How do I use cookies across two different domains?

既然无缘 2020-11-27 05:21

I need to share SSO information between two different domains with a cookie, can this be done in PHP and how?

5 Answers
  • 2020-11-27 05:44

    You don't; cookies are bound to a domain. There are restrictions on this and it's referred to as cross-site scripting.

    Now, for some help to your problem. What you can do is create a script that helps bridge them.

    You can globally rewrite all links to your second site that are going to need cookie information from the first site.

    You would save all the cookies from site-a to a database that they both can read, then programmatically append the cookie-id querystring to all of the links to site-b, then look up that cookie id and re-set the cookies under the new domain.

    There is a really good PHP database abstraction library (PHP ADODB) and it has a session sharing plugin that makes all of this a whole lot easier.

  • 2020-11-27 05:49

    On both domains, place an image or other web element that is pulled from the other domain. Use the URL to notify the other domain that user X is on domain A, and let domain B associate that user ID with that user on their system.

    It's a little complex to carry out correctly, but if you think it through it'll work out very well.

    Vinko points out in a comment (thanks!) that I shouldn't take it for granted that you understand the security risks involved. If this information is of any value to anyone, then you should make sure you use proper encryption, authentication, etc. to avoid releasing sensitive information and to avoid various attacks (replay, man in the middle, etc.). This shouldn't be too onerous since you control both websites and you can select a secure secret key for both, since the communication is only going between the two servers via this special URL. Keep it in mind though.

    -Adam

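A sketch of the signed hand-off the answer above describes, as an added example that is not part of the original thread: site A appends a short-lived, HMAC-signed token to its links to site B, and site B verifies it once before setting its own session cookie. The function names, secret, TTL, host name and the in-memory `$seen` replay store are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical shared secret; load it from configuration on both servers.
const SSO_SECRET = 'constructed-demo-secret-change-me';
const SSO_TTL = 60; // seconds a hand-off token stays valid (assumed value)

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

// Site A: issue a token for the logged-in user; append it to links to site B.
function sso_issue(string $userId, string $audience, ?int $now = null): string
{
    $payload = b64url(json_encode([
        'uid' => $userId,
        'aud' => $audience,                 // which site may accept the token
        'exp' => ($now ?? time()) + SSO_TTL,
        'jti' => bin2hex(random_bytes(16)), // unique id, used to block replay
    ], JSON_THROW_ON_ERROR));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, SSO_SECRET, true));
}

// Site B: check signature, audience, expiry and single use. Returns uid or null.
// $seen stands in for a shared store (database table, cache) keyed by jti.
function sso_verify(string $token, string $audience, array &$seen, ?int $now = null): ?string
{
    [$payload, $mac] = array_pad(explode('.', $token, 2), 2, '');
    $expected = b64url(hash_hmac('sha256', $payload, SSO_SECRET, true));
    if (!hash_equals($expected, $mac)) {    // constant-time comparison
        return null;
    }
    $c = json_decode((string) base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($c) || !isset($c['uid'], $c['aud'], $c['exp'], $c['jti'])) {
        return null;
    }
    if ($c['aud'] !== $audience || $c['exp'] < ($now ?? time()) || isset($seen[$c['jti']])) {
        return null;
    }
    $seen[$c['jti']] = $c['exp'];           // remember the id until it expires
    return (string) $c['uid'];
}

// Constructed demo: the first use is accepted, the replayed token is rejected.
$seen = [];
$token = sso_issue('user-42', 'site-b.example');
var_dump(sso_verify($token, 'site-b.example', $seen));
var_dump(sso_verify($token, 'site-b.example', $seen));
```

The token is authenticated but not encrypted, so it should carry only an opaque user or session identifier and travel over HTTPS. On a successful verify, site B starts its own session and sets a cookie for its own domain.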
  • 2020-11-27 05:55

    If you have two sites using the same domain and would like to share cookies between them, set something like this in your settings.php file for each domain:

    ini_set('session.cookie_domain', '.EXAMPLE.com');
    

    Be sure you include the leading '.' before the domain name, or it won't work.

    This allows users to maintain login status between any sites configured for domain-wide cookies.

    This can also have negative side effects, so don't do this unless you're familiar with all the cookies involved for the sites you want to share cookies between.

  • 2020-11-27 06:05

    Well, if your domains are just different subdomains you could do it in an easy way by creating a .yourdomain.com cookie. Then the cookie is passed along with all the requests across all the subdomains.

    It's not that simple if you want to share cookies between different domains as browsers treat it as a security risk.

    What is the exact example?

    In case of some software like Google Analytics and other tracking images, etc., you might be forced to use P3P headers to let the browser know you don't care about security when sending your cookies. Then a browser requesting the image gets a cookie as part of the response and also inspects P3P. If all is OK, it saves the cookie on the hard drive, and the next time you request an image that sits on your website (but is part of another domain's page) the browser will send the cookie along. But I guess this does not help ;-)

    I have never used a cookie value across domains in a direct meaning of it.

  • 2020-11-27 06:06

    I'm not sure about the security implications, but there is an Apache setting that allows you to change the domain of a cookie.

    # in httpd.conf (or equivalent)
    php_value session.cookie_domain mydomain.com
    

    I have successfully employed this method for subdomains, but have never attempted it for different domains.

    There is also a method to set the variables directly in PHP, described at http://us.php.net/manual/en/function.session-set-cookie-params.php. The documentation makes no reference to the ability or inability to set cookies on a different domain.

    There is a different Stack Overflow thread on this same topic, but I don't think it was ever sufficiently answered.
