we are solving the problem with eshop (php, mysql). The client want to have the same eshop on two domains with shared shopping cart. In the shop customer can do the shopping without users account (can't be logged in). And there is the problem, how to make the shared shopping cart cross domain.
The data from cart is stored in sessions, which we stored in database too. But we can't solve the problem in carrying data over domains. Identifying unlogged user is not holeproof (research).
The example, how it should work
Customer goes to domainOne and add some things to the cart. Than he goes to domainTwo (by link, typing domain address, however) and add some other things to the cart. In the cart he has things from both domains (after refreshing page).
Do you have any idea, how to solve this problem?
What didn't work:
redirecting is not possible due to customer requirments
cookies are related to domain
set_cookie with the other domain didn't work
the simpliest way is to carry over only the sessionid (stored in cookies) but we don't know, how to wholeproof identify unlogged users.
is there any other place, where data can be stored on client side except cookies? (probably not)
we can't use sending sessionid by params in url (if user click to link to the other domain) or resolving the header referer, bcs we don't know, how user can achieve the other domain.
If you can't understand me, take me a question. If you think, that having eshop on two domains with shared (common) cart is bad idea, don't tell me, we know it.
Thanks for each answer.
You can use a third domain to identify your customers over all domains.
Use for example a PHP File on http://thirdDomain.com/session.php that is included on all pages on both shops.
Sample:
<script type="text/javascript" src="http://thirdDomain.com/session.php"></script>
After your customer switches domains, you can identify him as the same customer using the third domain.
You can assign the session id on both shops to the session id on the third domain to access the cart on both shops. You only need to inform the third domain about your shop sessions (i.e. add them as parameter).
Depending on how flexible you are with your code and templates, you can even use an output from the third domain to define the session id in your shops. This way you can use the same session id on all domains.
But normally a session id assignment should be the more secure way.
Using the javascript version you can also output scripts that may add a session id to all outgoing links and forms to the other domain in the current html page. This might be interesting if you can identify your customer as having cookies blocked.
You can also use the javascript to inform the parent document about an existing session.
This keeps getting asked.
Have a search for SSO.
You need to pass the session id in the URL (or vai a POST) across the domains, then:
1) check the session does not already exist on the target domain
2) rebind the session using the session id sent
e.g.
if ((!$_COOKIE[session_name()]) && $_GET['passed_id']) {
if (check_session_exists($_GET['passed_id'])) {
session_id($_GET['passed_id']);
}
}
session_start();
...
function check_session_exists($id)
{
$path=session_save_path() . $id;
if (file_exists($path) && (time()-filemtime($path)<session_cache_expire())) {
return true;
}
return false;
}
This also means you need to add '?passed_id=' . urlencode(session_id()) to any URL pointing to the other domain.
C.
The schema is quite simple and widely used. By google for it's numerous services for example. You have a whole picture by tracking down HTTP interchange between your browser and various google services to get the idea.
Suppose we have our client authorized for the 1st domain. By getting to the second, we have to:
start a session and store some token in it.
ask browser to request 1st domain somehow and send this token along.
1st domain will recognize our client and make a connection in the shared database between this token and user id.
By requesting second domain again, we will have it authorized for it's already started session.
The only question remains is how to request 1st domain. It can be a picture, or JS request or entire page redirect. Certain choice is up to you.
You can use Flash LSO's for this matter i think. Normally LSO's are stored in their domain specific sandboxes, but if two domain objects allow, they can communicate as stated in the "cross-movie communication" section in http://download.macromedia.com/pub/flash/whitepapers/security.pdf.
For general info about LSO's:
http://www.adobe.com/products/flashplayer/articles/lso/
SSO.
CartA has iframe that 1) checks if the user is "active" (has session) 2) creates anon session
CartB has iframe that do 1) or 2)
iframe loads from SSO domain (any domain you can have)
SSO solution: build yours or use others - like simplesamlphp or something...
And there should be no need to pass sessions/params with URIs...
You can store data in other places than cookies (e.g. Flash cookies, localStorage) but all use same origin policy, which is the standard security model of the web: data stored by a domain can only be accessed by that domain and its subdomains. The standard workaround is to embed an iframe from the foreign domain into the page. That iframe will have access to the cookies of the foreign domain, and its url will be controlled by the local domain, which allows for communication.
A simple solution based on that is to have a table of (domainA sessionid, domainB sessionid) pairs. When a new user arrives to domainA, (new sessionid, NULL) is added to the table; the page shown to him includes an invisible iframe with source = http://domainB/mergeSessions.php?sessionA=1234. mergeSessions.php will then receive sessionA as an URL parameter and sessionB as a cookie, and update the session link table accordingly.
You could attempt to identify your visitors by IP, browser type, browser version, OS, screen resolution, and whatever else you come up with. That you store in the shared database when someone accesses either site.
