PHP read a cookie that is on another domain - php

I have two domains. One domain contains the login script. It creates a cookie when logged in. Another domain has a URL shortener.
So, the 2nd domain, which has the URL shortener script, has a file called session.php. Usually I was using $_COOKIE['sessionid'] to get the session id and match it using the database.
How can I get the session id now? I have tried a few ways but none of them have solved my problem.

For obvious security reasons, you can't read a cookie that belongs to another domain. You can do it across sub-domains though.
Why not append the session id to the forwarded URL?

Have you considered using an SSO implementation?
http://www.jasig.org/cas
http://en.wikipedia.org/wiki/Single_sign-on
We use it at work, it's awesome! It means we don't have to worry about these types of problems.

Cookies are sent by the browser, and only to the domain the cookies were set for.
There is not much (meaning nothing ;) ) you can do.
But if your domains are two different subdomains (e.g. login.yourdomain.com and shortener.yourdomain.com) you just have to set the domain name accordingly to make the cookie valid for all subdomains.
In this case, it would be .yourdomain.com.
You might want to read the documentation of setcookie().
Maybe it is better if you clearly describe what you want to accomplish. Probably there is another solution that does not involve cookies.

Just set the cookie for the entire domain when setting it from the login page, like this:
setcookie("c", "value", time() + 3600*24, "/");
In this way you can set the cookie for your entire domain.

You can't read a cookie from the other domain.
Though there are several ways to pass a session id. You can search SO for cross-domain authorization.
The easiest way is to pass a session id via query string

You can't. Cookies are bound to a single domain. You can use cookies across multiple subdomains though.

Related

How to set cookie in one domain that is readable by another domain

I have two domains that I want to communicate. I want the first domain to set a cookie in the second domain telling the second domain that the current user is known to the first domain. I understand that I cannot read cookies for another domain, but given that I have access to both, is there a way to accomplish this?
Both domains are implemented in PHP. One is a Drupal site and the other a WordPress site.
The server can't read a cookie for another domain, but you can add a cookie for another domain. When adding cookies, you should add two cookies: first your normal cookie and second one for the other domain. Both values are the same.

Authenticating across different subdomains (but not all)

I have a site set up on www.domain.com, the site can authenticate users and persist their credentials in a cookie.
On occasion the users access handlers that are set up on different servers on a different sub domain, handlers.domain.com.
I can't afford to use wildcard subdomain cookies (Cookies should not be available for other subdomains)
My solution for access control up until now was that every URL used for handlers.domain.com had a guid specific to the user. The handlers on the other site would assume the identity of the guid owner. This of course is not such a good security practice.
I was thinking about an alternative solution: All links to handlers.domain.com will actually be links to a redirector script on www.domain.com that will redirect to an encrypted time stamped URL on handlers.domain.com, which will then know for sure that it was accessed as a direct authenticated redirection from www.domain.com.
This solution will work fine in GET scenarios but will fail with handlers expecting POST data (up to big uploaded files).
Does anyone know or can think of a better solution or have any insight on my solution?
(In this case I am using ASP.NET but the solution will probably be platform agnostic, so I will tag this with various web platforms)
Thanks!
As you do not want to use cookies to establish a session (group of requests) you need to find other ways. As the information of the cookie is passed readable within the HTTP request, I do not see a problem if you for that one particular request pass that information as part of a POST request.
If you prefer a GET request I would additionally add a flag inside the user's server-side session prior to the redirect, so as to give the script that is the destination of the redirect the possibility to verify the validity of the request on the server side.
You said you "can't afford to use wildcard subdomain cookies (Cookies should not be available for other subdomains)". Does that mean you can't afford it monetarily or you don't want the user to have access to all subdomains? If it's the second, you could still use subdomain cookies by putting in an encrypted value with that user's ID and checking it against access permissions on your various subdomains. That keeps everything at the server where it's more secure versus at the URL level. The only way a potential hacker can get past it is to guess another user's ID and figure out your keys for properly encrypting it.
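As an added example (not code from the question or either answer), this is one way to implement the redirector idea above with a signed, time-limited hand-off token instead of a user GUID in the URL: www.domain.com issues the token after authenticating the user, handlers.domain.com verifies the signature, audience, expiry and a nonce, and then opens its own session. No wildcard cookie and no raw session id leaves the issuing host. HANDOFF_SECRET, HANDOFF_TTL, the user id and the host names are assumptions for illustration.

```php
<?php
// Added example: HMAC-signed hand-off token between www.domain.com and
// handlers.domain.com. HANDOFF_SECRET is an assumed shared secret configured
// on both hosts (for instance from an environment variable), not a real value.
declare(strict_types=1);

const HANDOFF_SECRET = 'replace-with-a-long-random-secret'; // assumption: shared by both hosts
const HANDOFF_TTL    = 60;                                   // seconds a token stays valid

// Issued by www.domain.com once the user is authenticated there.
function issue_handoff_token(string $userId, string $target, string $secret = HANDOFF_SECRET): string
{
    $payload = [
        'uid'   => $userId,
        'aud'   => $target,                   // which handler host may accept this token
        'exp'   => time() + HANDOFF_TTL,
        'nonce' => bin2hex(random_bytes(16)), // lets the receiver reject replays
    ];
    $body = rtrim(strtr(base64_encode(json_encode($payload)), '+/', '-_'), '=');
    $mac  = hash_hmac('sha256', $body, $secret);
    return $body . '.' . $mac;
}

// Verified by handlers.domain.com. Returns the claims, or null on any failure.
// $seenNonces stands in for a persistent store (database, cache) of used nonces.
function verify_handoff_token(string $token, string $expectedAud, array &$seenNonces, string $secret = HANDOFF_SECRET): ?array
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // Constant-time comparison so the MAC cannot be recovered byte by byte.
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $mac)) {
        return null;
    }
    $payload = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($payload) || ($payload['aud'] ?? null) !== $expectedAud) {
        return null;                          // wrong or missing audience
    }
    if (($payload['exp'] ?? 0) < time()) {
        return null;                          // expired
    }
    if (!isset($payload['nonce']) || isset($seenNonces[$payload['nonce']])) {
        return null;                          // replayed
    }
    $seenNonces[$payload['nonce']] = true;
    return $payload;
}

// --- usage ---------------------------------------------------------------
// On www.domain.com: hand the token to the handler host. For the POST/upload
// case put it in a hidden form field or header instead of the query string.
$token = issue_handoff_token('user-42', 'handlers.domain.com');
// header('Location: https://handlers.domain.com/upload?t=' . rawurlencode($token));

// On handlers.domain.com:
$seen   = [];
$claims = verify_handoff_token($token, 'handlers.domain.com', $seen);
if ($claims === null) {
    http_response_code(403);
    exit;
}
// Token is good: start a session local to this host and continue.
// session_start(); $_SESSION['uid'] = $claims['uid'];
var_dump($claims['uid']);                                              // string(7) "user-42"
var_dump(verify_handoff_token($token, 'handlers.domain.com', $seen));  // NULL: replay rejected
```

The short TTL and the nonce store are what keep a token that leaks through a proxy log or Referer header from being reused; the audience claim stops a token minted for one handler host from being accepted by another. Because the token is self-contained, a form on www.domain.com can carry it in a hidden field straight to a POST handler on handlers.domain.com, which avoids the redirect-loses-POST problem raised in the question.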

PHP session can't be retrieve after redirection using htaccess

I have done a redirection from www.abc.com to www.def.com using .htaccess.
The redirection is successful but I have a problem whereby the cookies and session can only be accessed when I access the website using def.com.
The session will be missing when it is checked from abc.com.
How to copy or read the session at def.com?
Please Help me.
Well, you can't do it simply. Maybe see this post?
Your cookie containing your session id (and therefore, your entire session) is only valid on the domain where it is created. So when you change domains, the cookie is no longer available. To work around this, you could send the session ID to the new domain (which is not very safe, but you might not care), and then create a new cookie and session for that domain.
This is called "cross site scripting" (XSS) and a lot of people work very hard to make sure that what you want isn't possible. If you do find a way to do it, be sure to let us know, because that would be a MAJOR security breach.
You can only share the same session on both domains when you have access to the session data storage from both servers. Depending on the session data storage type and location, you might need to write your own session storage handler.
Besides that, you also need to make sure that the same session ID is used on both domains. If you want to use cookies for the session ID, you can only do it when your domains share a common super-domain, so they are sub-domains of a domain, like foo.example.com and bar.example.com share the super-domain example.com. In that case you need to adjust the session cookie parameter domain and set it to the value .example.com for the super-domain example.com.
Otherwise, like in your example where the domains do only share com as a top level super domain, you can’t use cookies (in the first place). But you can use the URL to transfer the session ID from one domain to the other domain. To do that you need to enable session.use_trans_sid and disable session.use_only_cookies (both at least on the redirection target domain) and append the session ID to every URL pointing from one domain to the other (here you can use the SID constant).
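The two requirements in the answer above (shared session storage plus a session ID carried across the domain boundary) as one added example, not code from the answer: a custom save handler backed by a PDO/SQLite store both servers can reach, trans_sid enabled so the target domain accepts the ID from the URL, strict mode so an ID that does not exist in the store is refused, and a link to the other domain built with the SID constant. The database path, table layout and the www.def.com link are assumptions.

```php
<?php
// Added example: both hosts (www.abc.com and www.def.com in the question)
// read and write the same session store; the session id crosses the domain
// boundary in the URL because no cookie can span two unrelated domains.
declare(strict_types=1);

final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'INSERT INTO sessions (id, data, updated) VALUES (?, ?, ?)
             ON CONFLICT(id) DO UPDATE SET data = excluded.data, updated = excluded.updated'
        );
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }

    // Used by session.use_strict_mode: an id handed over in the URL is only
    // accepted if it already exists in the shared store, so a made-up id
    // cannot be fixed onto a user before they log in.
    public function validateId(string $id): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        return $stmt->fetchColumn() !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->db->prepare('UPDATE sessions SET updated = ? WHERE id = ?')->execute([time(), $id]);
    }
}

// Shared storage reachable from both servers (assumed path; a network
// database or cache would be used in practice).
$db = new PDO('sqlite:/var/lib/php/shared-sessions.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL, updated INTEGER NOT NULL)');

// Accept the id from the URL on the target domain, as the answer describes.
ini_set('session.use_trans_sid', '1');
ini_set('session.use_only_cookies', '0');
ini_set('session.use_strict_mode', '1');

session_set_save_handler(new PdoSessionHandler($db), true);
session_start();

// A link from this domain to the other one carrying the session id. SID
// expands to "PHPSESSID=<id>" when the id did not arrive via cookie, else "".
$link = 'https://www.def.com/page.php' . (SID !== '' ? '?' . SID : '');
echo htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
```

PHP's automatic URL rewriting only touches relative URLs (and hosts listed in session.trans_sid_hosts), which is why the cross-domain link is built by hand with SID. An id in a URL ends up in browser history, proxy logs and Referer headers, so keep use_only_cookies=0 limited to the hosts that need it and regenerate the id with session_regenerate_id() once it has been received on the other side.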

session variables not carrying over from http://www.xxxx.com to http://xxxx.com

I was made aware of this issue by some users on my website. A user may enter http://xxxx.com into their browser and then log in. Then they may click on a link that brings them to http://www.xxxx.com and it asks them to log in again! Is this a known issue that anyone has encountered before? I tried googling it but I'm not sure if I'm using the wrong keywords or what, because I cannot find anything related to this.
Thanks,
Ian McCullough
As far as your browser is concerned, www.xxxx.com and xxxx.com are different domains. The same-origin policy prevents accessing cookies across domains.
However, the browser is aware of subdomains, and a subdomain can access the cookies of a parent domain. So, if you want to make your cookie accessible to both xxxx.com and www.xxxx.com, just set your cookie on .xxxx.com and you'll be set.
When you set a cookie, you can optionally specify which domain the cookie is set for. If you don't, the cookie is particular to that hostname only, and thus if the cookie is set on www.example.com, it will only be returned by the browser on that hostname or below.
If, when setting the cookie, you set the domain to "example.com" it should work also on "www.example.com".
The problem is that the more specific cookie will override the less specific one, so if you've previously set a cookie on "www.example.com" it will continue to override the new one set for "example.com", rather than being replaced by it - you would first have to delete the one set for "www.example.com". It gets tricky since when the client returns a cookie to the server it doesn't say which hostname the cookie was set for.
People seem to be assuming you're using a cookie to perform authentication but are skipping what appears to be your root question. Trevor briefly touched on it, but still kept to the cookie concept. As far as http is concerned, www.xxxx.com and xxxx.com are different subdomains on the same top level domain. Hence, while they may be the same ip, same website, same everything, the browser request and the server's response are considered to be 2 separate domains/sites. Sessions are not shared across subdomains unless you have a separated session state (such as a SQL Session store, etc).
However, if you are using cookies for authentication, you can add a check for the cookie and rebuild a fresh session if the data in the cookie is valid (and sufficient to reconstruct session). Otherwise you'll have to separate session state from the process into a data store.
Check the domain of the cookie, when creating a cookie you can specify if it is for all sub domains, the root server, specific sub domain, etc. To handle all, the cookie would be for .example.com

PHP session id's differ

I am using PHP 5.2.8.
I have index.html, which loads LOAD.PHP from an IFRAME.
iframe src="load.php".....
I printed out load.php's session id.
Then I ran another test.php, and printed out its session id.
The PHP session ids were different.
Therefore, I cannot pass any session variables....
What is happening here? This problem did not happen before, suddenly today it started happening.... however this problem still exists.... it's driving me nuts!
session.save_path is the same for both.... /var/php5, cookie path is the same...
If PHP is creating a second session ID on the second load of the page, then it means that the first one was not passed back properly. Likely, the cookie is not being set for some reason. Things to check:
Test in multiple browsers?
Did you disable cookies in your browser somehow?
Is the iframe on a different domain or subdomain that might prevent cookie passing?
Install LiveHTTPHeaders or some other firefox add-in to check the cookies you are receiving
http://www.example.com will have a different sessionID than http://example.com
(not really an answer as your question doesn't seem to me to have enough data to provide a certain answer, but rather a few things to check)
Are the files in the same domain and directory, and are the cookies not limited to a different directory (i.e. path=/)? (note: they're not limited unless you tell that explicitly with session_set_cookie_params)
Is the browser sending the cookie (or are you maybe in "incognito mode")? If cookies don't work PHP will probably try to pass Session IDs in the QueryString and fail, if you go to test.php writing its name manually and not following a link (usually I use session.use_only_cookies=1 to avoid that).
They will have different SID if they have different cookie domain or cookies are not working at all and PHP is configured to use only cookies for session ID (session.use_only_cookies=1).
Cookie domain is explained here:
Only hosts within the specified domain can set a cookie for a domain and domains must have at least two (2) or three (3) periods in them to prevent domains of the form: ".com", ".edu", and "va.us". Any domain that falls within one of the seven special top level domains listed below only requires two periods. Any other domain requires at least three. The seven special top level domains are: "COM", "EDU", "NET", "ORG", "GOV", "MIL", and "INT".
The default value of domain is the host name of the server which generated the cookie response.
So set a common domain for your hosts and they will share cookies, thus PHP SID :)
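The cookie-domain advice given in this answer, in the setcookie() answer to the first question, and in the www.xxxx.com versus xxxx.com thread above, as one added example that is not code from any of the answers: the session cookie is scoped to the parent domain with session_set_cookie_params() before session_start(), so www.example.com, example.com and any other subdomain present the same session id, and a leftover host-only cookie (the "more specific cookie overrides the less specific one" problem) is expired explicitly. example.com and the cookie attributes are placeholders for your own hosts.

```php
<?php
// Added example: one session cookie for a whole domain tree. Domain and
// paths are assumptions; adjust to your own hosts.
declare(strict_types=1);

const COOKIE_DOMAIN = '.example.com'; // leading dot: every subdomain, plus the apex host

// Call on every host that should share the session, before session_start().
function configure_shared_session_cookie(string $domain = COOKIE_DOMAIN): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: discarded when the browser closes
        'path'     => '/',
        'domain'   => $domain,
        'secure'   => true,     // only sent over https
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// A host-only cookie set earlier on www.example.com (no domain attribute) is
// a separate cookie from the domain-wide one and is sent alongside it for the
// same name. Expiring it makes sure only the shared cookie remains.
function expire_host_only_cookie(string $name): void
{
    setcookie($name, '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        // no 'domain' key: this addresses the host-only cookie of the current host
        'secure'   => true,
        'httponly' => true,
    ]);
}

configure_shared_session_cookie();
session_start();
expire_host_only_cookie(session_name());

// On the next request the browser sends just the .example.com cookie, so the
// id below is the same whether the page was reached via www or the apex host.
echo session_id();
```

Because session_set_cookie_params() only affects cookies PHP sends from this point on, it has to run on every host in the tree before session_start(); a host that still sets its cookie without a domain attribute will keep producing the host-only shadow cookie the www/non-www thread describes.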