How To Share A Logged In Session Between To Web App?

[silvercover]

I have two seperate web app both written in php. one is a simple online store that needs users to be logged in and place their orders and the other one is a ticketing system that needs users to be logged in too.

 

So how can I share a logged in session between these two apps to prevent users from multiple sign in process? what is the best way to do this?

 

Thanks.

Edited October 19, 2012 by silvercover

[JohnTipperton]

use the same $SESSION for web app and ticketing system.. since you will not destroy the session until the user Logs Out.

[ManiacDan]

If the web apps are on different URLs, John's solution won't work.

 

You can use some sort of oauth or saml code to allow your sites to share login information. It's difficult to allow two different domains to share a login.

[shlumph]

Are they on the same server? If they are, and they are under different subdomains or domains, you'll have to set the session cookie domain to be the same in both projects.

 

If they are on different servers with different IP addresses, you'll probably have to create some sort of web service to interface the two projects.

[TOA]

It's difficult to allow two different domains to share a login.

 

Agreed.

 

I did something similar at work; we merged several other programs (provided by other companies) into one and needed SSO capabilities. We did it using $_GET vars and a whole lot of validating. Seems to work ok.

Edited October 19, 2012 by TOA

[ManiacDan]

Are they on the same server? If they are, and they are under different subdomains or domains, you'll have to set the session cookie domain to be the same in both projects.

If you set the session cookie domain to be different than the domain of the site, it won't work.

 

We did it using $_GET vars and a whole lot of validating. Seems to work ok.

Dangerous for a public web app, GET vars can be intercepted, bookmarked, and accidentally emailed/IMed.

[TOA]

Dangerous for a public web app, GET vars can be intercepted, bookmarked, and accidentally emailed/IMed.

 

Only way the other company would do it, so out of my control

 

I tried to convinve them to implement Oauth but no-go. Lazy dev's I think. We're actually done with them Jan 1 so we won't have that issue anymore. It worked for a year or so though..

Edited October 19, 2012 by TOA

[JohnTipperton]

If the web apps are on different URLs, John's solution won't work.

 

You can use some sort of oauth or saml code to allow your sites to share login information. It's difficult to allow two different domains to share a login.

 

yes but if he is using in a same domain it will work in a 2 different domains it will be hard though.

 

what about create a 2 different session name then store the value in those 2 session so if the user access the other site it will automatically login,

Edited October 19, 2012 by JohnTipperton

[ManiacDan]

yes but if he is using in a same domain it will work in a 2 different domains it will be hard though.

If it's two pages on the same website, then yes it will work. Two separate sites (domains) will never work

 

 

what about create a 2 different session name then store the value in those 2 session so if the user access the other site it will automatically login,

What?

[JohnTipperton]

If it's two pages on the same website, then yes it will work. Two separate sites (domains) will never work

 

 

What?

 

for example

 

www.mysite1.com the session name is $_SESSION['site1']

www.mysite2.com the session name is $_SESSION['site2']

 

if you login the mysite1 save the $_SESSION['site1'] and $_SESSION['site2'] same as the mysite2.

 

i mean when you login the site you are saving the 2 different session variable.

Edited October 20, 2012 by JohnTipperton

[ManiacDan]

That's not how sessions work, at all. $_SESSION is completely different between two sites. They are not shared.