If, within a small time window, say < 5 min, requests from that IP with those parameters comes, you can reasonably assume that it's the same user. Again, make sure you use everything you can find find to identify that user and by no means base anything secure on this or you will be subject to hijacking.
What about something like this, not sure how good it would be though.
User goes to store1. If user does not have a session cookie, redirect to a special page on store2 asking for the session id and sending the url on store1 to return to. The special page looks at the session cookie and redirects back to the original url on store1 with the session id (like the answer by #symcbean). Then on store1, the session cookie gets set(or created new) and no more redirecting happens. And then the same but oposite if the user is on store2 with no session cookie.
But if the user does not have cookies enabled, I can see an infinite loop happening. Not sure if it would be possible to detect and stop somehow.
But this way would be hacky at best.
1) Obviously, use the same session-store for both domains (files, database, memcached, the usual suspects.
2) If after session_start() the $_SESSION is empty, create an 'all domains' array in the session (do this on every domain, regardless which one it is, ).
$_SESSION['all_domains'] = array(
'domain1.com' => true, //<= current domain the customer is on,
'domain2.com' => false, //other domain, no cookie for it yet.
'domain2.com' => false); //repeat for all domains needed
3) Create a session-setter script on all domains (let's call it 'sesset.php':
<?php
if(isset($_GET['sessid']){
session_id($_GET['sessid']);
session_start();
//also, check here for the domains:
if(!isset($_SESSION['all_domains'])){
//set the array as before, flag this domain as true.
} else {
$_SESSION['all_domains'][$_SERVER['HTTP_HOST']] = true;
//you might want to set a custom domainname instead of HTTP_HOST, so you won't get doubles from domain with & without www. and so on.
}
}
?>
4) On every conceivable php HTML page, put this somewhere near the end of the body:
<?php
foreach($_SESSION['all_domains'] as $domain => $domainset){
if(!$domainset){
echo '<img src="http://'.$domain.'/sesset.php?sessid='.session_id().' width="1" height="1"/>';
}
}
?>
Not fullproof, but will get almost all users. Ofcourse, one could do it with a redirect cascade instead of 'hidden images', but searchbots (google et al.) very much get confused about it, especially if they don't remember the cookie and are stuck being redirected again & again.
easyXDM is a framework that allows the user to easily work around the Same Origin Policy.
Its built-in RPC feature is very easy to use, and you should be up in running in no-time.
For your case, select one of the domains to be the 'checkout'-domain (A) - this is the domain that will keep the session stored. On the same domain you create a small file with an easyXDM endpoint that is responsible for storing/retrieving the data sent from the other domain (B).
Now, in domain B, you include easyXDM and when storing/retrieving data from the cart, you access the RPC methods instead.
Option 1 Use Iframes:
Site 1 has an Iframe of site 2
Site 2 has an Iframe of site 1
When a user selects an item from site one, set the iframe value to a dynamic string ie domain2.com/iframe.php?itemid=someitem.
Have domain2 grab the $_GET information with PHP from the iframe and update the user's cookie.
Do the same in the other direction.
Option 2: Javascript includes
You can do something similar with cross-site included JS files generated by PHP to "pull" the contents of the user's cookie to the other site.
Option 3: Curl
Just post the data from one domain to the other, so both have a copy. This is the least secure method since there is no guarantee that the IP address or other identifying data can't be duplicated. Though, you can have some "question" or pass phrase to ensure it is the same person. Possibly by setting an email address?
Option 4: Third-party cookies
I think this one was already mentioned, but you can set the cookies from a third domain, so both sites functionally exactly the same rather than "toggling" back and forth between the two.
Related
I have a few domains all on the same server, with the same IP and the same databases - that can be accessed by all 5 of the domains.
I have recently remade my login system, so that on my main domain, the cookie works for not only the main domain but the sub domains as well. What this means is that if a user logs into one area, they are signed in everywhere. Which is great! I write a cookie with their hash (taken from the DB) and check for that when loading each page, and they are automatically securely signed in.
This is lovely, but the problem then comes when switching domains, as cookies seem to be locked down to domains. So my other domain (lets call it domain2.com) cannot read the cookie from domain1.com.
Are there any clever ways around this? I could write something to the database, such as IP, but that wouldnt be very secure as the company i work for everyone is on the same IP and therefore it wouldnt be specific.
Or I thought about maybe including a hidden iframe on the page, which actually links to a page on the main server, and pulls the information that way somehow.
I am not sure, but I am sure it can be done. Any ideas?
Browsers, for good reasons, do not allow cookies to be read from any other domain.
What you can do is have domain2.com redirect to a page on domain1.com which checks if the user is logged in and if they are it redirects back to domain2.com with the user's id which can then log them in.
You should not depending on original PHP session functions Collections.
