schilly, posted October 18, 2010: I'm looking for a secure way to share session data across two different domains (not subdomains) on the same server. I've looked at passing the session id through a GET var to the other domain. It works, but it looks to open the possibility of session hijacking and I don't really like having the session id in the URL string. Any way to make this secure? The other option I'm looking at is using cURL to load a script on the other domain that sets a cookie with the session id. When the person loads the other domain, check for the cookie, get the session id, connect to the session, then delete the cookie. Can anyone see anything wrong with this? Thanks.
schilly (author), posted October 18, 2010: Anyone?
schilly (author), posted October 19, 2010: Last bump.
BlueSkyIS, posted October 19, 2010: I did this once years ago, where a customer would load a cart on one website and pay on another. Both sites were on the same server, so I used the local database to store the customer info and accessed that info from both sites. I used some kind of unique key in the URL to identify the shopping cart record on the "pay" site. If that record wasn't there (or the key was invalid), the user was redirected back to the shopping website. This was a low-risk situation: simply redirecting a user to another website to pay for items placed into a cart on another website. Who cares if someone "hacks" the unique key and pays for something they didn't put in their own cart? But this was the only approach I could think of at that time. I'm not sure if it's the best and I would probably dig deeper if I was going to do something similar again.
schilly (author), posted October 19, 2010: Ya, that would work for payment, as no one would want to pay for someone else. This system gives access to specific resources which need to be locked to the person's account. I'm going to try out the cookie option and see how it goes. Thanks for the reply.
schilly (author), posted October 19, 2010: Ah crap. cURL won't work, as the server will load the external script on the other domain and not the user's browser, so the cookie won't set. Might have to switch to AJAX.
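A defensive alternative to the approaches discussed in the thread (the raw session id in a GET var, or a cookie planted by a server-side cURL call), as an added example that is not code from this thread or from any of its posters: the first domain mints a random, short-lived, single-use handoff token bound to the session and stores it in the server-local database both sites can reach (the shared-store idea BlueSkyIS describes); only that throwaway token travels in the redirect URL, and the second domain redeems it exactly once. The in-memory dictionary standing in for the database, the function names and the 30-second lifetime are assumptions.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-in for the database both domains share
# (a real deployment would use the server-local DB the thread mentions).
HANDOFF_STORE = {}
TOKEN_TTL = 30  # seconds; assumed value, the redirect finishes well within it


def _digest(token):
    # Store only a hash of the token so a leaked table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_handoff(session_id, now=None):
    """Domain A: mint a random single-use token bound to the live session.

    The real session id never leaves the server; only the token goes in the
    redirect URL, so a logged or leaked URL does not expose the session itself.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    HANDOFF_STORE[_digest(token)] = {
        "session_id": session_id,
        "expires": now + TOKEN_TTL,
    }
    return token


def redeem_handoff(token, now=None):
    """Domain B: exchange the token exactly once for the session id, or None.

    Unknown, expired and already-used tokens all fail, which is what defeats
    replay from browser history, a referrer header or a shared link. After a
    successful redeem, domain B sets its own HttpOnly session cookie on its
    own domain and should regenerate its session id, as after any login.
    """
    now = time.time() if now is None else now
    record = HANDOFF_STORE.pop(_digest(token), None)  # pop makes it single use
    if record is None or now > record["expires"]:
        return None
    return record["session_id"]
```

The URL a user is sent to domain B with would carry only the value returned by issue_handoff, never the session id, and domain B must reject the request outright when redeem_handoff returns None.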