Cross Domain Sessions

  • Poly
  • Guru
  • Guru
  • User avatar
  • Posts: 1091
  • Loc: Same place you left me.

Post 3+ Months Ago

Hi all,

So I've run into an issue with the new platform we're developing for our products. We would like for a user to remain logged in across all of our product sites (multiple domains). I've been reading up on a couple options, and one sounds like it may be a good solution for us, but I wanted to see if anybody else has ideas or if this has security issues:

User visits domain1.com. User clicks a link on domain1.com which takes them to a members only page on domain2.com. We want the user to remain logged in.

The solution we've been looking at:
domain1.com and domain2.com load a script from domain3.com which stores the sessions. That way the user is always logged in, as the session is pulled from a third site. Are there any security issues with this?

Code:
<script type="text/javascript" src="http://domain3.com/session.php"></script>


Are there any other options to this that do not require the session to be sent as part of the URL, or being done through post? The users may wish to browse member only pages on multiple sites at once, so passing the session between the sites using _POST or _GET would prevent this.

Thanks guys.

  • ScottG
  • Proficient
  • Proficient
  • ScottG
  • Posts: 477

Post 3+ Months Ago

Not sure about the security of this; what about something like a slingshot?

1) User logged into domain 1.
2) A hash made up of a mix of info to compare (user id + email) is sent to domain 2, along with the referring domain, maybe in a hash or id form, through POST only.
3) Domain 2 curls back to the referring domain and checks the user info and the last time they accessed (I'd say within the last minute). If the info checks out and the last access was less than a minute ago, log them in to domain 2 by using the hash of the user info to set up the session on domain 2.

Your sessions wouldn't be passed through. It would act more as an auto login.
  • Poly
  • Guru
  • Guru
  • User avatar
  • Posts: 1091
  • Loc: Same place you left me.

Post 3+ Months Ago

I had asked a similar setup on Stackoverflow and it was pretty much shot down by all responders as being vulnerable to several security issues. The system I proposed was very similar, but stored the information in a cookie, as we need to be able to pass the information across domains without using post. The issue with this is somebody could use a bunch of different security issues to duplicate that users cookie and steal their session. The post method would be secure, but would defeat the purpose of doing it cross domain.

I'm at the point where I'm thinking my best option is to retool our setup, and have the domains point to a directory on our main site:

Domain1.com points to:
us.domain.com/product

Domain2.com points to:
us.domain.com/product2

Would be significantly easier, and we wouldn't have to worry about the security of the sessions then.
  • ScottG
  • Proficient
  • Proficient
  • ScottG
  • Posts: 477

Post 3+ Months Ago

That is true, that is why I added the part about the last db access time, something that constantly changes. However I did have a thought as I was sleeping last night, and that is to log the user into all domains at the time they login to one of the domains by the use of php curl and post.

PHP Code:
//extract data from the post
//(note: extract() on untrusted input lets the client define or overwrite
// local variables; listing the expected keys explicitly is safer)
extract($_POST);
 
//set POST variables
$url = 'http://domain.com/get-post.php';
$fields = array(
                  'lname' => urlencode($last_name),
                  'fname' => urlencode($first_name),
                  'title' => urlencode($title),
                  'company' => urlencode($institution),
                  'age' => urlencode($age),
                  'email' => urlencode($email),
                  'phone' => urlencode($phone)
            );
 
//url-ify the data for the POST
//(initialise the string first so .= does not append to an undefined variable)
$fields_string = '';
foreach($fields as $key=>$value) { $fields_string .= $key.'='.$value.'&'; }
//rtrim() returns the trimmed string rather than modifying it in place
$fields_string = rtrim($fields_string, '&');
 
//open connection
$ch = curl_init();
 
//set the url, enable POST, set POST data
curl_setopt($ch,CURLOPT_URL, $url);
curl_setopt($ch,CURLOPT_POST, true);
curl_setopt($ch,CURLOPT_POSTFIELDS, $fields_string);
//return the response body instead of echoing it to the browser
curl_setopt($ch,CURLOPT_RETURNTRANSFER, true);
 
//execute post
$result = curl_exec($ch);
 
//close connection
curl_close($ch);
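The "slingshot" handoff described earlier in the thread (domain 2 accepting a login vouched for by domain 1, only if it is recent) and the server-to-server POST above both hinge on the same question: how does the receiving domain know the request really came from a trusted sibling site and is not a replayed or forged copy? The example below is added here and is not code from any poster; it is written in Python rather than PHP so that the logic can be run stand-alone. It replaces the "curl back to the referring domain" check with a handoff token signed by a pre-shared HMAC key, which lets domain 2 verify the token offline. The shared secret, domain names, user id and the 60-second window (the post's "within the last minute") are constructed values for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed shared key for the example. In practice each pair of domains
# would share a high-entropy key distributed out of band, never sent over HTTP.
SHARED_SECRET = b"example-shared-secret-not-for-production"
MAX_AGE_SECONDS = 60      # accept a handoff only if minted within the last minute
CLOCK_SKEW_SECONDS = 5    # tolerate small clock differences between the domains


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_handoff(user_id: str, origin: str, target: str,
                  now: Optional[float] = None) -> str:
    """Originating domain: mint a short-lived, single-use handoff token.

    The token carries who is logged in, which domain vouches for it, which
    domain may accept it, when it was issued, and a random nonce so that a
    captured token cannot be replayed. The body is signed with HMAC-SHA256.
    """
    payload = {
        "uid": user_id,
        "iss": origin,
        "aud": target,
        "iat": int(now if now is not None else time.time()),
        "nonce": secrets.token_hex(16),
    }
    # Canonical JSON (sorted keys, no whitespace) so both sides sign the same bytes.
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


class HandoffVerifier:
    """Receiving domain: accept a token only if it is authentic, fresh,
    addressed to us, from a trusted sibling, and has not been seen before."""

    def __init__(self, my_domain: str, trusted_origins: set):
        self.my_domain = my_domain
        self.trusted_origins = trusted_origins
        self._seen_nonces = {}  # nonce -> issued-at, for replay rejection

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id to log in locally, or None if the token is rejected."""
        now = now if now is not None else time.time()
        try:
            body_b64, sig_b64 = token.split(".")
            body, sig = _unb64(body_b64), _unb64(sig_b64)
        except ValueError:          # malformed token (binascii.Error is a ValueError)
            return None
        expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):   # constant-time comparison
            return None
        payload = json.loads(body)
        if payload.get("aud") != self.my_domain:
            return None             # minted for a different site
        if payload.get("iss") not in self.trusted_origins:
            return None             # vouched for by a domain we do not trust
        age = now - payload["iat"]
        if age < -CLOCK_SKEW_SECONDS or age > MAX_AGE_SECONDS:
            return None             # stale, or issued in the future
        nonce = payload["nonce"]
        if nonce in self._seen_nonces:
            return None             # replayed token
        self._seen_nonces[nonce] = payload["iat"]
        # Forget nonces that are too old to be accepted anyway.
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items()
                             if now - t <= MAX_AGE_SECONDS}
        return payload["uid"]


if __name__ == "__main__":
    token = issue_handoff("user-42", "domain1.com", "domain2.com")
    verifier = HandoffVerifier("domain2.com", {"domain1.com"})
    print("first use :", verifier.verify(token))   # user id
    print("second use:", verifier.verify(token))   # None, replay rejected
```

The token is meant for the one-shot redirect from domain 1 to domain 2; after a successful `verify` domain 2 sets its own session cookie, so the long-lived session never crosses a domain boundary, which addresses the cookie-duplication concern raised above. The nonce store shown here is in memory for one process; a multi-server deployment would keep it in a shared store with a 60-second expiry.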
  • Poly
  • Guru
  • Guru
  • User avatar
  • Posts: 1091
  • Loc: Same place you left me.

Post 3+ Months Ago

This is a good possibility Scott. I'm going to spend some time looking into this today. Not something that had occurred to me.


© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.