maintain a single session across multiple servers

Hello,

I am trying to find a solution to a login mechanism for different
domains on different servers with PHP5.

I have one main domain with the user data and several other domains that
need a login to show data.

I want the user to login only once when he visits any of my domains.

The first idea I had is to use the same session for all domains. Is
this possible?

Any help or hint is appreciated.

Thanks in advance

Best regards
Samir
Jun 10 '07 #1
No, it's not. Cookies are designed to be domain specific. For security
reasons, the browser won't send a cookie belonging to one domain on to
another domain.

If all of these sites are so closely related, why are they different sites?
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 10 '07 #2
Hi,

thanks first of all for your answer.

> No, it's not. Cookies are designed to be domain specific.
> For security reasons, the browser won't send a cookie
> belonging to one domain on to another domain.

You took only the cookies into consideration as a way to store session-ids.

> If all of these sites are so closely related, why are they
> different sites?

Take as an example a set of partner online shops that have a central
login mechanism.
If the login pages of the online shops call a dedicated php-page on the
main domain that achieves the login if not done already and gives the
session-id back to the referer page in the url or as POST variable.

If the different shops have the same php-path for session variables on
the main-domain server, then they will be able to read the content of
the session.

Does this make sense? Or am I dreaming?

Regards
Samir

Jun 10 '07 #3
(Top posting fixed)

No, I'm not talking about cookies which contain session id's. Any
cookie is domain specific. As will be the sessions, if you're smart.

Anything else like passing info back and forth in $_POST or $_GET
variables can be very easily fudged. And even if they all have the same
path on the server, there is a huge amount which can go wrong, as well
as huge potential security holes. For instance, the refer page can be
easily falsified. It's not hard at all.

I wouldn't even try it across multiple domains like this. And I ask
again - if these are so closely related, why aren't they the same
domain? They should be, IMHO. How many other sites do you see where one
signon covers multiple domains?

And please don't top post.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 10 '07 #4
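
One way to make a login result handed from the central domain to a shop tamper-evident, addressing the forged `$_GET`/`$_POST` and referer concern raised in the post above. This is an added example, not code from the thread, and it uses a different technique from the one proposed there: instead of the session id itself it passes a short-lived, single-use, HMAC-signed token. The per-shop keys, host names and claim names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Keys, host names and claim names are assumptions.
const TOKEN_TTL = 60; // seconds a handoff token is accepted

function b64u(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64u_dec(string $txt): ?string
{
    $pad = str_repeat('=', (4 - strlen($txt) % 4) % 4);
    $bin = base64_decode(strtr($txt, '-_', '+/') . $pad, true);
    return $bin === false ? null : $bin;
}

// Central login server: called only after the user has authenticated there.
function issue_token(string $key, string $userId, string $audience, int $now): string
{
    $claims = b64u(json_encode([
        'sub' => $userId,
        'aud' => $audience,                 // the one shop this token is meant for
        'exp' => $now + TOKEN_TTL,
        'jti' => bin2hex(random_bytes(16)), // unique id so a shop can refuse a second use
    ], JSON_THROW_ON_ERROR));
    return $claims . '.' . b64u(hash_hmac('sha256', $claims, $key, true));
}

// Partner shop: returns the claims, or null when the token must be rejected.
function verify_token(string $key, string $token, string $audience, int $now, array &$usedJti): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    $sig = b64u_dec($parts[1]);
    if ($sig === null || !hash_equals(hash_hmac('sha256', $parts[0], $key, true), $sig)) {
        return null;                        // not issued by the login server, or modified
    }
    $claims = json_decode((string) b64u_dec($parts[0]), true);
    if (!is_array($claims) || ($claims['aud'] ?? null) !== $audience || ($claims['exp'] ?? 0) < $now) {
        return null;                        // meant for another shop, or expired
    }
    $jti = $claims['jti'] ?? null;
    if (!is_string($jti) || isset($usedJti[$jti])) {
        return null;                        // already redeemed once
    }
    $usedJti[$jti] = true;                  // stand-in for a store shared by the shop's servers
    return $claims;
}

// Demo with constructed values: one secret per shop, known to that shop and the login server.
$keys = ['shop-a.example' => random_bytes(32), 'shop-b.example' => random_bytes(32)];
$now  = time();
$seen = [];
$token = issue_token($keys['shop-a.example'], 'user-1001', 'shop-a.example', $now);
$tampered = $token;
$tampered[5] = $tampered[5] === 'A' ? 'B' : 'A';
$late = issue_token($keys['shop-a.example'], 'user-1001', 'shop-a.example', $now);

$checks = [
    'first use'      => verify_token($keys['shop-a.example'], $token, 'shop-a.example', $now, $seen),
    'second use'     => verify_token($keys['shop-a.example'], $token, 'shop-a.example', $now, $seen),
    'modified'       => verify_token($keys['shop-a.example'], $tampered, 'shop-a.example', $now, $seen),
    'at other shop'  => verify_token($keys['shop-b.example'], $token, 'shop-b.example', $now, $seen),
    'after lifetime' => verify_token($keys['shop-a.example'], $late, 'shop-a.example', $now + TOKEN_TTL + 1, $seen),
];
foreach ($checks as $label => $claims) {
    printf("%-15s %s\n", $label, $claims === null ? 'rejected' : 'accepted for ' . $claims['sub']);
}
```

After a token is accepted, the shop starts its own session under its own domain cookie; the token never serves as the session id.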
On Jun 11, 12:52 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
<snip>
> I wouldn't even try it across multiple domains like this. And I ask
> again - if these are so closely related, why aren't they the same
> domain? They should be, IMHO. How many other sites do you see where one
> signon covers multiple domains?

Yahoo! (Flickr), Google (Blogger, Orkut)

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Jun 10 '07 #5
And specifically which of those domains have one sign-in which then
allows you access to the other domains without having to sign in again?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 10 '07 #6

Why not just a central server that handles the cookies? That way they
are stored w.r.t. the central server but the other servers can get the
information (through a request to the central server).

e.g., when the user wants to be "remembered" they would be temporarily
redirected to your central server where the cookie processing will take
place and it will probably need to contain more information such as which
server the request came from (or since you don't seem to care it would just
save it as normal).

Then any time cookie retrieval needs to happen the opposite thing will
happen.

I think the only issue here is if multiple servers are serving to the same
users then there would need to be some way to synchronize but I think this isn't
that big of a problem.

If you go the central route then you could keep everything on that central
server and really just dish out stuff over the different domains. You just
need to write an interface for what you want.

Jon
Jun 10 '07 #7
Jon,

The problem here is the remote servers will have no idea what the
current status is from the central server - they'll have no way to
communicate anything, even the session id.

If everything requiring a single signon were handled through the central
server, this would work. But it would require using frames and
basically the main server would be doing everything requiring signons.
So why even have the other servers/domains?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Jun 11 '07 #8

"Jerry Stuckle" <js*******@attglobal.net> wrote in message
news:Vp******************************@comcast.com...
> Jon,
>
> The problem here is the remote servers will have no idea what the current
> status is from the central server - they'll have no way to communicate
> anything, even the session id.

Why is this? There surely could be something implemented sorta like
callbacks... or ajax.

Essentially on the remote computer you have a php script that is called by
the central server when something changes or to pass on information. The php
script then could either write them to a file or use shared memory or maybe
run in the same process space as the session.

Sure there would have to be negotiations at the start but I don't see a
problem with it. Instead of passing session through a url, say, you're doing
it over a remote connection.

For example,

User logs into RS (remote server). RS establishes a "session ID" for this
user and calls central server and passes this session ID. All other servers
are signaled that this user has logged into this server (or they could request
each time a user logs onto them). Every time a state is changed it's
reflected back and forth. This isn't optimal of course and technically isn't
probably very good but it should work.

The main problem, I suppose, is creating a unique ID for the user. Would
have to at least be the IP but then that causes problems with proxies and
stuff. Maybe there is a way though...

I really don't see the issue though. After all you could have two servers
running on the same computer but one listens on a different ip. Surely they
would not have any issues sharing a session? (it might require some new
software to handle it efficiently though) Doing it remotely shouldn't be
that much more of a problem (aside from the security issues).

Of course I could be missing something but I don't think your reasoning is
valid as it's pretty easy to synchronize status.

Jon


Jun 11 '07 #9
>> The problem here is the remote servers will have no idea what the current
>> status is from the central server - they'll have no way to communicate
>> anything, even the session id.

Assuming you can solve the problem of the session identifier
(something that can be dealt with by making the servers all have a
common domain with different subdomains), it is possible to use a
session save handler to store the session data in MySQL, not a local
file directory. This has potential to make the session data available
to multiple servers (a setup commonly used with round-robin DNS to
spread the load over several servers serving identical content).
You might have locking issues with changing the content of the
session, though. That might be solved with key changes (logging
in, logging out) handled by one specific server.

If you insist on no more than one session per user, you can use the
user id as a key for locating session data.

> Why is this? There surely could be something implemented sorta like
> callbacks... or ajax.
>
> Essentially on the remote computer you have a php script that is called by
> the central server when something changes or to pass on information. The php
> script then could either write them to a file or use shared memory or maybe
> run in the same process space as the session.

Having the central server call all the other servers can give you trouble
if one of them goes down. (On the other hand, a central database can be
a single point of failure for the whole group of systems if not designed
carefully).

> Sure there would have to be negotiations at the start but I don't see a
> problem with it. Instead of passing session through a url, say, you're doing
> it over a remote connection.
>
> For example,
>
> User logs into RS (remote server). RS establishes a "session ID" for this
> user and calls central server and passes this session ID. All other servers
> are signaled that this user has logged into this server (or they could request
> each time a user logs onto them). Every time a state is changed it's
> reflected back and forth. This isn't optimal of course and technically isn't
> probably very good but it should work.

I prefer to stick all this information in a database where the various
servers can access it. If necessary, the database can be replicated.

> The main problem, I suppose, is creating a unique ID for the user. Would
> have to at least be the IP but then that causes problems with proxies and
> stuff. Maybe there is a way though...

If a user is required to log in, his user id may serve that purpose.

> I really don't see the issue though. After all you could have two servers
> running on the same computer but one listens on a different ip. Surely they
> would not have any issues sharing a session? (it might require some new
> software to handle it efficiently though) Doing it remotely shouldn't be
> that much more of a problem (aside from the security issues).
>
> Of course I could be missing something but I don't think your reasoning is
> valid as it's pretty easy to synchronize status.
Jun 11 '07 #10
