Loggin a user across different domains - php

two years ago I had to design a system to share authentication data across multiple domains, all of them shared the same server/db. I was able to pull this off with a complex system of cookie sharing which, to date still works.
I'm now in the process of redesigning the system and I was wondering if there are better ways to achieve this without having to write cross domain cookies.
Basically the system MUST do this.
Once logged in one site the user must be logged in all of the other site seamlessly, not only following a link, but even by directly writing the domain name on the address bar.
To my knowledge the only way to achieve this are cross-domain cookies, if there are alternatives please tell me.
Thank you very much

My Idea would be to include a login-Javascript from a third domain which gets includet in all sites. This javascript sets and reads the session-cookie and calls the current domains server via ajax with the result. (No validation should be done in the JS - this simply sets and reads the cookie)
If cross domain AJAX does not work, you can still call the thirds domain server which acts like a proxy and calls the current domains server.

The StackOverflow sites have implemented something similar to this. Check out the details at the following links.
Here is a post giving an outline of how they did it.
And here is even more detail.

For this you do have to use cookies, but you can vary what you store in the cookie. The cookie doesn't have to contain user credentials but can instead contain something more like a token that you use to "centralize" your sessions.
Easies way would be to let all hosts share a single memcached server and use the content of the users cookie as your key.

Related

Recognising visitors between domains

Is it at all possible to retrieve user information that can be used as a unique identifier between domains?
As a quick example of what I am trying to do (not exactly this but the theory is the same) say you had a main website at UK-news.com. You also had three other sites - England-news.com, Scotland-news.com and Wales-news.com, all hosted on the same server.
All 4 sites will share the same database and each would just pull the relevant info out of it. If a user becomes a member of one of the sites, they will also be given the option to become a member of any or all of the others. If a user signs-in to one of the sites he is a member of, and then goes to another how can I get that site to recognise him from the one he signed-in on so he is automatically logged in?
My theory was to store some user information (IP, USER_AGENT, browser, screen resolution, computer name, OS) in the database via PhP and then check against all of those as the user moves between sites. however, even checking against all of these, I am sure it will be possible for two different people to have exactly the same details.
Are there any truly unique identifiers that will guarantee that a person is recognised between domains?
Thanks
Steve
I dont know what is the configuration of your server, but. If one site is under something.domain.com, and another something2.domain.com, and the domains England-news.com and Scotland-news.com are only links to those sites, you can use url overwrite, and cookies sharing over subdomains option in php. But I think that this is not the case. So...
There is no 100% sure user recognition. And this is great, imagine what will happen if there would be. You can NEVER trust user data, and headers data, while sometime you can not even trust $_SERVER array. So there is no option to recognize the same user over few domains.
1) The only answer that is useful is to suggest you to share the user mysql table, and make all the logins and passwords same for each site. IN that case someone can login into another site using the same data.
2) You can try to rely on second hand services like google acount or facebook acount to verify users on your site. But you must remember that there are people without gmail and facebook, and availability of such a site will be reduced.
3) Use a serrvice like forever cookie, or something like that, but this is also not 100% sure. It is using html5 storage, flash objects, and everything to verify if this is the same user. But as far as I know, everything can be ommited, if you are patient enough.
Best regards!

PHP session across multiple domains

I have a webservice (abc.com) for my company with an own user database and it is working just fine. Now my company wants to add some additional services which are located on a completly different server with another domain (xyz.com) but still use the same login data from abc.com because we have complete control over it and there are going to be similar servers like xyz.com so it is out of question to just import the user database on xyz.com.
My first thought was to use my checkuser.php from abc.com while submitting the login form from xyz.com but then I learned that the session cookie stuff is bound to the domain. At least that is how I understood it.
After that I wanted to access my checkuser.php via AJAX and HTTPS and submit the session data encrypted via POST to xyz.com. That failed too as AJAX seems not to work across multiple servers for security reasons.
Now I am out of ideas and dont know how I can securly authenticate out users on the foreign servers using our user database.
I would use single sign on (SSO) in stead of a shared session. That way, you don't make the sites code dependent on each other. If you later decide to change something on one of the sites, there is less reason to worry about breaking functionality on the other sites, and if you choose to link in a new site you are able to reuse the same solution.
What's better is that someone already made it for you, and it may even be more secure that what you'll be able to create yourself.
Wikipedia has some good general knowledge on SSO. Also, look into OAuth and OpenID. Combine these terms with PHP and a search should get you on the right track.
Another option is to simply have the login function on xyz.com connect directly to the database of abc.com to check the login name and password. Then you use xyz.com's database for everything else. Also if you really wanted to you could store the session information in your database on abc.com instead of a temporary file then you can also access that data from xyz.com. Here is an example of how to do this.
I haven't been working with php very long and have not encountered this problem myself, however, I've been hitting the books hard and came across an answer that my help you out.
If you are just trying to access the scripts and DB on server xyz.com, you can literally grab the content of a script using its url or IP address from within a script located on a separate server (abc.com) using the following function:
/* This example allows my example script on server mvc.com
to access the script on oreilly.com */
file_get_contents("http://oreilly.com");
Since you are accessing the code remotely, and I'm taking a shot in the dark here, I think that file_get_contents ( ) would allow you to set variables via $_POST or $_GET methods from the script on server xyz.com and send the values to the script on server abc.com. From there, you could then store these variables inside $_SESSION variables located on a single server, which ever server that handles the original $_SESSION variables and most of the processing.
It could become a quite complex 'game of catch' between the servers if you need to go back and forth frequently, but I think it may be a way around your problem if you can't move the data onto a single server. If you plan the structure of your scripts well this would allow you to store those $_SESSION variables all in a single place.

