I have a question. Let's say I am on website domain1.com and I click on a link on domain1.com that brings me to domain2.com. But I want to use the same session_id() that was set with session_start() in domain1.com on domain2.com. How do I accomplish this in PHP?
Thank you.
As the session_id() itself doesn't contain any data, there are a couple of things to consider:
If the session is set in a cookie, you can't transfer it (unless to a subdomain); make sure you transfer it via GET.
In order to have the data associated with the SESSION synced across the servers, you have to share the file system (e.g. via GlusterFS), at least for the path where the SESSIONS are saved (e.g. /tmp/php).
If you save objects in the SESSION, make sure they are available on both servers.
If both domains are pointing to the same document root on the same server, you only need to take care of the first point.
If you only want to use the session_id() and not the associated data, you can just set the id: session_id('yourSessionIdFromDomain1')
Maybe you can use a MySQL database which you can access from both sites...
Like:
Table _sessions -> Fields('access_token','session_vars')
In session_vars you can save $_SESSION each time a site loads.
access_token should be a unique string which is generated when the user comes to the website for the first time.
This is very dangerous!! 11 :-)
This might be a silly question, but I am learning web development and have reached cookies now. I read about cookies and got a basic understanding of cookies and how to create and retrieve them. What I do not understand is:
Do we need to create a cookie for each webpage? For example, in my website I have 5 pages, so should I place the cookie only in the index page and set the path "/" and it will work for all the pages?
To store the information retrieved via cookie for further analysis, should I create a database to store each cookie's data?
Do we need to create a cookie for each webpage? For example, in my website I have 5 pages, so should I place the cookie only in the index page and set the path "/" and it will work for all the pages?
No need to create multiple cookies. You can access the same cookie across your webpages if you set it at the root.
To store the information retrieved via cookie for further analysis, should I create a database to store each cookie's data?
Why? It will be stored on the user's machine. And why do you want to store it in a database? All the user's information will be available in your same database.
The path variable on a cookie simply marks access.
Your assumption about only setting the / is correct if you want that cookie visible throughout all your pages.
If you want to restrict access to that cookie, say to an admin page, then setting the path to /admin would be fine here.
Building a web application that is 90% API-based, meaning it will be hosted on the client's website (eg clientdomain.com). When API calls are made, we are creating and storing a session ID on the client's domain, and we store all the stats on their activity while a visitor browses their site.
But there's one part of our application that is hosted on our servers, because it has to be secure (eg client.ourdomain.com). Visitors will click a link from the client's website to ours.
What's the best way to somehow tell the application on our domain that this is an active session with session id XXXXXXX? I've thought of a few options:
Check sessions table for IP and timestamp within a certain range. Obviously this would not be a good option because some large groups and organizations use the same IP.
Pass the session ID as a GET variable, downside is these links may be shared or saved for later use.
Pass as POST var using a form button
Use some kind of redirect variable dynamically created that is only good for a small time frame (i.e. 10 or 30 minutes) and then deleted
Am I missing a possible solution?
Our ultimate goal is to track a visitor through goal completion so we can show conversion rate, bounce rate, etc. To do that we absolutely have to match up a visitor from clientdomain.com to client.ourdomain.com.
Thanks in advance!
Your first option is the answer: SessionID + IP = Unique.
User A and User B may have the same IP but their session id is different.
Fifth: go to redirect-to-secure.php:
header('Location: http://client.ourdomain.com/?clientSession=' . session_id());
exit; // stop the script once the redirect has been sent
On client.ourdomain.com, if you detect the clientSession GET param, save it to the session and redirect to the page without clientSession. This way the browser won't remember this URL.
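The redirect above carries the raw session id in the URL, which is the downside the question lists for its second option (the link can be shared or saved). The question's fourth option removes that: hand over a short-lived, single-use token instead, and let the receiving site look up the session behind it. The following is an added example, not code from the answer or the asker's application. It assumes both sites share one database (table and column names, DSN and credentials are assumptions), stores only a hash of the token so a read of the table does not yield live tokens, and deletes the row on first use so a replayed or bookmarked link fails.

```php
<?php
// Added example: session handoff from clientdomain.com to client.ourdomain.com
// via a 10-minute, single-use token rather than the session id itself.
// Assumed schema (not from the page):
//   CREATE TABLE handoff_tokens (
//     token_hash        CHAR(64) PRIMARY KEY,
//     client_session_id VARCHAR(128) NOT NULL,
//     expires_at        INT UNSIGNED NOT NULL
//   );

const HANDOFF_TTL_SECONDS = 600; // the 10-minute window the question mentions

function pdo(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=db.internal;dbname=app', 'app', 'secret', [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    }
    return $pdo;
}

// --- clientdomain.com/redirect-to-secure.php ---
function issueHandoffAndRedirect(): void
{
    session_start();
    $token = bin2hex(random_bytes(32));           // 256 random bits, unguessable
    $stmt = pdo()->prepare(
        'INSERT INTO handoff_tokens (token_hash, client_session_id, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), session_id(), time() + HANDOFF_TTL_SECONDS]);

    header('Location: https://client.ourdomain.com/land.php?handoff=' . $token, true, 303);
    exit;
}

// --- client.ourdomain.com/land.php ---
function consumeHandoffAndRedirect(): void
{
    session_start();
    $token = $_GET['handoff'] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        http_response_code(400);
        exit('missing or malformed handoff token');
    }
    $tokenHash = hash('sha256', $token);

    $db = pdo();
    $db->beginTransaction();
    $stmt = $db->prepare(
        'SELECT client_session_id FROM handoff_tokens
          WHERE token_hash = ? AND expires_at > ? FOR UPDATE'
    );
    $stmt->execute([$tokenHash, time()]);
    $clientSessionId = $stmt->fetchColumn();

    // Single use: the row goes away whether or not it was valid, and expired
    // rows are swept at the same time so the table does not grow unbounded.
    $db->prepare('DELETE FROM handoff_tokens WHERE token_hash = ? OR expires_at <= ?')
       ->execute([$tokenHash, time()]);
    $db->commit();

    if ($clientSessionId === false) {
        http_response_code(403);
        exit('handoff token expired or already used');
    }

    // Fresh id for our own session before it becomes linked to a client visit.
    session_regenerate_id(true);
    $_SESSION['client_session_id'] = $clientSessionId;

    // Redirect to a URL without the token, as the answer describes, so the
    // browser's history and bookmarks never contain anything reusable.
    header('Location: https://client.ourdomain.com/', true, 303);
    exit;
}
```

Matching visitors then works off $_SESSION['client_session_id'] on client.ourdomain.com, which is all the conversion tracking needs; the client site's session id itself is never exposed in a URL.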
I have two different projects on my XAMPP, say Project1 and Project2.
When I log in with Project1, I check authentication and if it is successful then store the session. The session name is $_SESSION['username'].
The above process is the same with Project2.
Now, to prevent direct access, I use this code (in both projects):
session_start();
if (empty($_SESSION['username'])) {
    header("Location: index.php");
    exit; // stop executing the protected page after sending the redirect
}
So when I log in with Project1, I can also access Project2 (without login).
To prevent this, I know that if I create different session names for both projects then it is solved.
The above thing is on my local server, so I can create different session names for all my projects.
But suppose my site is online; what happens if my session name matches a different site's?
There are millions of websites and there is a possibility that my session name matches another website's session name. Then it might happen that some user accesses my website with another website (in the same browser) and he might access my site without login.
So what happens if the session is the same for two different websites? Can a user access my website without login?
If yes, then what should I do to prevent it?
Thanks in advance.
UPDATE
According to #Let me see's answer there is a possibility that if two sites are running on the same server then they may share the data.
So suppose the server is sharing; then what should I do to prevent it?
Sessions are (usually) stored using cookies, and cookies are domain-specific. So, it doesn't matter if google.com or evilhackerdomain.ru uses the same session name as your app; your cookies are only readable/usable by the domains you specify. Even in the unusual scenario that sessions are managed in some other way, it will be domain-specific.
So suppose the server is sharing then what should I do to prevent it?
To answer your follow-up question: you can simply name your session on a specific website using session_name() before your session_start().
session_name('PROJECT1');
session_start();
This one-liner should do it.
Normally the session ID is stored in a cookie; it is related to the hostname and can be shared by multiple hostnames having the same domain. And as is obvious, sessions are stored on the server. So there is a possibility that if two sites are running on the same server then they may share the data. Therefore you should always change the path for storing the sessions on the server for every different website.
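The two answers above each cover one half of the isolation: a distinct cookie name (session_name) stops the browser from presenting Project1's id to Project2, and a distinct save path stops Project2 from reading Project1's session file even if it somehow received the id. The following is an added example, not code from either answer, of a Project1 bootstrap that does both, scopes the cookie to the project's own path, and refuses ids the server did not issue. The directory and URL path are assumptions.

```php
<?php
// Added example: per-project session isolation for two PHP applications on
// one server. Use 'PROJECT2' and '/project2/' in the other project.
$project  = 'PROJECT1';
$savePath = '/var/lib/php/sessions/' . strtolower($project);   // assumed location

if (!is_dir($savePath) && !mkdir($savePath, 0700, true) && !is_dir($savePath)) {
    throw new RuntimeException("cannot create session directory $savePath");
}

// 1. Distinct cookie name: the browser keeps PROJECT1 and PROJECT2 ids apart.
session_name($project);

// 2. Distinct storage: each project's session files live in their own directory,
//    so a PROJECT1 id presented to PROJECT2 finds no data there.
session_save_path($savePath);

// 3. Cookie scope: only sent under this project's URL path, never to scripts,
//    and only over HTTPS.
session_set_cookie_params([
    'path'     => '/project1/',
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

// 4. Strict mode: an id the server never generated is discarded, not adopted.
ini_set('session.use_strict_mode', '1');

session_start();

// The access check from the question, with exit so the protected page
// does not keep rendering after the redirect header.
if (empty($_SESSION['username'])) {
    header('Location: index.php');
    exit;
}
```

With both in place, a login on Project1 leaves Project2 with neither a cookie it recognises nor a file it can read, which is the local-server symptom the question describes; a same-named cookie from an unrelated domain is never sent to yours at all, per the answer before these.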
PHP sessions are stored on the server. So there won't be any clash between the same session names when you go live. Remember, you still have the option to store your session in a database, which helps you with more security.
Nothing will happen, because the other site uses its own database (with its own session and user tables). It would only matter if two sites share the same database, same tables and same session handling.
Users cannot access without logging in because of the following reasons:
The session data is stored on the server. If two applications are running on the same server and the same domain name, then there is a possibility for them to share session data. Otherwise there are no conflicts with session values if the domains are different.
I think if we use a security algorithm like MD5 to encrypt the session which you'll be using to login, that will work without problem. For example:
$name_session = 'username';
// Three nested MD5 hashes of the key name (the original line was missing a closing
// parenthesis). This only obscures the $_SESSION key; the stored value is unchanged.
$name_session = md5(md5(md5($name_session)));
$_SESSION[$name_session] = "username_logged";
I have created a mobile version of a site. It uses the CodeIgniter session to store some data. This seemed okay on BlackBerry a few weeks ago, but now it is creating multiple sessions on every page and therefore it can't access the session where the data is saved. This works fine on the desktop and iPhone. The cookies are being saved to the BlackBerry. I've set it up so that it uses the database to save the data.
On every page it checks whether the phone is touch screen to show the page differently. There is also some other data. It's all being saved, but into many sessions.
It's on a subdomain - m.domain.com so I'm wondering if the domain name for the cookie might need to be set differently.
EDIT:
I managed to sort it out by saving the session id in a different cookie and then calling that in a query to get the info. Thank you to the person who replied.
Do you pass your session id on every link and every form? If not, and the client doesn't accept cookies, the session will be lost on every new page load - exactly what you're describing.
EDIT: to correct that, take a look at the documentation (Passing the Session ID) - just add the SID constant to all your links and forms; it will automatically be empty if the browser accepts cookies, so the URL isn't that ugly for those clients.
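The following is an added example, not the answerer's code, of a page that carries the session id in its links and forms as the answer describes, using PHP's real SID constant and session_name()/session_id(). SID expands to "name=id" only when the request arrived without a session cookie, so cookie-capable clients still get clean URLs. The page data and URLs are constructed for the example. Note that PHP's default session.use_only_cookies=1 ignores an id arriving in the URL, so that setting has to be relaxed for URL passing to work at all, and it is the setting that otherwise prevents an id planted in a link from being adopted; use_strict_mode keeps the server from accepting ids it never issued.

```php
<?php
// Added example: propagating the session id by URL and hidden field for
// clients that reject cookies (e.g. the BlackBerry case in the question).
ini_set('session.use_only_cookies', '0');   // required for URL-carried ids
ini_set('session.use_strict_mode', '1');    // but only ids PHP itself generated
session_start();

$_SESSION['touch'] = $_SESSION['touch'] ?? false;   // constructed example data

function sessionLink(string $url): string
{
    // SID is "" when the client sent the cookie, so nothing is appended then.
    if (SID === '') {
        return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    }
    $sep = str_contains($url, '?') ? '&' : '?';
    return htmlspecialchars($url . $sep . SID, ENT_QUOTES, 'UTF-8');
}

function sessionFormField(): string
{
    // Forms carry the id as a hidden field named after the session cookie.
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        htmlspecialchars(session_name(), ENT_QUOTES, 'UTF-8'),
        htmlspecialchars(session_id(), ENT_QUOTES, 'UTF-8')
    );
}
?>
<a href="<?= sessionLink('/m/page2.php') ?>">Next page</a>
<form method="post" action="<?= sessionLink('/m/save.php') ?>">
    <?= sessionFormField() ?>
    <button type="submit">Save</button>
</form>
```

Every link and form on the mobile pages has to go through helpers like these; one plain link is enough to drop the id and start the fresh-session-per-page behaviour the question reports.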
I mean you can log in to both https://mail.google.com/ and https://mail.google.com/a/company.com at the same time.
The projects I've worked on so far haven't involved this kind of logic; how can these two URLs under the same domain use different $_SESSION?
I think there is no inbuilt session management feature in PHP for this.
You can use variable-specific management in the session.
For example:
One user logs in from https://mail.google.com/; then store all their session data in $_SESSION['gmail'][X], $_SESSION['gmail'][Y], $_SESSION['gmail'][Z].
And then when another user logs in from https://mail.google.com/a/company.com, store all their session data in $_SESSION['company'][X], $_SESSION['company'][Y], $_SESSION['company'][Z].
So by this you can separate those two sessions from each other.
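The following is an added example, not code from Maulik Vora's answer, of the namespacing that answer describes: one cookie and one $_SESSION, but each URL "realm" owns a separate slice, so a login under /a/company.com does not count as a login at /. The realm detection from the request path, the slice layout and the function names are assumptions made for the example.

```php
<?php
// Added example: per-realm slices inside one PHP session. The realm is derived
// from the request path: /a/<company>/... -> "a:<company>", anything else -> "default".

function currentRealm(): string
{
    $path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?? '/';
    if (preg_match('#^/a/([^/]+)#', $path, $m)) {
        return 'a:' . $m[1];
    }
    return 'default';
}

// Returns a reference to this realm's slice of $_SESSION, creating it if needed.
function &realmSession(): array
{
    $realm = currentRealm();
    if (!isset($_SESSION['realms'][$realm]) || !is_array($_SESSION['realms'][$realm])) {
        $_SESSION['realms'][$realm] = [];
    }
    return $_SESSION['realms'][$realm];
}

function loginRealmUser(string $username): void
{
    // One cookie serves all realms, so the id is rotated on any privilege change.
    session_regenerate_id(true);
    $slice = &realmSession();
    $slice['username']     = $username;
    $slice['logged_in_at'] = time();
}

function realmUser(): ?string
{
    $slice = &realmSession();
    return $slice['username'] ?? null;
}

function logoutRealm(): void
{
    // Only this realm's slice is cleared; the other realm stays logged in.
    unset($_SESSION['realms'][currentRealm()]);
}

session_start();

// On /a/company.com/login.php after a successful password check:
//   loginRealmUser('alice');
// On any protected page, in either realm:
//   if (realmUser() === null) { header('Location: login.php'); exit; }
```

The cost of this approach is that both realms still share one session id, so a logout that should end everything has to call session_destroy() rather than logoutRealm(). The alternative mentioned in the other answers, a separate cookie per path via session_set_cookie_params(['path' => '/a/company.com/']), gives each realm its own id instead.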
Those two URLs share the same domain. Only the subfolders are different. Usually with PHP, the cookie which saves the session id is valid for the whole domain and not only a specific subfolder. So there should be no problem using the session data with the same domain.
Maulik Vora's answer will work, but another way to do it is to configure PHP to use URL-based session ID passing. That way every tab or window has a separate session. See this page for information on how to do it, and why you may or may not want to. Here are the docs for it.