Sharing PHP Sessions Across Domains

[papaface]

Hey,

 

I am in the process of writing a script to share a php session across various domains I have.

The problem I have, is getting php to access the php session. It gives me a persmission error. It seems the session is being created with chmod 0600 which does not allow the other domains to access the session data.

When I manually chmod it to 0777 the session data can be retrieved across my domains.

 

Is there a way (maybe in php.ini) to change the permissions the sessions are given?

 

Thanks

[oopholic]

Use a database to store them.

[papaface]

How can I do that as I need to be able to tell the sites what PHPSID to use?

[greatstar00]

connect to 1 database from all domains u have

for example

sample1.com connect to database 123.123.123.123

sample2.com connect to database 123.123.123.123

sample3.com connect to database 123.123.123.123

database 123.123.123.123 has the following table

user_session

phpSID

 

hyperlink

sample1.com?phpsid=31790AF

sample2.com?phpsid=31790AF

sample3.com?phpsid=31790AF

where 31790AF, you generate this number, better not use the one php generated

[PFMaBiSmAd]

There is no php.ini setting because the permissions for the session data files are set to the user that php is running under when each session data file is created. This prevents a script one site from being able to read the session data files of a different site.

 

You would need to insure that the user account that the web server/php is running under was either the same for all the sites or you need to set the permissions on the folder so that it is accessible by all user accounts or create a specific folder where you have set the permissions as so that all user accounts can fully access it.

 

The alternative is to change the session save handler from the default file save handler to a custom save handler that uses a database. There are several such php scripts posted about on the Internet.

[papaface]

I'm already using a different session save handler to a directory that I know all accounts can access. The issue is that php is creating the session with read/write only permissions for the user that made it.

connect to 1 database from all domains u have

for example

sample1.com connect to database 123.123.123.123

sample2.com connect to database 123.123.123.123

sample3.com connect to database 123.123.123.123

database 123.123.123.123 has the following table

user_session

phpSID

 

hyperlink

sample1.com?phpsid=31790AF

sample2.com?phpsid=31790AF

sample3.com?phpsid=31790AF

where 31790AF, you generate this number, better not use the one php generated

How can I get each site to use the same PHPSID? How does each site know what SID to use?

[PFMaBiSmAd]

Your session save handler would need to chmod the file with permissions that allow all user accounts to access it.

[papaface]

So,

chmod("/somedir/sessions/".session_id(), 0777);

?

That is an acceptable and proper way to do this?

 

Also (as mentioned earlier), how can I get each site to use the same PHPSID? How does each site know what SID to use?

[greatstar00]

I'm already using a different session save handler to a directory that I know all accounts can access. The issue is that php is creating the session with read/write only permissions for the user that made it.

connect to 1 database from all domains u have

for example

sample1.com connect to database 123.123.123.123

sample2.com connect to database 123.123.123.123

sample3.com connect to database 123.123.123.123

database 123.123.123.123 has the following table

user_session

phpSID

 

hyperlink

sample1.com?phpsid=31790AF

sample2.com?phpsid=31790AF

sample3.com?phpsid=31790AF

where 31790AF, you generate this number, better not use the one php generated

How can I get each site to use the same PHPSID? How does each site know what SID to use?

u can use a random generator

rand a number from 1 to 1000000, concatenate it with the micro time in unix stamp

for example, it is now 1234567890, today, NOV 20, 20:00PM, just say as example, not real

the  microtime is

1234567890.123  meaning NOV 20, 20:00:00PM at micro second 123

then multiply this by 1k, so u get 1234567890123

and if you generated this number, 12389781

so, concatenate them

123456789012312389781  << this is your new phpSID

[PFMaBiSmAd]

Also (as mentioned earlier), how can I get each site to use the same PHPSID? How does each site know what SID to use?

 

You must pass it on the end of the URL.

 

I've got to ask why you want to share sessions between different domains, because browsers don't pass the session id using a cookie between domains so you must do this yourself in any link that your form that goes to one of your other domains.

[papaface]

Basically, when a user logins in on domain1.com I want them to be logged in on domain2.com and vice versa.

 

Are there any pre-made scripts to do this kind of thing? The whole process of setting cookies etc is very complex.

 

 

[papaface]

Anyone ?

[PFMaBiSmAd]

Cookies (regular and session id) are domain specific for security reasons. There's no pre-made script to do what you are asking because you must bypass security that is buit-in in the browser and on the server.

 

To get this to work, you must both get the browser to pass a pieces of unique identifying information back and forth between domains (the only way to accomplish this is to pass it as part of the URL) and make each domain have access to the matching information on the server(s) (you must either make a shared file location that is accessible to both domains or use a database that is accessible to both domains.)