How to keep PHP session intact when another server is making the request?

I have a secure site with private information that uses https. We have a partnership with another site that provides functionality for our users. We want the header and footer to be the same, but the body functionality to come from their site. I thought I'd create a template file that they can request from our server, which would allow me to keep creative control for whenever our site has changes.
However, the header has account information, so it needs to access the session information for the current user. So number one, is this possible? If a user clicks from my site to theirs and they request the template from our servers, how can it be sure to connect to the correct session? And number two, is this safe? How can I be sure this connection is secure?
Edit: It appears this option is not worth pursuing. I'm going to work on some other ways for the other server to access the information. Thanks.
What you are trying to do in that way is a completely mess.
You should avoid outtputting a page built from different website putted all togheter.
That would become:
Hard to maintain;
Prone to security hole.
If you want the file on your site to be a template, it should be only that. Have the other site add the information to the header after fetching it.
I think for what you are doing, the only option you have to is to redirect any request through your server acting as a proxy to maintain session vars without causing to many security holes.

remote user name

Is it possible to get remote username when I get a referral link without involving any server side code from the referral link?
Do you mean like if I clicked a link to your site on Stack Overflow, you would want to be able to see that my username is "Agent Conundrum"? No, you can't do that without the help of the referring site. The only information you should be able to get is the (permanently misspelled) HTTP_REFERER in the $_SERVER superglobal array, which tells you the page the user came from. Even then, there are ways to block or change this so you shouldn't count on it being set (especially since it wouldn't be set if the user navigated directly to your page via the address bar).
Frankly, I wouldn't want to use a site that leaked personal information (and for some sites, even the username qualifies as personal information), and I wouldn't want to use a site that tries to harvest such leaked information without my knowledge.
Generally, any site where you have a legitimate reason to broadcast this information would have some sort of API built in, like FacebookConnect. Even then, it should be strictly opt-in for the user.
As a general thing: no. The HTTP protocol does not involve the transmission of a remote user name.
Hey, it could help to answer if you would be a little more specific on which kind of service are you trying to fetch the data from.
Large/Public services tend to have somekind of an accessible API that you can fork on your referrer, but other than that its mostly that you need to regexp the site and know the structure of the HTML pretty much.

Cross domain cookie tracking

The company I work for has four domains and I'm trying to set up the cookies, so one cookie can be generated and tracked across all the domains. From reading various posts on here I thought it was possible.
I've set up a sub domain on one site, to serve a cookie and 1*1 pixel image to all four sites.
But I can't get this working on the other sites.
If anyone can clarify that:
Its possible?
If I'm missing something obvious or a link to a good example?
I'm trying to do this server side with PHP.
Thanks
Are you having issues due to Internet Explorer and their Privacy stuff?
Session variables are lost if you use FRAMESET in Internet Explorer 6
Back in my former internet days, when IE6 first came out, we had to implement this because it broke some of our tracking. Its amazing that all you have to do is fake it, and everything works fine.
Your on the right track, we had a domain that hosted the tracking cgi that served the 1x1 transparent pixel and tracked what page a user was visiting. We then had a custom parser that would combine that data with Apache logs and dynamically created a graph of users traffic patterns through our website. This was using dot from the Graphviz package.
This kind of thing is pretty easy if you are just trying to do stats, but if you're actually trying to persist user data across domains you'll have to do something more complicated.
The best way to set a cross-domain cookie is to make sure all your sites are subdomains of one master domain, say initech.com. So one of your site, site1.initech.com, sets the cookie with a domain of ".initech.com" and it works fine.
It could be a problem if your sites are on totally different domains though.
Rather than try to set one cookie that each site can access, what you'll have to do is make sure that each site has its own exact duplicate of the original cookie. So, have your site, site1.com, set the cookie for itself and output three 1x1 gifs, or AJAX calls or whatever, to site2.com, site3.com and site4.com setting the same cookie to the same value.
This will be difficult to do securely and reliably ;)
To make sure somebody can't set arbitrary cookies on your domain, you'll habe to pass through a hash of the cookie value on the image tag. If the cookie to be set is "mycookieval", also pass through md5("mycookieval"."somesecretstring".$_SERVER['REMOTE_ADDR']). This is potentially bad because it might allow an attacker to set the same cookie to the same IP address, or possibly to brute-force the hash generation.
You could compensate for this by inserting a record into a backend database whenever you set the cookie, and having the other three sites check against it for validity.
This question's pretty cold, but in case anyone else stumbling on it, or the OP still has need, I've created an NPM module, which allows you to share locally-stored data across domains. It looks like this would exactly address the OP's need here, and it doesn't require all sites share a base domain.
https://www.npmjs.com/package/cookie-toss
By using an iframe hosted on Domain A, you can store all of your user data on Domain A, and reference that data by posting requests to the Domain A iframe.
Thus, Domains B, C, etc. can inject the iframe and post requests to it to store and access the desired data. Domain A becomes the hub for all shared data.
With a domain whitelist inside of Domain A, you can ensure only your dependent sites can access the data on Domain A.
The trick is to have the code inside of the iframe on Domain A which is able to recognize which data is being requested. The README in the above NPM module goes more in depth into the procedure.
Hope this helps!

Categories