain);
header('Location: /main');
exit;
}
But it works only on domain main.com and its subdomains test1.main.com, test2.main.com.
I need to somehow save the session and on other domains one.com, two.com.
How best to do safe authentication, if there are solutions, i really confused, please tell with example.

As far as I know, crossing sessions between sub-domains is fine, but it won't carry over to a whole new domain. To do that you need some sort of centralized data method, or an API.
Database method: you will have to create a remote MySQL data access so that domain2.com can access the database on domain1.com. When a log-in is performed, not only should it create a new session, but a unique log-in token (with an expiry time) should be put into the mysql database. Now, for every link that goes from domain1.com to domain2.com, you should add a $_GET variable that contains a randomly generated session id (md5 hash will do). domain2.com, upon receiving the visitor, will take the $_GET variable, run it through the MySQL database to find the login token, and if there is a match, consider that user to be logged on (and perhaps embed a $_COOKIE as well to store the login data). This will make the log-in transferrable between two completely different domains.
API method: you need to create an API method, so that domain1.com can respond to an external request from authorized domains to retrieve the login token upon a user being forwarded. This method will also require that all links going from domain1.com to domain2.com to be appended with a $_GET variable to pass the unique session hash. Then upon receiving the visitor, domain2.com will do a curl() request to domain1.com/userapi.php (or whatever you call the file) and the variables should be tested against what's in the database.
This is the best I can explain it.. to write this out in code is a significant piece of work so I cannot commit. But judging by your code, you have a very good understanding of PHP so I'm confident you will pull this off!
Good luck mate.

To keep your sessions going across multiple domains, you need to use session_set_cookie_params(). With that, you can specify your domain. For example...
session_set_cookie_params(10000, "/", ".main.com");
That will set the session timeout at 10,000 seconds for all documents under the site root, and for all subdomains of main.com.
You should call session_set_cookie_params() before you do session_start().

But if user reach domains one.com directly, than one.com can't know if user had login by the right answer mentioned above, seems like must use some extra js, it's jsonP! we let account.main.com/userLoginStat.php?callback=loginThisDomain to check if user had login main.com, if so, the js callback function loginThisDomain do some thing to autologin user to one.com.

Categories