Session handling, login across all subdomains

I run a Joomla website and am familiar with php in some but not all
aspects. Currently I am trying to find some solutions related to
session handling.

Am I correct in saying that "login" is kept in sessions? I can see
active sessions in my mysql database, but is that the only place this
information is stored? Sessions and cookies I know are related also,
but how specifically (session info stored in cookies?)?

Right now, when users login at example.com, and then visit
subdomain.example.com, they are not logged in at the subdomain. I am
trying to change this so that users logged in on the main site or any
subdomain are also logged in across all other subdomains and the main
site. I know sites like livejournal successfully accomplish this.

I have read some stuff about mod_rewrite solutions, but I don't think
this is really what I need. From what I can tell, the domain is stored
in a session, and I may need to generalize it somehow, but I don't
know how to test this.

Any ideas?
Jul 25 '08 #1
Josh <jj*******@gmail.com> writes:
Besides the name of the session cookie and the place where the session
information is stored, both sites also need to share the idea of who a
"user" is. That would generally mean that both sites use the same database,
or at least that the user information comes from the same table.

That might be a question of setup or installing additional modules etc. I don't
know the specifics of Joomla.

Chetan
Jul 25 '08 #2
Josh wrote:
Your problem is the session id is kept in a cookie. However, the browser
will not normally send a cookie from one website to a different website.
And even though they are subdomains of the same domain, they are
different sites.

To get them to work with all of your subdomains, in your php.ini file set

session.cookie_domain = .example.com

where example.com is your main domain. The leading period is important.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jul 26 '08 #3
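Jerry's php.ini setting expressed as a per-vhost bootstrap include, together with the session store and cookie flags a practitioner would pair with it; this is an added example, not code from the thread or from Joomla. The memcached address, the EXSESSID cookie name and PHP 7.3+ (array form of session_set_cookie_params) are assumptions.

```php
<?php
// Added example (not from the thread). Include this on every vhost under
// example.com so they all use one cookie scope and one session store.

// 1. The session data must live where every subdomain can read it; a cookie
//    shared across hosts is useless if each host keeps its own files in /tmp
//    (Richard's memcache point later in the thread). Address is an assumption.
ini_set('session.save_handler', 'memcached');          // needs ext-memcached
ini_set('session.save_path', 'sessions.internal.example.com:11211');

// 2. Reject session IDs this server never issued. With a parent-domain cookie
//    any subdomain can plant an ID for all the others, so this matters more.
ini_set('session.use_strict_mode', '1');

// 3. Scope the ID cookie to the parent domain. The leading period is kept as
//    the thread advises; RFC 6265 browsers ignore it and send the cookie to
//    example.com and every subdomain either way.
session_set_cookie_params([
    'lifetime' => 0,              // discarded when the browser closes
    'path'     => '/',
    'domain'   => '.example.com',
    'secure'   => true,           // never over plain HTTP
    'httponly' => true,           // not readable from document.cookie
    'samesite' => 'Lax',
]);
session_name('EXSESSID');         // same cookie name on every vhost
session_start();

// 4. After a successful login, swap the ID so a pre-login ID (possibly set
//    from another subdomain) never becomes a logged-in one.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['logged_in'] = time();
}

// Quick check that the scope actually took effect on this vhost.
function cookie_scope_is_shared(): bool
{
    return session_get_cookie_params()['domain'] === '.example.com';
}
```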
On Jul 26, 3:45 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
To get them to work with all of your subdomains, in your php.ini file set

session.cookie_domain = .example.com

where example.com is your main domain. The leading period is important.
...but test it first - particularly with MSIE 8 and FF3.

A better solution might be to look at single sign on - or at least
rebinding the session id at runtime.

C.
Jul 27 '08 #4
C. (http://symcbean.blogspot.com/) wrote:
Cookie handling is defined by the HTTP specs. And this is correct
operation for cookies. Any browser which doesn't accept this is
non-compliant.

But please - give details on how he should implement a single sign on or
rebind the session at runtime.


Jul 27 '08 #5
On Jul 27, 3:59 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
Single-sign-on:

If not authenticated at the current vhost, redirect to the URL (and
hence vhost) where you do authentication, including a return URL as a
param. At the authentication page, if the user presents a valid session
cookie (NB it doesn't have to be the PHP session cookie; indeed, it'd be
better if it didn't) then redirect back to the return URL including a
token in the params. If there is no valid session cookie, get them to log in
and, if valid, redirect back to the return URL with a token as a param.

current.example.com:

// authenticated(), encrypt(), decrypt() and check_credentials() are the
// poster's own helpers and are not shown
if (!authenticated(isset($_COOKIE['auth']) ? $_COOKIE['auth'] : '')) {
  if (isset($_GET['visa'])) {
    $decrypt=decrypt($_GET['visa']);
    list($auth,$sent)=explode('|',$decrypt);
    // accept the visa only while it is less than 5 seconds old
    if (authenticated($auth) && (abs(time()-$sent)<5)) {
      setcookie('auth',$auth);
    }
  }
}

sso.example.com:

if (isset($_COOKIE['sso_auth']) && authenticated($_COOKIE['sso_auth'])) {
  // already logged in at the SSO host: hand out a timestamped visa
  $visa=encrypt($_COOKIE['sso_auth'] . '|' . time());
  $return=$_GET['return_url'] . '?visa=' . urlencode($visa);
  header("Location: $return");
} else if (isset($_POST['username']) &&
           ($auth=check_credentials($_POST['username'], $_POST['password']))) {
  // NB deliberate assignment
  $visa=encrypt($auth . '|' . time());
  $return=$_GET['return_url'] . '?visa=' . urlencode($visa);
  setcookie('sso_auth',$auth);
  header("Location: $return");
} else {
  // REQUEST_URI rather than PHP_SELF so return_url survives the POST
  print "<form action='" . htmlspecialchars($_SERVER['REQUEST_URI']) . "' method='POST'>
  name: <input type='text' name='username'> Password: <input type='password' name='password'>
  <input type='submit' value='login'>
  </form>\n";
}

Here I'm using a 5 second timeout to reduce the window for replay attacks.

Session rebinding:
If you know that a user has a session id 'ABC' on host 1, and this
shares the PHP session storage mechanism with host 2, then you can force
the PHP session on host 2 to use the same session id, and thus the
same session data. This also means that the user will stay logged in
on host 1 even if they don't touch any of its URLs for longer than
the PHP session's TTL (provided they are still interacting with
host 2), e.g.

on host 1:

require_once('some_encryption_lib.inc.php');
...
session_start();
...
$_SESSION['exported']=true;
// the link carries the session id, the client IP and the time, encrypted together
print "<a href='http://host2.example.com/?force_session=";
print urlencode(encrypt(session_id() . '|' . $_SERVER['REMOTE_ADDR'] . '|' .
time())) . "'>Go to other site</a>";

on host 2

require_once('some_encryption_lib.inc.php');
...
if (isset($_GET['force_session'])) {
  $decrypt=decrypt($_GET['force_session']);
  list($remote_session,$host,$sent)=explode('|',$decrypt);
  // only honour the link from the same client IP and within 5 minutes
  if (($host==$_SERVER['REMOTE_ADDR']) && (abs(time()-$sent)<300)) {
    session_id($remote_session);
  } else {
    // ?
  }
}
session_start();
if (empty($_SESSION['exported'])) {
  // session referenced is dead - reinitialize and/or re-authenticate
}

Here I'm using the client IP and the time the link was generated to
prevent CSRF - this won't work for AOL customers, nor if the link is
accessed more than 5 minutes after it has been generated.

C.
Jul 29 '08 #6
C. (http://symcbean.blogspot.com/) wrote:
And exactly how does this help with multiple subdomains? The cookies
(including the session id cookie) aren't passed to different subdomains
unless he makes the change I suggested. So there is no way to tell from
one subdomain to another whether the user is logged in or not.

And if he makes the change I suggested, he doesn't need all this extra
stuff.


Jul 29 '08 #7
On Jul 29, 10:52 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
The important part he forgot is that sso.example.com needs to
redirect to an auth-reply handler on the original server, which then
authenticates the sso token and generates the subdomain cookie. The
data transferred between sso.example.com and subdomain.example.com
should be encrypted so that falsified data can't be sent directly to
subdomain.example.com.
The general workflow is like this:

GET subdomain.example.com/secure.php
=> redirect to sso.example.com/login?domain=subdomain&url=/secure.php
   The browser sends any sso.example.com cookies in this request, so
   you can store login info in a cookie that only gets sent to
   sso.example.com and do an immediate redirect.
=> redirect to subdomain.example.com/loginHandler.php?token=abcd&url=/secure.php
   Here we get back the encrypted token from the sso server, which we
   decrypt and then generate our subdomain cookie.
=> redirect to subdomain.example.com/secure.php
   After we validated the token and generated our subdomain cookie, we
   redirect to the original page.

It's a bit roundabout, but only the initial sso login should prompt the
user for a password. Subdomain-specific logins will redirect a couple of
times, but it'll be really quick and the user won't really notice.
Subsequent requests are already validated, so they never redirect.

I think this is how the OpenID stuff works, but I'm not sure.

As an easier alternative, you can simply set the session handler to be
memcache (or whichever shared data store), and allow more promiscuous
cookie settings like Jerry suggested.

Richard
Jul 30 '08 #8
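The visa exchange as C. sketched it and Richard spelled out (issued on sso.example.com, consumed by the subdomain's loginHandler), written out as an added example that is not code from the thread; it replaces the posts' unspecified encrypt()/decrypt() with an HMAC-signed, short-lived, single-use token bound to its destination. `$secret` (a key shared by the SSO host and every subdomain), `THIS_HOST`, the 5 second `VISA_MAX_AGE` taken from C.'s post, and PHP 7.1+ are assumptions.

```php
<?php
// Added example, not code from the thread. sso.example.com calls issue_visa()
// once the user is logged in there; the subdomain's loginHandler.php calls
// handle_login(), which verifies the visa and starts the subdomain's own session.

const VISA_MAX_AGE = 5;                          // seconds: the replay window C. chose
const THIS_HOST    = 'subdomain.example.com';    // vhost running loginHandler.php (assumption)

// $destination is "host/path", e.g. "subdomain.example.com/secure.php", so a
// visa meant for one subdomain cannot be presented to another one's handler.
function issue_visa(string $secret, string $username, string $destination, int $now): string
{
    $payload = json_encode([
        'u' => $username,
        'r' => $destination,               // bind the visa to one landing page
        't' => $now,                       // issue time, checked against VISA_MAX_AGE
        'n' => bin2hex(random_bytes(8)),   // nonce, makes the visa single-use
    ]);
    $body = rtrim(strtr(base64_encode($payload), '+/', '-_'), '=');
    return $body . '.' . hash_hmac('sha256', $body, $secret);
}

// Returns the username or null. $seenNonce($n) records $n and reports whether
// it had been seen before; in production back it with the shared session store.
function verify_visa(string $secret, string $visa, string $expectedDestination,
                     int $now, callable $seenNonce): ?string
{
    $parts = explode('.', $visa, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // constant-time comparison: a plain == leaks the MAC byte by byte
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $mac)) {
        return null;
    }
    $json = base64_decode(strtr($body, '-_', '+/'), true);
    $data = ($json === false) ? null : json_decode($json, true);
    if (!is_array($data) || !isset($data['u'], $data['r'], $data['t'], $data['n'])) {
        return null;
    }
    if ($data['r'] !== $expectedDestination) {          // issued for another host or page
        return null;
    }
    if (abs($now - (int)$data['t']) > VISA_MAX_AGE) {    // stale; abs() tolerates small clock skew
        return null;
    }
    if ($seenNonce((string)$data['n'])) {                // same visa presented twice: replay
        return null;
    }
    return (string)$data['u'];
}

// Richard's step 2: the auth-reply handler on the subdomain.
function handle_login(array $get, string $secret, callable $seenNonce): void
{
    $returnUrl = $get['url'] ?? '/';
    // Accept only a site-relative path; a full URL here would be an open redirect.
    if ($returnUrl === '' || $returnUrl[0] !== '/' || substr($returnUrl, 0, 2) === '//') {
        $returnUrl = '/';
    }
    $user = verify_visa($secret, $get['token'] ?? '', THIS_HOST . $returnUrl, time(), $seenNonce);
    if ($user === null) {
        http_response_code(403);
        exit('invalid, expired or reused SSO token');
    }
    session_start();
    session_regenerate_id(true);   // fresh ID: the pre-login one never becomes authenticated
    $_SESSION['user'] = $user;
    header('Location: ' . $returnUrl, true, 303);
    exit;
}

// Self-check with an in-memory nonce store (constructed data, no HTTP involved).
$seen = [];
$seenNonce = function (string $n) use (&$seen): bool {
    $dup = isset($seen[$n]);
    $seen[$n] = true;
    return $dup;
};
$secret = bin2hex(random_bytes(32));
$visa   = issue_visa($secret, 'josh', THIS_HOST . '/secure.php', time());
var_dump(verify_visa($secret, $visa, THIS_HOST . '/secure.php', time(), $seenNonce));       // first use
var_dump(verify_visa($secret, $visa, THIS_HOST . '/secure.php', time(), $seenNonce));       // same visa again
var_dump(verify_visa($secret, $visa, THIS_HOST . '/other.php', time(), $seenNonce));        // other landing page
var_dump(verify_visa($secret, $visa . 'x', THIS_HOST . '/secure.php', time(), $seenNonce)); // tampered MAC
```

Only the first var_dump yields a username; the other three fail on replay, destination and MAC respectively, which is the set of checks Richard's "falsified data" remark calls for.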
Richard Levasseur wrote:
Thanks, Richard, I knew there had to be something else in there.

What a convoluted mess. I can see if it's needed across multiple
individual domains.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jul 30 '08 #9
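The token handoff Richard describes above, written out as an added example (it is not code from the thread, from Joomla, or from any of the posters). sso.example.com issues a token once the user's sso cookie or login has been verified, and the subdomain's loginHandler.php validates it before it sets its own session cookie. Assumptions: a shared secret SSO_KEY is configured on both hosts (placeholder below); the token is authenticated with an HMAC instead of being encrypted as Richard says, since the claims (user id, target subdomain, return path) are not secret and their integrity is what stops falsified data reaching the subdomain; and the replay check uses a per-process array that a real deployment would replace with the shared store (memcache, database) Richard mentions. The return path is carried inside the signed part of the token rather than as a separate url parameter, so it cannot be altered in transit.

```php
<?php
// Added example of the sso.example.com -> subdomain.example.com token handoff.
// Not the thread's or Joomla's code. SSO_KEY is a placeholder for a random
// secret shared by both hosts; the HMAC stands in for the "encryption" the
// post mentions (integrity is what matters here).

const SSO_KEY   = 'REPLACE-WITH-32-RANDOM-BYTES-SHARED-BY-BOTH-HOSTS'; // placeholder
const TOKEN_TTL = 60; // seconds a token stays usable; it is also single-use

// sso.example.com: called after the user's sso_auth cookie or login is verified.
function sso_issue_token(string $userId, string $audience, string $returnPath): string
{
    $claims = [
        'sub'   => $userId,
        'aud'   => $audience,                 // only this subdomain may consume it
        'url'   => $returnPath,               // inside the signed part, so tamper-proof
        'iat'   => time(),
        'nonce' => bin2hex(random_bytes(16)), // makes every token unique
    ];
    $body = base64_encode(json_encode($claims)); // http_build_query() URL-encodes it
    return $body . '.' . hash_hmac('sha256', $body, SSO_KEY);
}

// Replay guard: true the first time a nonce is seen, false afterwards.
function sso_nonce_fresh(string $nonce): bool
{
    static $seen = []; // per-process only; use the shared session store in production
    if ($nonce === '' || isset($seen[$nonce])) {
        return false;
    }
    $seen[$nonce] = true;
    return true;
}

// subdomain.example.com/loginHandler.php: returns the claims, or null if rejected.
function sso_verify_token(string $token, string $expectedAudience, ?int $now = null): ?array
{
    $now   = $now ?? time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    // Constant-time comparison so the MAC cannot be guessed byte by byte.
    if (!hash_equals(hash_hmac('sha256', $body, SSO_KEY), $mac)) {
        return null;
    }
    $claims = json_decode(base64_decode($body, true), true);
    if (!is_array($claims)) {
        return null;
    }
    if (($claims['aud'] ?? null) !== $expectedAudience) {
        return null; // minted for a different subdomain
    }
    if (abs($now - (int) ($claims['iat'] ?? 0)) > TOKEN_TTL) {
        return null; // expired, or clock skew beyond the window
    }
    if (!sso_nonce_fresh((string) ($claims['nonce'] ?? ''))) {
        return null; // already consumed: replay
    }
    return $claims;
}

// Only a same-site absolute path may be used as the post-login redirect target.
function sso_safe_return_path(string $path): string
{
    if ($path === '' || $path[0] !== '/' || substr($path, 0, 2) === '//') {
        return '/';
    }
    return $path;
}

// Glue for loginHandler.php: establish the local session and return where to go.
function sso_handle_login_reply(array $query, string $audience): ?string
{
    $claims = sso_verify_token((string) ($query['token'] ?? ''), $audience);
    if ($claims === null) {
        return null; // caller answers 403 and sets no cookie
    }
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    session_regenerate_id(true); // fresh id once the user is authenticated
    $_SESSION['user'] = $claims['sub'];
    return sso_safe_return_path((string) $claims['url']);
}
```

On the subdomain, secure.php sends an unauthenticated visitor to sso.example.com/login with domain and url query parameters; the sso host calls sso_issue_token() and redirects to loginHandler.php with the token as the only parameter; loginHandler.php calls sso_handle_login_reply($_GET, 'subdomain') and either answers 403 or redirects to the returned path. Keeping TOKEN_TTL short and the nonce check in a store shared by all subdomains limits how long an intercepted token can be reused.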
On Jul 30, 6:21 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
Thanks, Richard, I knew there had to be something else in there.

What a convoluted mess. I can see if it's needed across multiple
individual domains.
I had posted my issue in a couple forums (Joomla-related) and forgot
to post my eventual solution here.

Turns out that in Firefox, the simple step of adding the leading '.'
in front of the domain did the trick (I had been testing in IE).

In IE, however, the issue was that the cookie name as set in Joomla
was made to be dependent on the live_site. This meant that different
subdomains were producing cookies with different names. Interestingly,
FF seems not to care about cookie names, only ids and the domain. And
interestingly, IE seems not to care about cookie domains.

In any case, making both changes (the leading '.', and the set cookie
name) did the trick across browsers (IE7, IE6, IE5.5, Firefox 3,
Safari 3, Opera... all those I tested worked fine).

Thanks for the input, and I hope this helps someone else if anyone
runs into the same type of problem!
Aug 1 '08 #10
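The two changes Josh describes, a cookie domain with the leading dot and one fixed cookie name on every host, written as an added PHP example rather than as the Joomla configuration change he made. It assumes example.com stands for the real parent domain, that the site is served over HTTPS, that the cookie name SITESESSID is a hypothetical choice, and that all subdomains already share one session store (Joomla's MySQL session table qualifies, as does the memcache handler Richard mentions); without a shared store the cookie travels but the session data does not. Because the cookie is now sent to every host under the parent domain, any subdomain that serves untrusted content can read or overwrite it, so the example also turns on the session options that blunt fixation and URL-carried ids.

```php
<?php
// Added example, not Josh's Joomla change: one session cookie shared by
// example.com and all of its subdomains. example.com is a placeholder and
// SITESESSID is a hypothetical cookie name; HTTPS is assumed throughout.

function configure_shared_session(string $parentDomain = 'example.com'): void
{
    // Fixed name on every host. Josh found Joomla derived the name from
    // live_site, so each subdomain set a differently named cookie and the
    // others never recognised it.
    session_name('SITESESSID');

    // php.ini equivalents: session.cookie_domain, session.cookie_path,
    // session.cookie_secure, session.cookie_httponly, session.cookie_samesite.
    session_set_cookie_params([
        'lifetime' => 0,                    // session cookie, gone when the browser closes
        'path'     => '/',
        'domain'   => '.' . $parentDomain,  // leading dot: sent to every subdomain
        'secure'   => true,                 // never sent over plain http
        'httponly' => true,                 // not readable by page scripts
        'samesite' => 'Lax',
    ]);

    // Only accept ids from the cookie, and only ids this server issued.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
}

// Call this instead of a bare session_start() on every host.
function start_shared_session(string $parentDomain = 'example.com'): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    configure_shared_session($parentDomain);
    session_start();

    // Issue a fresh id the first time a browser uses this session, so an id
    // planted by another subdomain before login is never kept.
    if (empty($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
    }
}

// After a successful login, rotate the id again so the pre-login id is dead.
function mark_logged_in(string $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $userId;
}
```

Current browsers follow RFC 6265 and ignore the leading dot: a Domain attribute of example.com already covers every subdomain, and only a cookie without any Domain attribute is restricted to the exact host that set it. Keeping the dot is harmless and matches what Josh found worked across the browsers he tested. The array form of session_set_cookie_params() needs PHP 7.3 or later; on older versions pass the values positionally and samesite is not available.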
