redbullmarky

sessions across site

Hi All

Just hoping to get a bit of advice about how to approach this one.
I'm currently redeveloping a client's site. This site is hosted on a server with the www.mysite.com domain name. The new site exists on my own server, and has the same domain name with the co.uk equivalent: www.mysite.co.uk

Now - the new site is not ready, but one particular feature is, which the old site will link to via its navigation.

The new site and the new feature need to know if the user is logged in on the old site. The old site keeps a user logged in using Session variables.

Can anyone think of the best way that I can pass the session details from the old site to the new without sending them in the clear or exposing any security problems?

Cheers
Mark

well if you ran a DB based session and both sites are working with the same database that would be no problem

Yeah I think you should use databases to communicate between sites.
I don't think cookies would work.

But if you transfer session data (check session.save_path), and can pass the session id using... Maybe that could work, dunno.

[quote]
QUOTE(joquius @ Jun 10 2006, 05:17 PM)
well if you ran a DB based session and both sites are working with the same database that would be no problem
[/quote]

hi
I've actually looked at this one - although the coding on the old site is so poorly coded that getting it hooked up with custom sessions (which the new site actually uses) would be far too much effort. I've thought also about using a script on the old site to $_POST the values to the new site, only once again it's a ballache doing anything with the old code, and as it's unfamiliar territory (POSTing values to a site without forms), I wouldn't be comfortable doing it as I'd want to keep things secure and solid.

Cheers though - any more thoughts from either of you or anyone else would be appreciated

Mark

$_SESSION's when are just serialized arrays. You can do this:

1. Create a mysql database with the fields "session_id" and "session_data".
2. From the old site, store the user's session_id and serialized session data, like:

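[code]// Escape both values: serialized data contains quotes that would otherwise break the query (and allow SQL injection)
$id = mysql_real_escape_string(session_id());
$data = mysql_real_escape_string(serialize($_SESSION));

mysql_query("INSERT INTO `sessions` (session_id, session_data) VALUES ('$id', '$data')");[/code]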

3. Pass the session ID via post/get
4. Retrieve it from the other site, and populate session variables.
5. Delete the entry.

NOTE: Obviously both sites must access the same database
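
The five steps above, as an added example that is not part of the original thread or any poster's code. It goes beyond the post in three ways: a random single-use token with a short expiry is passed in the URL instead of the real session ID, the data is stored as JSON rather than with serialize(), and all queries are prepared statements. The table and function names are hypothetical, and an in-memory SQLite database (PHP 7.1+ with pdo_sqlite) stands in for the database both sites share.

```php
<?php
// Added example, not code from the thread. Table and function names are hypothetical;
// an in-memory SQLite database stands in for the database both sites share.

function handoff_schema(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS session_handoff (
        token_hash TEXT PRIMARY KEY, session_data TEXT NOT NULL, expires_at INTEGER NOT NULL)');
}

// Old site (steps 2-3): store the session data under a fresh random token.
// Only the token's SHA-256 is stored, and the real session ID never leaves the old site.
function handoff_issue(PDO $db, array $session, int $ttl = 60): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'INSERT INTO session_handoff (token_hash, session_data, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), json_encode($session), time() + $ttl]);
    return $token;
}

// New site (steps 4-5): redeem the token once. Returns the session array, or null
// when the token is unknown, already used, or expired.
function handoff_redeem(PDO $db, string $token): ?array {
    $hash = hash('sha256', $token);
    $sel = $db->prepare(
        'SELECT session_data, expires_at FROM session_handoff WHERE token_hash = ?');
    $sel->execute([$hash]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    $sel->closeCursor();
    $del = $db->prepare('DELETE FROM session_handoff WHERE token_hash = ?');
    $del->execute([$hash]);
    // Only the request whose DELETE removed the row may use it (blocks replays and races).
    if ($row === false || $del->rowCount() !== 1 || (int) $row['expires_at'] < time()) {
        return null;
    }
    return json_decode($row['session_data'], true);
}

// Constructed demonstration with sample session values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
handoff_schema($db);

$token = handoff_issue($db, ['user_id' => 42, 'logged_in' => true]); // on the old site
// The old site would now redirect over HTTPS to the new site with $token in the URL.
var_dump(handoff_redeem($db, $token));        // first use, on the new site
var_dump(handoff_redeem($db, $token));        // same token replayed
var_dump(handoff_redeem($db, 'not-a-token')); // token that was never issued
```

On the new site, copy the returned array into $_SESSION and call session_regenerate_id(true) before treating the user as logged in.
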

You can use this php function:

session_set_cookie_params ( int lifetime [, string path [, string domain [, bool secure]]] )

--try using '.domainname.com' as the domain --starts with '.'
or try '*.domainname.com' --start with '*.'

--the function would have to be reexecuted on every new page.

[quote]
QUOTE(mainewoods @ Jun 10 2006, 02:11 PM)
You can use this php function:

session_set_cookie_params ( int lifetime [, string path [, string domain [, bool secure]]] )

--try using '.domainname.com' as the domain --starts with '.'
or try '*.domainname.com' --start with '*.'
[/quote]
I don't think that would be possible.
Or we could all steal other people's sessions, couldn't we?

-it's supposed to work. Read it on user contributed notes on php.net. Usually xxxxx.domain.com would just be a subdomain of the main domain. I never thought of it, but you're right, that would be a security problem on shared web hosts.

I found it in the user contributed notes about halfway down this page:

http://us2.php.net/manual/en/function.setcookie.php

-It has to do with cookies but I assume it has to do with sessions too

--tell me if this actually works because it would be a security risk if it did!

Hi
Thanks for your suggestions. I think, poirot, that your way would probably be more suitable in this case. The ONLY gripe is that I'm not really a fan of allowing access to a database via anything other than 'localhost', but as it would seem to work, it's prob gonna be the best solution here so far.

Cheers
Mark
