allow sessions to keep alive on multi domain???

niroshan

Hi all,

Does anybody know how to allow sessions to stay alive in multi domains? I will explain you my scenario,

Assume I have a domain called “test.com” where I run my admin application. From the admin application I have a separate link that will link to a separate domain called “websiteTest.com” where I display the website. (Website contents will be added through the admin application so as soon as user did some changes on the admin panel he can view the changes immediately by clicking that link.). Web site also has some restricted areas where only logged in users can view. Same logins will be used to log into website as well as admin panel. So if the user is viewing the website through admin panel link he/she doesn’t need to login through website again to access restricted areas.

The important fact is that both the domains are in the same server and basically “websiteTest.com” domain is a park domain of “test.com” so all the contents are actually coming from test.com only difference is the domain.

I have done some research and most of people suggest me to add session details in the database, but this is not quite the answer because if we are storing the session details in a database we must store the relevant session ID as well. So when ever a user accesses a page I can get his current session ID and do a query in the database and return his login status. That’s what the bottle neck of this method. As soon as I go to a separate domain PHP generate a new session id so even though I query the database it always return not logged in status, so as a solution for this bottle neck someone advice me to pass the session ID as a GET variable. But that I don’t want to do since the security reasons.

Hope this is clear enough for you guys. Anybody have any idea how to accomplish this? Or this is the dead end for my problem?

Really appreciate all your comments.

Thanks in advance.

Regards,
niroshan

Piranha

Let see if I have understood you correctly.

You want the same session data in two domains. But you don't want to pass any information through the browser to make it possible. If that is what you want then it is impossible. You can't both keep the cake and eat it. Sessions are linked to the domain, so it is not possible to do this. You can't do it with cookies either.

Just one question before I start with a suggestion: Do you use an encrypted connection when logging in, like https? If you don't then it won't be much worse to allow this since it is easy to listening to the traffic anyway.

But what about this way, you save the session in a database in the admin. You also store a username, a random value and the time it was created. The random value changes every time you load a page, so does of course the time. Then you can call the new page with "www.newpage.com/page.php?un=$username&random=$randvalue". When someone uses those variables you check it against the database, and if the username and random value matches they get access to the session data. With the time you can set that they have to use that link in x seconds after the last page load.

Note that this suggestion is not safe, it would be very easy for someone listening to the traffic to use that information. Because of that it should never be possible to go from the webpage to the admin panel, only the other way. You can of course store more information in the database (IP as an example), but it won't make it bulletproof.

niroshan

Hi Piranha,

First of all thank you very much for your reply. As for your question no I don’t have a https connection its just http.
Well I will look into the suggestion that you have point out here. But I’m afraid I want my system to be more secured otherwise no point of having an authentication system.😃

Thanks a lot for your help I really appreciate it.

Piranha

Well, no point in having a super-secure programmed login if you don't have encrypted connection 😃