Here is what I have done :
After login success , Server side should return a "session ID" to the browser and store by JavaScript or some how, mean while the "session ID" should be store in database as a successful signal and you do a login time next to the session ID if you needed.
Now you can share the session ID in any IP server you want and make your client connect to(some trick like you redirect to the new domain and post the SID) then establish a PHP session.
Building a web application that is 90% API-based, meaning it will be hosted on the client's website (eg clientdomain.com). When API calls are made, we are creating and storing a session ID on the client's domain, and we store all the stats on their activity while a visitor browses their site.
But there's one part of our application that is hosted on our servers, because it has to be secure (eg client.ourdomain.com). Visitors will click a link from the client's website to ours.
What's the best way to somehow tell the application on our domain that this is an active session with session id XXXXXXX? I've thought of a few options:
Check sessions table for IP and timestamp within a certain range. Obviously this would not be a good option because some large groups and organizations use the same IP.
Pass the session ID as a GET variable, downside is these links may be shared or saved for later use.
Pass as POST var using a form button
Use some kind of redirect variable dynamically created that is only good for a small time frame (i.e. 10 or 30 minutes) and then deleted
Am I missing a possible solution?
Our ultimate goal is to track a visitor through goal completion so we can show conversion rate, bounce rate, etc. To do that we absolutely have to match up a visitor from clientdomain.com to client.ourdomain.com.
Thanks in advance!
Your first option is the answer, SessionID + IP = Unique.
User A and User B may have the same IP but their session id is different.
Fifth:
go
redirect-to-secure.php:
header('Location: http://client.ourdomain.com/?clientSession=' . session_id());
On client.ourdomain.com, if you detect clientSession GET param, save it to session and redirect to page without clientSession. This way browser won't remember this url.
I am trying to write a php page that will load several different websites in different iframes. Several of those sites will need the user to login. What I need to do is basically allow the user to only type in the username and password once and then populate all the other forms (that are basically using the same user-pass pair for logging in)
Now i know that since those are external sites you don't have access to the DOM and XSS is not allowed and all, but i was wondering if theres actually any other way to achieve that.
Somebody actually suggested me to simulate keypresses and have a javascript that will basically go from field to field and essentially type in the username and pass but after doing some research I dont think thats possible since you can only simulate the event and not the actual keypress so...any other suggestions?
NOTE: I have also checked this but agreeing with the other sites/domains is not an option in my case!
Thanks -- Mike
that depends.
if those sites share a domain (the parent window and iframes), then it's possible for the top window to communicate with the child iframes. AJAX prevents cross domain (that includes inter subdomains) but iframes can communicate as long as they belong to the same top domain.
see https://stackoverflow.com/a/9338955/575527 and https://stackoverflow.com/a/9676156/575527
a better approach is to have a "top domain cookie" where that cookie is visible in all those iframes (assuming they are of the same top domain). login once using a single login page, then subsequent requests in the pages will need to check the cookie vs the session if that user is logged in.
or if those pages have different domains but access the same database, then one can just then pass the session id as a url parameter to the iframes rather than as cookies. then the website in the iframes will parse the session id and check in the database if those sessions are valid, are current, and are logged in.
all of which need additional CSRF and XSS checking as session IDs are in the open.
You cannot do what you describe in JavaScript.
However, depending on what you need to do with the data/websites once the user is logged in, you may be able to use a remote POST to simulate that behavior. See this question for more info.
I want to create a cookie from one domain once the user is registered in PHP. and make this cookie accessible to 4 other domains not subdomain. I know that cookies are not designed to be accessible for other domains. For example I have set a cookies variable $user_email from domain www.firstdomain.com and want to access it in other domains like www.seconddomain.com, www.thirddomain.com etc. May be this can be done using PHP or JavaScript. Any idea please.
Thank you!
When searching the cookie list for
valid cookies, a comparison of the
domain attributes of the cookie is
made with the Internet domain name of
the host from which the URL will be
fetched. If there is a tail match,
then the cookie will go through path
matching to see if it should be sent.
"Tail matching" means that domain
attribute is matched against the tail
of the fully qualified domain name of
the host. A domain attribute of
"acme.com" would match host names
"anvil.acme.com" as well as
"shipping.crate.acme.com". Only hosts
within the specified domain can set a
cookie for a domain and domains must
have at least two (2) or three (3)
periods in them to prevent domains of
the form: ".com", ".edu", and "va.us".
Any domain that fails within one of
the seven special top level domains
listed below only require two periods.
Any other domain requires at least
three. The seven special top level
domains are: "COM", "EDU", "NET",
"ORG", "GOV", "MIL", and "INT".
The default value of domain is the
host name of the server which
generated the cookie response.
read up here.
you can load an iframe from a host which then reloads itself with the encoded cookie value in the segment part (after the #).
you can then access the document.location attribute from the parent window (hits the only thing that is accessible). decode it and pass it to your server doing an ajax request.
