Cross domain PHP Sessions

感动是毒 2020-11-27 22:11

I am building a site which allows a user to point a CNAME record at my site to run their "profiles", this allows your OWN domain name to load your profile on my site.

4 Answers
  • 2020-11-27 22:20

    Nothing could be simpler:

    1) create domain1.com/client.html with source:

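    <script type="text/javascript" src="http://domain2.com/server_set_cookie.php"></script>

    2) create domain2.com/server_set_cookie.php with php source:

    <?php
    // Compact P3P policy header; the CP value is sent as a quoted string
    header('P3P: CP="ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV"');

    // Set a cookie named by the cookie_name request parameter, valid for one hour
    setcookie($_REQUEST['cookie_name'], 'cookie_name', time()+3600);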
    

    http://smartcoding.wordpress.com/2009/07/12/setcookie-cross-domain-cookie-write/

  • 2020-11-27 22:28

    Not sure I understand your problem. Is it something like another domain calling something like www.userprofiles.com/profile.php?userid=1 and displaying the results? In this case profile.php will generate a new session id whenever it gets called. You need to set different ids for every external domain using your site and change profile.php to something like:

    if( isset($_REQUEST['sid']) ) session_id($_REQUEST['sid']);

    session_start();

    and call the script like this www.userprofiles.com/profile.php?userid=1&sid=somesessionid1234

  • 2020-11-27 22:30

    You can't set cookies cross domain by default. I believe you can set up a P3P file(s) to enable it. http://p3ptoolbox.org/guide/section4.shtml#IVd I haven't done this myself, so I don't know how many of the browsers implement it or if it even works that way.

    Virb looks like it's just using JavaScript. It has an AJAX library that makes a JSON-P request to the virb server if no session cookie is set. (On first load in Firefox you can see this in Firebug.) The JSON response just lets the page know if the user is logged in or not, and updates the portions of the page that need to reflect user status.

    So what's happening is the page embeds some JS from virb.com. Since the domain is virb.com, cookies set to virb.com are sent to the server. The server then responds with the result of the cookie to the external site.

    In the case of virb, which won't work properly without JS, I think that's a good option. However, you could do the same with HTTP Redirects.

    If the HTTP Host is not the main domain (example.com):

    if (empty($_COOKIE['sessionid']) && $_SERVER['HTTP_HOST'] != 'example.com') {
        // redirect to your main site
        header('Location: http://example.com');
        exit; // stop here so the rest of the page is not rendered
    }
    

    On the main site, set the cookie, and send the user back to the external domain (domain.com) passing the session id in the Location.

    header('Location: http://domain.com/?sessid='.urlencode($_COOKIE['sessionid']));
    

    The final bit is to redirect back to the page you were on now that you have the same session going.

    // store the session id received in $_GET['sessid'] as this domain's cookie
    setcookie('sessionid', $_GET['sessid']);
    header('Location: http://domain.com/');
    exit;
    

    Note, in actuality you can send the page you're currently on back to example.com in the first step, so you can redirect back to it later.

    Since you're just using headers (you don't need to output content) and in most cases HTTP/1.1, so you'll be on the same TCP socket, I think it's pretty efficient and will be more supported than the JavaScript option.

    Edit: don't forget to set the cookie when you get back to external domain.

    Last step is optional but it keeps the sessid from being in a URL, which is more of a security issue than keeping it in HTTP headers.

  • 2020-11-27 22:32

    The only way is to add session IDs to the URLs that go from one domain to another (or add that session ID to the iframe src URL), and then code your session storage backend to handle this.

    Of course, you need to consider all the security issues that this approach brings along.

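The redirect answer and the last answer both put the session ID itself in the URL, where it lands in browser history, Referer headers and server logs. As an added example (not part of any answer in this thread), the redirect can instead carry a short-lived, single-use token that the customer domain exchanges server-side for the session ID; the function names, the `handoff` parameter and the in-memory `$store` are assumptions standing in for storage that both domains share.

```php
<?php
// Added example: names and the in-memory $store are hypothetical stand-ins
// for shared server-side storage (database, Redis) both domains can reach.
const HANDOFF_TTL = 30; // seconds a handoff token stays redeemable

// Main site: mint a random single-use token for one specific customer host.
function issue_handoff(array &$store, string $sessionId, string $host, int $now): string
{
    $token = bin2hex(random_bytes(32));
    // Store only a hash so a leaked store does not yield usable tokens.
    $store[hash('sha256', $token)] = [
        'sid' => $sessionId, 'host' => strtolower($host), 'exp' => $now + HANDOFF_TTL,
    ];
    return $token;
}

// Customer domain: redeem the token; returns the session ID or null.
function redeem_handoff(array &$store, string $token, string $host, int $now): ?string
{
    $key = hash('sha256', $token);
    $entry = $store[$key] ?? null;
    unset($store[$key]); // single use: consumed even if the checks below fail
    if ($entry === null || $entry['exp'] < $now) {
        return null; // unknown, replayed or expired
    }
    if (!hash_equals($entry['host'], strtolower($host))) {
        return null; // token was issued for a different customer domain
    }
    return $entry['sid'];
}

// Constructed walk-through of the redirect flow.
$store = [];
$now   = time();
$sid   = bin2hex(random_bytes(16)); // stands in for session_id() on the main site

$t1 = issue_handoff($store, $sid, 'domain.com', $now);
// Main site would now send: Location: http://domain.com/?handoff=<token>
$first  = redeem_handoff($store, $t1, 'domain.com', $now + 5);
$replay = redeem_handoff($store, $t1, 'domain.com', $now + 6);
$t2 = issue_handoff($store, $sid, 'domain.com', $now);
$wrongHost = redeem_handoff($store, $t2, 'other.example', $now + 5);
$t3 = issue_handoff($store, $sid, 'domain.com', $now);
$expired = redeem_handoff($store, $t3, 'domain.com', $now + HANDOFF_TTL + 1);

// On success the customer domain calls session_id($first); session_start();
var_dump($first === $sid, $replay, $wrongHost, $expired);
```

Because the token is consumed on first use and bound to one host, a copy recovered later from a log or Referer header cannot be replayed to attach to the session.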