need advice on sessions across multiple domains...


slushpuppie

i have a site with several domains, which the client insists upon keeping available... so rather than have domain.net and domain.org just redirect to domain.com, they want you to be able to visit any of them via that url.

 

however, many people post links in the forums on the site, which go to domain.com or www.domain.com, and if you're logged in on anything other than where the link goes you are seen as an invalid user and required to log in on that domain.

 

so for example, i go to domain.com, log in, and then click on a link to www.domain.com/awesome_page - i get an error that i'm not logged in and have to log in again. i've read some about how you can set the session_cookie to ".domain.com", but what about if i'm on domain.net?

 

any ideas? any input at all? i'm kind of at a loss, and don't want to try implementing anything with my current level of understanding of this issue.

 

thanks in advance.

That can't really be done because sessions use cookies, and the cookies are relevant to the domain. You could set up a hack where you pass the session ID as a URL param, and then write some custom code, but this will open up a whole can of worms, and also leaks the session ID into the URLs, which will then be pasted by the users into the links, leading to people attempting to session hijack other users.

 

Bottom line: you need to explain to the clients that their desire is incompatible with the technology platform being used. There are solutions to these problems if the user wants them badly enough -- for example, consider something like an ID server that all the sites in the network utilize to provide identification. This could be used, and as long as all the web servers in the network use the same session storage (this could be memcache, or an NFS mounted volume) you could construct a workaround, but it is by no means a small job. If they want it badly enough, and will accept the recoding and probably substantial reworking of security code, you can get this to work.

  • 2 months later...

Q: is there some reason you want to share the session information?

  Like yer sharing the same MySQL database or something?

 

Because there may be a way to set/copy session data from one domain to another.

 

but as gizmola states, it will have its drawbacks.

1) Once ppl realize this is what yer site is doing, be prepared for hacking attempts against the script.

 

I really dun see any advantage to this, unless yer using the same userbase across all sites.

 

the thought is to create something like how email validators work.

a custom link is given, and information can be retrieved from a central database server, and the relevant session data is stored here for sites to grab and use.

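The "custom link plus central server" idea from the last post, sketched as an added example that is not part of any post in this thread: the link carries a short-lived, single-use token bound to one target domain, so the session ID itself never appears in a URL. `HandoffStore`, `handoff.php` and the sample session ID are hypothetical, and the in-memory array stands in for the shared database or memcache the posts mention.

```php
<?php
declare(strict_types=1);

// Stand-in for the central store every domain's web server can reach
// (shared database or memcache). Constructed for this demo.
final class HandoffStore
{
    /** @var array<string, array{sid: string, host: string, expires: int}> */
    private array $rows = [];

    // Called on the domain where the user is already logged in.
    public function issue(string $sessionId, string $targetHost, int $ttl = 30): string
    {
        $token = bin2hex(random_bytes(32));        // unguessable, unrelated to the session ID
        $this->rows[hash('sha256', $token)] = [    // keep only a hash of the token at rest
            'sid'     => $sessionId,
            'host'    => strtolower($targetHost),
            'expires' => time() + $ttl,
        ];
        return $token;
    }

    // Called on the target domain; returns the session ID, or null on any failure.
    public function redeem(string $token, string $requestHost, ?int $now = null): ?string
    {
        $key = hash('sha256', $token);
        $row = $this->rows[$key] ?? null;
        unset($this->rows[$key]);                  // single use, even when a check below fails
        if ($row === null || ($now ?? time()) > $row['expires']) {
            return null;                           // unknown, already used, or expired
        }
        if (!hash_equals($row['host'], strtolower($requestHost))) {
            return null;                           // token was issued for a different domain
        }
        return $row['sid'];
    }
}

// Demo with constructed values; domain names follow the thread's placeholders.
$store = new HandoffStore();
$token = $store->issue('sess-constructed-123', 'domain.net');
echo 'https://domain.net/handoff.php?t=' . $token, PHP_EOL;   // hypothetical endpoint

var_dump($store->redeem($token, 'domain.net'));               // first redemption
var_dump($store->redeem($token, 'domain.net'));               // same link used again
$other = $store->issue('sess-constructed-123', 'domain.net');
var_dump($store->redeem($other, 'domain.org'));               // redeemed on the wrong host
$late = $store->issue('sess-constructed-123', 'domain.net');
var_dump($store->redeem($late, 'domain.net', time() + 31));   // redeemed after the TTL
```

On a successful redemption the target domain would attach to the shared session storage and set its own cookie, for instance with `session_id()` before `session_start()` followed by `session_regenerate_id(true)`.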