This could look like so.
xss.php (located on cookies.example.com):
<?php
$data = array(
'uid' => $_COOKIE['uid'],
'loginhash' => $_COOKIE['loginhash']);
header('Location: xss.php#'.urlencode(json_encode($data)));
for this particular case it does not need to be the hashtag! its just convinient for other situations. this can also be done in javascript.
another website embeds xss.php:
<iframe id="cookies" src="http://cookies.example.com/xss.php"></iframe>
you need to somehow delay the following of do it in a loop that stops after 5 seconds or something.
if(document.getElementById('cookies').location != 'http://cookies.example.com/xss.php') {
// read location, extract hashtag, json decode using javscript, there you have your user. send it to server for validation or whatever.
}
this teqnique is called xss recieving. it is for example utilised by facebook for all their javascript connect libraries.
a probably better way would be some sort of token exchanging protocol like openid.
amazon uses this too.
you can set up an openid provider (there are librarys available that can do that out of the box) and set it to auotmatically redirect back without user interaction. i have often seen openid protocol used for some other purposes just like cross domain communication.
As you have already said, a cookie can only be set for a domain from that domain (including its subdomains). And if your domains do not share a common superdomain, you need set each cookie for each domain separately.
You can do this with a script that on each domain that sets the cookie for you. But make sure to authenticate requests to these scripts so that only you can set the cookies.
I had solved exactly same problem (actually also for 4 domains). The only solution I've came up with was, to include 3 hidden iframes on the 'Successful login page' and those iframes just load www.domain1.com/register_session.php, www.domain2.com/register_session.php, etc....
As a parameter for register_session.php I use 'sid' which contains session ID:
session_id($_GET['sid']);
session_start();
This is actually for keeping session alive on all those domains but the same would be for your case with cookies.
I ve done some scripts to handle multi domain cookie :
https://code.google.com/p/mudoco/
if you want to access cookie within different domains so this can be done with the help of javascript trick. As cookie can be accessed within same domain.
Create cookie on user’s browser using JavaScript on your first domain.
Set the name of the window to whatever value of cookie you want to carry to another domain by using window.name.
Step 2 should be performed on every page of the domain which has created the cookie. It could be easily by calling a JavaScript file on all pages.
When you move to another domain, and want to access the above mentioned cookie value, access it by using window.name as window has not changed.
Create new cookie on this domain and assign this value to it.
I have a small problem.
How do I set a cookie for multiple domains?
I do understand the security problems, and I am sure it has been done before. The reason for this is SSO.
ie.
account.domain.com will need to set domain logged in for:
domain.com,
domain1.com,
domain2.com.
Is there any easy way, using PHP and cookies, or any alternatives?
There is absolutely no way for domain.com to set a cookie for domain1.com. What you are attempting to do can only be solved by getting the user's browser to submit requests to each domain which will then set its own cookie.
Then you need a way for each domain to verify the user's identity. There are two approaches to this:
Back channel - the sites contact each other directly to determine if a user is logged in.
Passing a token in the GET or POST - when the user's broweser is redirected to the other site a digitally signed parameter is passed containing the identity and session status.
It's really quite complicated. I suggest you don't roll your own. Take a look at SimpleSAMLPHP for a PHP implementation of what I'm describing.
What you're attempting can't be done. (It's a browser security issue, not a PHP one.)
Other than using some form of off-site authentication, the nearest you can achieve is making a cookie accessible across sub-domains, in which case you just use the optional 'domain' arg of PHP's set_cookie function.
This can be done via one domain acting like a master and others like a slave.
Say we've got a domain accounts.domain.com and it's our master.
Then we've got our slaves domain.com, something.com and another.com
When you'll log on on domain.com, it'll be actually site accounts.domain.com, then you'll get a cookie with unique ID for your browser and then you'll be redirected to domain.com's post-logon landing page (ie. domain.com/logon?check=true&unique-id=<browser unique id>&request-id=<unique request ID>). the landing page will contact the accounts.domain.com, querying it with the browser ID. If the transaction's okay, then you'll get logon cookie from domain.com.
Next, on every domain (domain.com, something.com and another.com) will be initial redirect to accounts.domain.com/roaming-check?return-url=<URL the redirect was initiated from>. Because we're returning home (we're logged already on accounts.domain.com), we'll be redirected again on our landing page (<domain name>.com/logon?check=true&unique-id=<browser unique id>&request-id=<unique request ID>) and from this point it's the same as the part with logging on. We're seamlessly roamed to another domain (without user knowing it as browsers doesn't usually show the redirected page until it passed the headers send(server)/receive(browser) section).
In case there's in fact no active logon, the site will save this "negative logon" to session and not try to check logon anymore (until we try to logon or load another domain).
I think this solution will suit your needs: "Simple Single Sign-On for PHP"