How do I pass PHP session data from one Apache virtual host to another? I am currently running Apache 2.2.17 and PHP 5.3.3 and I've set up one host to manage a single sign-on application and I need to pass this to two other virtual hosts that are running separate applications. This is something I intend to develop further, but for now passing session data would be the easiest.
Currently this code creates the first session in the SSO subdomain auth.domain.com and then passes the user back to the application interface app.domain.com (has been trimmed):
$user = new User;
$user->set_user_session();
Header("Location: $redirectURL");
exit;
The server is entirely managed privately so multi-user security isn't a worry. However, if anyone sees any security issues beyond that please let me know. If you know of a better methodology please share and I will research it further. I appreciate the help.
As far as I'm aware, PHP sessions are not (by default) virtual-host aware: you would need to pass the session ID as part of the redirect and then set it in the other virtual host. So something like:
$sessionid = session_id();
Header("Location: $redirectURL?session=$sessionid");
exit;
And then in the target of the redirect:
session_id($_GET['session']);
session_start();
Try that and let me know how it works.
Shared Sessions
If you are talking about subdomains (not specified) you may be able to set the cookie domain to just the domain so that the session ID is passed as a cookie between them
session_set_cookie_params(0, '', '.domain.com');
so, my.domain.com and your.domain.com both would get the cookie for .domain.com
With either option in place you could use a shared database or redis storage for shared session management. (share data between servers via Session storage)
As long the session storage configs are the same for all VMS.
Same Server
VMs on the same physical machine
session storage in files or memory will be shared via session IDs
MySQL Examples
https://github.com/sprain/PHP-MySQL-Session-Handler
https://github.com/dominicklee/PHP-MySQL-Sessions
Redis Examples
https://github.com/1ma/RedisSessionHandler
https://github.com/dostoevskylabs/slimphp-session-redis-middleware
Related
I am running a website on AWS with a domain name registered on Godaddy. The Godaddy domain mydomainname.com points to the IP of my AWS EC2 instance, which has public DNS ec2-x-xx-xxx-xxx.compute-1.amazonaws.com.
I am using PHP for the server side code and running into a problem with sessions. I set the $_SESSION variable when a user logs in, but the only problem is that if I log in at mydomainname.com the session is only set here and if I log in at ec2-x-xx-xxx-xxx.compute-1.amazonaws.com, the session is only set there. How can I get the sessions to coordinate across both of the sites, when they should be one-in-the-same?
I am a beginner at web dev, so please be kind :)
No one (other than you, and even then not for normal usage, just internal use and debugging) should be using ec2-x-xx-xxx-xxx.compute-1.amazonaws.com. Point mydomainname.com at it via DNS (using a CNAME, or Route53's ALIAS record) and have your users use the real domain name.
This won't work. Sessions require cookies on the clients browser which are sent with each request. This is the usual way that the server identifies which session relates to which incoming request.
The browser will only (almost only) send cookies back to the domain that issued them. This means that when the session sets a cookie from 'ec2-x-xx-xxx-xxx.compute-1.amazonaws.com', the browser will not send that cookie to 'my-domain.com' or any other domain.
There are a few exceptions and workarounds to this rule, Single Sign on being one example of transferring some state information between domain names.
If you are concerned about users accessing your website with multiple domains, then an solution is to configure the web server to redirect any requests for alternative hosts to the primary host name you wish to use on the server.
Background : I am creating a website (in the typical LAMP environment) that connects to a database via a PHP/XML based API on a different domain (but on the same server). The reason for this is that I do not want to have database connection details sitting on the domain I am working on. In order for this to work I've enabled "allow-url-fopen" setting for that domain.
My question is, since this is the only way I know how to do this, does anyone know a better i.e. safer and more secure method of achieivng this result?
If both the domains reside on the same server you do not need to use HTTP to get connected to MySQL, you can still login to your MySQL server locally providing the right credentials for your domain where the connection information is stored.
But it does not really serve a great security purpose, as if your connection details reside even on the same domain it is not a security loop hole as your PHP pages will not be server in any raw form as long as your webserver is configured to use PHP fine. You can and probably should keep them on same domain. In fact having a publically accessible API for database connection is a bigger loophole
I am using CodeIgniter. When I register a user from my browser, it stores the user in a session. The problem is, I sometimes log in from a 64bit machine and then I don't get the user details after registration. This only occurs on 64 bit machines.
According to my knowledge, sessions are server side so it should not cause errors from some machines.
So, I think it is an error when setting cookies. Are there any problems when setting cookies on 64 bit machines?
And I am using a firewall. Can a firewall block cookies and cause some problems?
A firewall shouldn't block a cookie. But, the internet settings for your 64bit machine might have something to do with blocking cookies. Check these.
As #Cez has pointed out, a software firewall could block a cookie. If you can clarify that you are using a software firewall, like Zonealarm, then I'd check these settings as well.
Yes, a firewall can block cookies, especially firewalls that run on your machine. Your browser privacy settings can also block cookies.
I'd use Fiddler or similar to inspect the web traffic and see if the cookies are being set.
CI sessions store the whole data in the cookie. This can create very large cookies.
It is possible that your firewall blocks this cookie. Since the problem only occurs sometimes it might depend on the content of the cookie.
We have a local web server in our office that we use for some reporting and mundane order processing -- nothing major. I recently added some quick code to add a cookie to certain workstations so the user doesn't have log in all the time. The problem I am running in to is that since the server itself acts as an additional workstation, people can access it from http://127.0.0.1, http://localhost or http://192.168.1.111. This ends up creating three distinct cookie domains. Is there any way to configure the server to force one or the other? Or is my only option to move all bookmarks to point to the actual IP address and warn people not to use 127.0.0.1/localhost?
The server is running Apache 2.2 on Windows.
You could check the $_SERVER['HTTP_HOST'] and redirect the browser if a visitor hasn't gone in via the correct hostname.
if('servername' != $_SERVER['HTTP_HOST']) {
Location('http://servername/');
}
If you're running an internal DNS server, you can configure a host/domain name for the server without having to register it - since it's for internal use only, you don't need to expose the name to the rest of the world.
Even without a DNS server, you can add an entry to each machine's hosts file to do the name->ip mapping.
Configure your site to use that name, tell everyone to use that instead, and then the cookies will take care of themselves, since they'll all be set using that host/domain name. You can then add vhosts for the IP-only hits and redirect them to the new named address.
Typically cookies are set to domain names, not ip address. When using a domain name you can use a wildcard setting
.apple.com
Then any variation of that domain will accept the cookies.
I have a local and remote version of a CMS I've built on top of a PHP framework - in the local version of the site, my authentication session works absolutely fine when I check it from a couple of 3rd party modules integrated into the site, however, in the remote site the session is always destroyed whenever I try to check it from any of these modules, which breaks my authentication handling. The code is identical, so I'm guessing that this isn't anything to do with the framework, more to do with the server environment.
The session config in php.ini is the same for both my local and remote servers. My local version of PHP is 5.3, while the remote version is 5.2.9, but I don't think that would be affecting this issue.
Has anyone any ideas what this could potentially be related to?
Can the web server write to wherever session data is configured to be stored? (usually the /tmp directory, but could be set to a different location in the php.ini file). Is the browser accepting the session cookie?