[RESOLVED] Cross Site logins

nextgengames

Hey,

Im currently trying to fiqure out how to do 1 login across several sites i run. I can do the actual login and db checks what im stuck on is how to create a cookie which is detected across all sites if user logs in on Site A then goes to Site B there still logged in.

Any help would be appreciated!

bogu

Lets look over the setcookie function in php:
setcookie ( string name [, string value [, int expire [, string path [, string domain [, int secure]]]]] ), the third param is the path, lets look over the path param from the php manual:

path - The path on the server in which the cookie will be available on. If set to '/', the cookie will be available within the entire domain. If set to '/foo/', the cookie will only be available within the /foo/ directory and all sub-directories such as /foo/bar/ of domain. The default value is the current directory that the cookie is being set in.

Lets see the forth param:

domain - The domain that the cookie is available. To make the cookie available on all subdomains of example.com then you'd set it to '.example.com'. The . is not required but makes it compatible with more browsers. Setting it to www.example.com will make the cookie only available in the www subdomain.

So I don't think u can set a cookie for more that one domain ...

Drakla

The first idea that comes to mind is using 3rd party cookies set with 1x1 pixel images, which are of course scripts in reality. You could pass validation data via url parameters in the IMG tag. But already I hear the security guy inside me tutting.

Code for the image can be as simple as this

<?php
	/* possible to send an image AND a cookie at the same time?
	 *
	 *	Oh yes it is!
	 *
	 *	3rd party cookies achieved by including an image or sometimes script in somebody elses page
	 *
	 *	You CAN'T set a cookie in a script out of your domain, so you call an image in theirs
	 */


$domain = '.your.domain.co.uk';	// remember initial dot to put away www. woes
$path = '/';

//header('P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"');
	// may have to have a compact policy to set a 3rd party
	// either the above or the below - what the abbrevs mean?  I don't know
//header('P3P: CP="IDC DSP COR CURa ADMa OUR IND PHY ONL COM STA"');


setcookie('mysite', $_SERVER['HTTP_HOST'], time() + 3600 * 25, $path, $domain);
setcookie('time', date('d-m-y  h:i:s'), time() + 3600 * 25, $path, $domain);
setcookie('referrer', $_SERVER['HTTP_REFERER'], time() + 3600 * 25, $path, $domain);

header('content-type: image/gif');

	// pass out a pic
$fp = fopen('charmap.gif', 'r');
fpassthru($fp);
fclose($fp);

exit;
?>

nextgengames

So theres no way to read cookies from another domain, or could I just set cookies for all network domains during login ?

sneakyimp

what they are saying is that siteA can't securely set a cookie for siteB so setting cookies for all from one site is out of the question. however, as drakla suggested, you can put in an <img> tag that uses a php script as its source. that php script sets a cookie and outputs a transparent gif.

I'm not sure how it would, but you might be able to have visibility to the cookie from all of your sites by simply adding the <img> tag pointing to your script.

Another possibility is that if all of your sites use the same database to check for login/logout, then you can simply pass a session id from one site to the other. Passing a session id in a URL is not a particularly good idea becaue people tend to bookmark them, email them to each other, or copy and paste them into a chat window. Hijacking someone's session id might give you visibility to their sensitive account data.

PABobo

for subdomain cookies just enter the . before the domain name
setcookie("memberu", $row_get_login['client_username'], time()+606024*30, "/", ".lookatthedotontheleft.com", 0);

nextgengames

Its not a subdomain cookie im looking at. Thanks for the help on this one guys.