Establishing PHP Session From a Different Host

on 12.07.2009 18:37:38 by Daniel Kolbo

Hello,

How does one continue a php session on a different domain (domain B)
than the domain (domain A) that started the session?

That is, I want to hand-off a session to another domain, but I do not
see how to do this as one cannot set a cookie for another domain (for
valid reasons).

I was thinking I could pass a one-time-access token in the url of domain
B, but I'm dissatisfied with this solution as it gets unwieldy if there
is a high volume of requests (such as a document server).

Otherwise, I would think the user would have to re-identify (enter
username/password) themselves on domain B.

I am wondering if someone can enlighten me on how to have seamless
session integration across multiple domains.

I realize that if the domain has a different php engine, then I'd have
to manage the session data outside of php's internal session data store
(i.e. with something like MySQL). Also, the domains are not subdomains
of each other.

1) An example where one might want to do this is to establish a
document/asset server on domain B to deliver content of different access
levels to domain A's page (and also possibly domain C, D, E, etc...).
Maybe I could do some server to server work passing the contents of a
readfile(), where domain B always trusts requests from domain A.

2) But what about in situations where I literally want to migrate the
user's session from one domain and hand it off to another domain, where
both domains have access to the same data tables. How does one do this?

Maybe I need to do some reading on load balancing to help me understand
how state is maintained across several servers, but I was hoping this
community might be able to guide/point me in the proper direction.

Thanks,
dK

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
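
An added example, not code from the thread or from any of its participants, for the first scenario above (domain B serving assets to domain A's pages by "server to server work passing the contents of a readfile()"). Instead of B trusting every request that claims to come from A, A signs the request with a key the two servers share, and B verifies the signature before it reads anything from disk. The shared key, the `/srv/assets/<level>/` layout, the access-level names and the asset paths are all constructed for the demonstration; `readfile()` on the returned path is what B would do next.

```php
<?php
// Added example (not from the thread): domain A fetches an asset from the
// document server on domain B with a request signed under a key the two
// servers share, so B trusts the signature rather than A's IP address.
// The key, asset root, access levels and paths are constructed.
declare(strict_types=1);

const SIGNATURE_MAX_AGE = 300;   // seconds; assumed allowance for clock drift

/**
 * Domain A: sign everything B will act on (asset path, the user's access level,
 * and a timestamp) so none of it can be altered or replayed indefinitely.
 */
function sign_asset_request(string $sharedKey, string $path, string $level, int $now): array
{
    $params = ['path' => $path, 'level' => $level, 'ts' => (string) $now];
    ksort($params);                                  // canonical order on both ends
    $params['sig'] = hash_hmac('sha256', http_build_query($params), $sharedKey);
    return $params;                                  // becomes the query string A sends
}

/**
 * Domain B: verify before touching the filesystem. Returns the file to serve
 * with readfile(), or null for a missing, forged or stale signature.
 */
function verify_asset_request(string $sharedKey, array $params, int $now): ?string
{
    if (!isset($params['path'], $params['level'], $params['ts'], $params['sig'])) {
        return null;
    }
    $sig = (string) $params['sig'];
    unset($params['sig']);
    ksort($params);
    $expected = hash_hmac('sha256', http_build_query($params), $sharedKey);
    if (!hash_equals($expected, $sig)) {             // constant-time comparison
        return null;
    }
    if (abs($now - (int) $params['ts']) > SIGNATURE_MAX_AGE) {
        return null;                                 // captured requests expire
    }
    // The signature vouches for the path, but keep it inside the level's directory anyway.
    if (preg_match('~(^|/)\.\.(/|$)~', $params['path']) === 1) {
        return null;
    }
    return '/srv/assets/' . $params['level'] . '/' . ltrim($params['path'], '/');  // hypothetical root
}

// Constructed walk-through.
$key = 'constructed-shared-key-replace-with-32-random-bytes';
$now = time();
$req = sign_asset_request($key, 'reports/q2.pdf', 'gold', $now);

$forged = $req;
$forged['level'] = 'platinum';                       // someone on A's side tries a higher tier

var_dump(verify_asset_request($key, $req, $now));            // accepted
var_dump(verify_asset_request($key, $forged, $now));         // rejected: signature no longer matches
var_dump(verify_asset_request($key, $req, $now + 3600));     // rejected: too old
```

The signature covers the access level as well as the path, so whichever of domains A, C, D or E holds the key can only ask for what it signed, and a request that is intercepted in transit stops working once the timestamp window closes. The key must be generated from a CSPRNG and kept out of the web root on both hosts; with one key per calling domain, B can also tell which of them issued a given request.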

Re: Establishing PHP Session From a Different Host

on 12.07.2009 18:47:34 by Daniel Brown

On Sun, Jul 12, 2009 at 12:37, Daniel Kolbo wrote:
> Hello,
>
> How does one continue a php session on a different domain (domain B)
> than the domain (domain A) that started the session?

Simple answer: you don't.

Extended answer: you can, but only if the domains reside on the
same physical host, or in a setup where one domain can read the
physical files of another across hosts. When you store information in
a $_SESSION array, it stores one key (the PHPSESSID value) in a cookie
on the client side, and then stores what is supposed to be a
more-secure version of the cookie - containing all of the stored data
- as a flat file on the server side (usually in /tmp or ~/tmp). As
such, you shouldn't be able to read them from a different domain....
unless your host is insecure, in which case you won't have to worry only
about this, but also full cross-site-scripting vulnerabilities. Other
options would be "parking" or doing an "addon" domain, or something of
the like. However, this all gets more into operating system and
network security, and HTTP server configurations.

Combined answer: you can, but you should really re-evaluate your
code and current capabilities before trying to do so. You may even
want to consider setting up a trust relationship with a centralized
database such as MySQL to allow the second domain to READ ONLY from
the first. Check in the database on the first domain to see if a user
is logged in, if they were active within the last x
(seconds|minutes|hours), and from what IP they were logged in. If
things seem to match up, write the $_SESSION variables for login
without prompting the user to re-authenticate manually.

--

daniel.brown@parasane.net || danbrown@php.net
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig

Re: Establishing PHP Session From a Different Host

on 12.07.2009 20:55:27 by Daniel Kolbo

Daniel Brown wrote:
> On Sun, Jul 12, 2009 at 12:37, Daniel Kolbo wrote:
>> Hello,
>>
>> How does one continue a php session on a different domain (domain B)
>> than the domain (domain A) that started the session?
>
> Simple answer: you don't.
>
> Extended answer: you can, but only if the domains reside on the
> same physical host, or in a setup where one domain can read the
> physical files of another across hosts. When you store information in
> a $_SESSION array, it stores one key (the PHPSESSID value) in a cookie
> on the client side, and then stores what is supposed to be a
> more-secure version of the cookie - containing all of the stored data
> - as a flat file on the server side (usually in /tmp or ~/tmp). As
> such, you shouldn't be able to read them from a different domain....
> unless your host is insecure, in which case you won't have to worry only
> about this, but also full cross-site-scripting vulnerabilities. Other
> options would be "parking" or doing an "addon" domain, or something of
> the like. However, this all gets more into operating system and
> network security, and HTTP server configurations.
>
> Combined answer: you can, but you should really re-evaluate your
> code and current capabilities before trying to do so. You may even
> want to consider setting up a trust relationship with a centralized
> database such as MySQL to allow the second domain to READ ONLY from
> the first. Check in the database on the first domain to see if a user
> is logged in, if they were active within the last x
> (seconds|minutes|hours), and from what IP they were logged in. If
> things seem to match up, write the $_SESSION variables for login
> without prompting the user to re-authenticate manually.
>

Thanks for the responses.

Re: Simple answer
I thought of another example. My bank's website. I sign in and
authenticate with "bank.com". Then, I click credit card from bank.com
and I'm redirected to "creditcard.com" without me having to reinput
user/pass. They clearly do it (granted they have a lot more resources
than I do, but I'd still like to know how they are doing it).

Re: extended answer
Not that i'd be able to do this, but what type of software is required
to set up two remote physical hosts that can share files? Can this be
accomplished through apache or perhaps plugging in some network app into
apache?

I don't fully understand how 'parking/addon' domains would accomplish
the goal. Would you explain this option a bit more thoroughly please?

Re: combined answer
The trust relationship idea is what I have to work with. However, I am
not using IP addresses for authentication as I was told this could
alienate legitimate users and that IPs may be easily masked. Thus, I
was thinking about using a one-time-access token passed in the url
(essentially the same idea as the password verification links sent to
email in-boxes). Once the user enters domain B with the one time access
token, compare this token with last activity time via MySQL. Then, if
all looks okay, set a cookie with the same session ID as was
established on domain A. As request time on domain A and subsequent
request time on domain B are very close together I could require that
the IPs stay consistent during that short-lived time frame.
Does the above all seem reasonable (though headache prone)? I'm curious
to hear your two cents.

I am also curious to know how the big boys do this type of thing. Do
you have any links, software applications names, or other types of
keywords I could use to research about this type of thing?

Thanks for your time,
dK
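
An added example, not code from the thread or from any of its participants, that puts together the "combined answer" above (a shared store both domains can read, a check that the user was active within the last few seconds, and an address check over that short window) and the one-time-access token proposed in the reply. A PHP array stands in for the shared MySQL table, the domain-B endpoint `https://b.example/handoff` is hypothetical, and the user id and client addresses are constructed. One design choice differs from the plan in the reply: after redeeming the token, domain B starts a session of its own rather than setting a cookie with domain A's session ID, so neither domain ever accepts a session identifier chosen outside its own PHP engine.

```php
<?php
// Added example (not from the thread): single-use hand-off token between
// domain A and domain B that share one data store. A plain array stands in
// for the MySQL table the thread proposes; the endpoint URL, user id and
// client addresses below are constructed for the demonstration.
declare(strict_types=1);

const HANDOFF_TTL_SECONDS = 60;   // assumed: the redirect from A to B completes within a minute

/**
 * Domain A, called once the user is already authenticated there.
 * Only a SHA-256 hash of the token is stored, so a leaked table cannot be
 * replayed; the function returns the URL on domain B to redirect the browser to.
 */
function issue_handoff_token(array &$store, int $userId, string $clientIp, int $now): string
{
    $token = bin2hex(random_bytes(32));               // 256 bits, unguessable
    $store[hash('sha256', $token)] = [
        'user_id'   => $userId,
        'client_ip' => $clientIp,
        'issued_at' => $now,
        'used'      => false,
    ];
    return 'https://b.example/handoff?t=' . rawurlencode($token);   // hypothetical endpoint
}

/**
 * Domain B, called from the hand-off endpoint. Returns the user id to log in,
 * or null when the token is unknown, already used, expired, or presented from
 * a different address than it was issued to. The token is burned before any
 * other check so a second request racing the first cannot also succeed
 * (with MySQL: UPDATE ... SET used=1 WHERE token_hash=? AND used=0, then
 * require exactly one affected row).
 */
function redeem_handoff_token(array &$store, string $token, string $clientIp, int $now): ?int
{
    $key = hash('sha256', $token);
    if (!isset($store[$key]) || $store[$key]['used']) {
        return null;
    }
    $store[$key]['used'] = true;
    $row = $store[$key];

    if ($now - $row['issued_at'] > HANDOFF_TTL_SECONDS) {
        return null;                                   // the redirect took too long
    }
    // Address consistency is only demanded across the few seconds of the redirect,
    // the compromise the thread arrives at for users whose addresses change.
    if (!hash_equals($row['client_ip'], $clientIp)) {
        return null;
    }
    return $row['user_id'];
}

/** Pull the token back out of the redirect URL, as B's endpoint would from $_GET['t']. */
function token_from_url(string $url): string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return (string) ($query['t'] ?? '');
}

// Constructed walk-through; on success B would now call session_start(),
// session_regenerate_id(true) and fill its own $_SESSION, never reusing A's ID.
$store = [];
$now   = time();

$first = token_from_url(issue_handoff_token($store, 42, '203.0.113.7', $now));
var_dump(redeem_handoff_token($store, $first, '203.0.113.7', $now + 3));    // first use
var_dump(redeem_handoff_token($store, $first, '203.0.113.7', $now + 4));    // replay of a used token

$second = token_from_url(issue_handoff_token($store, 42, '203.0.113.7', $now));
var_dump(redeem_handoff_token($store, $second, '198.51.100.9', $now + 3));  // presented from another address

$third = token_from_url(issue_handoff_token($store, 42, '203.0.113.7', $now));
var_dump(redeem_handoff_token($store, $third, '203.0.113.7', $now + 61));   // outside the window
```

The token only ever travels in one URL, is tied to one user, and dies after one redemption or one minute, which is what makes passing it in the URL tolerable for a document server: every request after the hand-off rides on B's own session cookie, not on a fresh token. If the URL is logged by a proxy or leaks through the Referer header of B's landing page, the entry in the table is already marked used by the time anyone reads it.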

RE: Establishing PHP Session From a Different Host

on 13.07.2009 15:15:18 by Bob McConnell

From: Daniel Kolbo
> Daniel Brown wrote:
>> On Sun, Jul 12, 2009 at 12:37, Daniel Kolbo wrote:
>>> Hello,
>>>
>>> How does one continue a php session on a different domain (domain B)
>>> than the domain (domain A) that started the session?
>>
>> Simple answer: you don't.
>>
>
> Thanks for the responses.
>
> Re: Simple answer
> I thought of another example. My bank's website. I sign in and
> authenticate with "bank.com". Then, I click credit card from bank.com
> and I'm redirected to "creditcard.com" without me having to reinput
> user/pass. They clearly do it (granted they have a lot more resources
> than I do, but I'd still like to know how they are doing it).

My bank also does this, but it only works if Javascript is enabled when
I first log in. Otherwise the initial login fails and I do it again on
the second site. I haven't actually looked at the page sources to see
what they do. But I have NoScript configured to block all JS by default
so the initial login attempt always fails. It also reports blocked XSS
attempts on both pages. So whatever they are doing does not appear to be
very safe.

Bob McConnell

Re: Establishing PHP Session From a Different Host

on 13.07.2009 15:35:02 by Ashley Sheridan

On Monday 13 July 2009 14:15:18 Bob McConnell wrote:
> From: Daniel Kolbo
>
> > Daniel Brown wrote:
> >> On Sun, Jul 12, 2009 at 12:37, Daniel Kolbo wrote:
> >>> Hello,
> >>>
> >>> How does one continue a php session on a different domain (domain B)
> >>> than the domain (domain A) that started the session?
> >>
> >> Simple answer: you don't.
> >
> > Thanks for the responses.
> >
> > Re: Simple answer
> > I thought of another example. My bank's website. I sign in and
> > authenticate with "bank.com". Then, I click credit card from bank.com
> > and I'm redirected to "creditcard.com" without me having to reinput
> > user/pass. They clearly do it (granted they have a lot more resources
> > than I do, but I'd still like to know how they are doing it).
>
> My bank also does this, but it only works if Javascript is enabled when
> I first log in. Otherwise the initial login fails and I do it again on
> the second site. I haven't actually looked at the page sources to see
> what they do. But I have NoScript configured to block all JS by default
> so the initial login attempt always fails. It also reports blocked XSS
> attempts on both pages. So whatever they are doing does not appear to be
> very safe.
>
> Bob McConnell

Just a thought, but as the session ID normally gets automatically added to the
request headers by the browser, could you not add it into the form itself as you
move from one domain to another?

AFAIK, PHP tends to prefer the PHPSESSID as an element in the $_COOKIE array
(or the $_REQUEST array which is made up from the cookie as well) so you
might be able to do some clever playing around to achieve the effect?

--
Thanks,
Ash
http://www.ashleysheridan.co.uk

Re: Establishing PHP Session From a Different Host

on 13.07.2009 15:40:28 by Andrew Ballard

On Mon, Jul 13, 2009 at 9:15 AM, Bob McConnell wrote:
> From: Daniel Kolbo
>> Daniel Brown wrote:
>>> On Sun, Jul 12, 2009 at 12:37, Daniel Kolbo wrote:
>>>> Hello,
>>>>
>>>> How does one continue a php session on a different domain (domain B)
>>>> than the domain (domain A) that started the session?
>>>
>>>     Simple answer: you don't.
>>>
>>
>> Thanks for the responses.
>>
>> Re: Simple answer
>> I thought of another example. My bank's website. I sign in and
>> authenticate with "bank.com". Then, I click credit card from bank.com
>> and I'm redirected to "creditcard.com" without me having to reinput
>> user/pass. They clearly do it (granted they have a lot more resources
>> than I do, but I'd still like to know how they are doing it).
>
> My bank also does this, but it only works if Javascript is enabled when
> I first log in. Otherwise the initial login fails and I do it again on
> the second site. I haven't actually looked at the page sources to see
> what they do. But I have NoScript configured to block all JS by default
> so the initial login attempt always fails. It also reports blocked XSS
> attempts on both pages. So whatever they are doing does not appear to be
> very safe.
>
> Bob McConnell
>

I have seen cases where site A renders a form whose action points
to site B with credentials for site B in hidden form elements. Since
there are no visible UI elements, it requires Javascript to trigger
the form to submit itself. If the credentials are simply the username
and password, this seems pretty insecure to me.

I'm not sure how much more secure you can make it if you use a
one-time token (possibly one that encodes the client's IP address with
some other server-side information into a hash?). For this to work,
the two systems would have to be able to communicate either through
shared data storage or some sort of behind-the-scenes web service.

It can also fail in cases where the form processor on site B depends
on some previous state being established with the browser (for
example, a particular cookie that must already be set, or only
accepting posts with a "valid" HTTP_REFERER value) before posting the
credentials.

Andrew
