Cross domain PHP Sessions

You can’t set cookies cross-domain by default. I believe you can set up a P3P file (or files) to enable it: http://p3ptoolbox.org/guide/section4.shtml#IVd
I haven’t done this myself, so I don’t know how many browsers implement it or whether it even works that way.

Virb looks like it’s just using JavaScript. It has an AJAX library that makes a JSON-P request to the Virb server if no session cookie is set (on the first load in Firefox you can see this in Firebug). The JSON response just tells the page whether the user is logged in or not, and the page updates the portions that need to reflect user status.

So what’s happening is that the page embeds some JS from virb.com. Since the script is requested from virb.com, the cookies set for virb.com are sent to the server along with that request. The server then looks up the session behind the cookie and responds to the external site with the result.

In the case of Virb, which won’t work properly without JS anyway, I think that’s a good option. However, you could do the same with HTTP redirects.

On the external domain, if the HTTP Host is not the main domain (example.com) and there is no session cookie yet, bounce the visitor to the main site:

// empty() avoids a notice when the cookie is not set at all
if (empty($_COOKIE['sessionid']) && $_SERVER['HTTP_HOST'] !== 'example.com') {
    // redirect to your main site and stop rendering this page
    header('Location: http://example.com/');
    exit;
}

On the main site, set the cookie (or reuse the one already there), and send the user back to the external domain (domain.com), passing the session id in the Location header:

header('Location: http://domain.com/?sessid=' . urlencode($_COOKIE['sessionid']));
exit;

The final bit, back on the external domain, is to store the id from the query string in a cookie and redirect to the page you were on, now that you have the same session going on both hosts:

// sessid arrives in $_GET['sessid']; store it as a session cookie for this domain
// (expire 0 = browser session, path '/', default domain, not secure-only, HttpOnly)
setcookie('sessionid', $_GET['sessid'], 0, '/', '', false, true);
header('Location: http://domain.com/');
exit;

Note that in practice you can pass the page you’re currently on to example.com in the first step, so you can redirect back to it later. If you do, check that the return URL points at a host you expect before redirecting to it; otherwise example.com becomes an open redirect that will send visitors to any site an attacker puts in that parameter.

Since you’re only sending headers (you don’t need to output content), and in most cases it’s HTTP/1.1 so you’ll be on the same TCP socket, I think it’s pretty efficient and will be better supported than the JavaScript option.

Edit: don’t forget to set the cookie when you get back to the external domain.

The last step is optional, but it keeps the sessid out of the URL the user ends up on, which is more of a security issue than carrying it in HTTP headers. Be aware that the id still passes through the query string once, so it will show up in access logs and browser history, and that anyone who can put a value in that query string can also set a victim’s session cookie (session fixation) unless the external domain verifies that the id really came from example.com.
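The three redirect steps above, with the return URL and the security caveats folded in, as one added example. This is not code from the original post: the shared secret, the `return` parameter name, the allowlist of external hosts and the sixty-second token lifetime are all assumptions made for the example. Instead of passing the raw session id, example.com passes sessid|expiry|HMAC, so the external domain can reject forged or stale hand-offs before it calls setcookie().

```php
<?php
// Added example (not the post's code): the redirect dance, hardened so the
// session id carried through the URL cannot be forged or replayed indefinitely.
// Assumptions: $SECRET is shared out of band between example.com and each external
// domain, the cookie is named 'sessionid', and the return URL travels in ?return=.

$SECRET = 'replace-with-a-long-random-secret-shared-out-of-band';
$MAIN_HOST = 'example.com';
$EXTERNAL_HOSTS = ['domain.com', 'www.domain.com'];   // hosts allowed to receive a session
$TOKEN_TTL = 60;                                      // seconds a hand-off token stays valid

// Build the hand-off token issued by example.com: sessid|expiry|HMAC-SHA256(sessid|expiry).
function make_handoff_token(string $sessid, int $now, string $secret, int $ttl): string {
    $expires = $now + $ttl;
    $payload = $sessid . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Verify a token on the external domain; returns the session id, or null if it is forged or expired.
function parse_handoff_token(string $token, int $now, string $secret): ?string {
    $parts = explode('|', $token);
    if (count($parts) !== 3) return null;
    [$sessid, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $sessid . '|' . $expires, $secret);
    if (!hash_equals($expected, $mac)) return null;                    // constant-time compare
    if (!ctype_digit($expires) || (int)$expires < $now) return null;  // past its lifetime
    return $sessid;
}

// Only bounce back to hosts we know about; anything else would be an open redirect.
function safe_return_url(string $url, array $allowed): ?string {
    $host = parse_url($url, PHP_URL_HOST);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($host === null || !in_array(strtolower($host), $allowed, true)) return null;
    if (!in_array($scheme, ['http', 'https'], true)) return null;
    return $url;
}

$host = $_SERVER['HTTP_HOST'] ?? '';
$now = time();

if ($host === $MAIN_HOST && isset($_GET['return'])) {
    // Step 2, on example.com: the visitor was sent here from an external domain; hand the session over.
    $return = safe_return_url($_GET['return'], $EXTERNAL_HOSTS);
    if ($return === null) { http_response_code(400); exit('bad return URL'); }
    if (empty($_COOKIE['sessionid'])) {
        // No session yet on the main site either; mint one (a real app would use session_start()).
        $_COOKIE['sessionid'] = bin2hex(random_bytes(16));
        setcookie('sessionid', $_COOKIE['sessionid'], 0, '/', '', false, true);
    }
    $token = make_handoff_token($_COOKIE['sessionid'], $now, $SECRET, $TOKEN_TTL);
    $sep = strpos($return, '?') === false ? '?' : '&';
    header('Location: ' . $return . $sep . 'sessid=' . urlencode($token));
    exit;
}

if (in_array($host, $EXTERNAL_HOSTS, true)) {
    if (isset($_GET['sessid'])) {
        // Step 3, back on domain.com: accept the id only if the token verifies, then drop it from the URL.
        $sessid = parse_handoff_token($_GET['sessid'], $now, $SECRET);
        if ($sessid === null) { http_response_code(400); exit('bad hand-off token'); }
        setcookie('sessionid', $sessid, 0, '/', '', false, true);
        header('Location: http://' . $host . strtok($_SERVER['REQUEST_URI'], '?'));  // path without the query string
        exit;
    }
    if (empty($_COOKIE['sessionid'])) {
        // Step 1: no session here yet; fetch one from the main site, remembering where we were.
        $here = 'http://' . $host . $_SERVER['REQUEST_URI'];
        header('Location: http://' . $MAIN_HOST . '/?return=' . urlencode($here));
        exit;
    }
}
// ...normal page rendering; $_COOKIE['sessionid'] now names the same session on both domains.
```

The HMAC stops a third party from choosing the victim's session id, and the expiry limits how long a captured URL (from a log or a history entry) stays useful; within that window the token can still be replayed, so a site that cares should also record consumed tokens server-side and reject a second use.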
