Using same session variable on multiple domains?

Adamthenewbie

I have two websites that have different domains but I want to use the SAME log in session (so if you log into one and go to the other site you'll still be logged in with the same session). What's the best way to handle this? I'd rather not pass a query string when the user switches sites if possible. Both websites are on the same server and can connect to each others databases already just not sure about how to transfer this session. If anyone has any ideas let me know!

dalecosp

Ok ... cookies? You're going to need transference somehow. Why are you afraid of passing the session id in the QS? Could you fake it? Encrypt it? Change it temporarily?

Another alternative would be keeping your sessions in the database, but AFAIK the browser still has to wear a name tag ... I'm not the most experienced in the bunch here (hello Weedpacket, bradgrafelman, and a host of others), but I'm not seeing much way around this.

The only other thing I can think of is some sort of AJAX, SOAP, or XML/JSON service that kicks off in the event of a "site switch", but I've nowhere near enough details to tell you exactly how that might be accomplished.

m_tt

If you don't want to pass anything in the URL I think your only hope is to use the IP address. Maybe manage sessions via database then look up based on IP, then perhaps validate with some sort of salt.

bradgrafelman

m@tt;11002175 wrote:
your only hope is to use the IP address

Definitely NOT. Public IP addresses should never be used to identify a user's requests... there's no guarantee that a user's IP won't change from one request to the next or that hundreds or even thousands of users aren't sharing a single public IP address. (You could even have a combination of the two - many users sharing a small number of IP addresses via a load balancer that directs outgoing requests however it sees fit.)

@: I would also echo dalecosp's question above... what's wrong with using the query string? Note that you could embed some element (e.g. a hidden <img>) in the HTML document on Site1 that points to a PHP script on Site2; that script would accept a SID (for example) via the query string and use it to call session_start(). The result would be that a cookie would be set by the script on Site2 (for Site2, of course) using the same session ID as what was used on Site1.

m_tt

bradgrafelman;11002176 wrote:
Definitely NOT. Public IP addresses should never be used to identify a user's requests... there's no guarantee that a user's IP won't change from one request to the next or that hundreds or even thousands of users aren't sharing a single public IP address.

Well I did say IF he doesn't want to pass anything in the URL 😉