
Session handling, login across all subdomains

I run a Joomla website and am familiar with php in some but not all
aspects. Currently I am trying to find some solutions related to
session handling.

Am I correct in saying that "login" is kept in sessions? I can see
active sessions in my mysql database, but is that the only place this
information is stored? Sessions and cookies I know are related also,
but how specifically (session info stored in cookies?)?

Right now, when users log in at example.com and then visit
subdomain.example.com, they are not logged in at the subdomain. I am
trying to change this so that users logged in on the main site or any
subdomain are also logged in across all other subdomains and the main
site. I know sites like livejournal successfully accomplish this.

I have read some stuff about mod_rewrite solutions, but I don't think
this is really what I need. From what I can tell, the domain is stored
in a session, and I may need to generalize it somehow, but I don't
know how to test this.

Any ideas?
Jul 25 '08 #1
Josh <jj*******@gmail.com> writes:
> Right now, when users login at example.com, and then visit
> subdomain.example.com, they are not logged in at the subdomain.
Besides the name of the session cookie and the place where the session
information is stored, both sites also need to share the idea of who a
"user" is. That would generally mean that both sites use the same database,
or at least that the user information comes from the same table.

That might be a question of setup or installing additional modules etc. I don't
know the specifics of Joomla.

Chetan
Jul 25 '08 #2
Josh wrote:
> Right now, when users login at example.com, and then visit
> subdomain.example.com, they are not logged in at the subdomain.
Your problem is the session id is kept in a cookie. However, the browser
will not normally send a cookie from one website to a different website.
And even though they are subdomains of the same domain, they are
different sites.

To get them to work with all of your subdomains, in your php.ini file set

session.cookie_domain = .example.com

where example.com is your main domain. The leading period is important.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jul 26 '08 #3
On Jul 26, 3:45 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> To get them to work with all of your subdomains, in your php.ini file set
>
> session.cookie_domain = .example.com
>
> where example.com is your main domain. The leading period is important.
...but test it first - particularly with MSIE 8 and FF3.

A better solution might be to look at single sign on - or at least
rebinding the session id at runtime.

C.
Jul 27 '08 #4
C. (http://symcbean.blogspot.com/) wrote:
> ...but test it first - particularly with MSIE 8 and FF3.
>
> A better solution might be to look at single sign on - or at least
> rebinding the session id at runtime.
Cookie handling is defined by the HTTP specs. And this is correct
operation for cookies. Any browser which doesn't accept this is
non-compliant.

But please - give details on how he should implement a single sign on or
rebind the session at runtime.

--
Jerry Stuckle

Jul 27 '08 #5
On Jul 27, 3:59 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> Cookie handling is defined by the HTTP specs. And this is correct
> operation for cookies. Any browser which doesn't accept this is
> non-compliant.
>
> But please - give details on how he should implement a single sign on or
> rebind the session at runtime.
Single-sign-on:

If not authenticated at the current vhost, redirect to the URL (and
hence vhost) where you do authentication, including a return URL as a
param. At the authentication page, if the user presents a valid session
cookie (NB it doesn't have to be the PHP session cookie; indeed, it'd be
better if it didn't) then redirect back to the return URL including a
token in the params. If there is no valid session cookie, get them to log in
and, if valid, redirect back to the return URL with a token as a param.

current.example.com:

if (!authenticated($_COOKIE['auth'])) {
    if (isset($_GET['visa'])) {
        $decrypt = decrypt($_GET['visa']);
        list($auth, $sent) = explode('|', $decrypt);
        // accept the visa only if it was issued less than 5 seconds ago
        if (authenticated($auth) && (abs(time() - $sent) < 5)) {
            setcookie('auth', $auth);
        }
    }
}

sso.example.com:

if (authenticated($_COOKIE['sso_auth'])) {
    // already logged in at the SSO host: hand back a time-stamped visa
    $visa = encrypt($_COOKIE['sso_auth'] . '|' . time());
    $return = $_GET['return_url'] . '?visa=' . $visa;
    header("Location: $return");
} else if ($auth = check_credentials($_POST['username'] ?? '', $_POST['password'] ?? '')) {
    // NB deliberate assignment
    $visa = encrypt($auth . '|' . time());
    $return = $_GET['return_url'] . '?visa=' . $visa;
    setcookie('sso_auth', $auth);
    header("Location: $return");
} else {
    // post back to the same URL so that ?return_url=... survives the login POST
    print "<form action='" . htmlspecialchars($_SERVER['REQUEST_URI']) . "' method='POST'>
        Name: <input type='text' name='username'>
        Password: <input type='password' name='password'>
        <input type='submit' value='Log in'>
    </form>\n";
}

Here I'm using a 5-second timeout to reduce the window for replay attacks.

Session rebinding:
If you know that a user has a session id 'ABC' on host 1, and this host
shares its PHP session storage mechanism with host 2, then you can force
the PHP session on host 2 to use the same session id, and thus the
same session data. This also means that the user will stay logged in
on host 1 even if they don't touch any of its URLs for longer than
the PHP session's TTL (provided they are still interacting with
host 2), e.g.

on host 1:

require_once('some_encryption_lib.inc.php');
...
session_start();
...
$_SESSION['exported'] = true;
// the client IP and the issue time are bound into the link so that it
// cannot be used from another client or long after it was generated
print "<a href='http://host2.example.com/?force_session=";
print urlencode(encrypt(session_id() . '|' . $_SERVER['REMOTE_ADDR'] . '|' . time()))
    . "'>Go to other site</a>";

on host 2:

require_once('some_encryption_lib.inc.php');
...
if (isset($_GET['force_session'])) {
    $decrypt = decrypt($_GET['force_session']);
    list($remote_session, $host, $sent) = explode('|', $decrypt);
    // only honour the link from the same client IP and within 5 minutes of issue
    if (($host == $_SERVER['REMOTE_ADDR']) && (abs(time() - $sent) < 300)) {
        session_id($remote_session);
    } else {
        // ?
    }
}
session_start();
if (empty($_SESSION['exported'])) {
    // session referenced is dead - reinitialize and/or re-authenticate
}

Here I'm using the client IP and the time the link was generated to
prevent CSRF - this won't work for AOL customers, nor if the link is
accessed more than 5 minutes after it has been generated.

C.
Jul 29 '08 #6
C. (http://symcbean.blogspot.com/) wrote:
> Here I'm using the client IP and the time the link was generated to
> prevent CSRF - this won't work for AOL customers, nor if the link is
> accessed more than 5 minutes after it has been generated.
And exactly how does this help with multiple subdomains? The cookies
(including the session id cookie) aren't passed to different subdomains
unless he makes the change I suggested. So there is no way to tell from
one subdomain to another whether the user is logged in or not.

And if he makes the change I suggested, he doesn't need all this extra
stuff.

--
Jerry Stuckle

Jul 29 '08 #7
On Jul 29, 10:52 am, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> And exactly how does this help with multiple subdomains? The cookies
> (including the session id cookie) aren't passed to different subdomains
> unless he makes the change I suggested. So there is no way to tell from
> one subdomain to another whether the user is logged in or not.
>
> And if he makes the change I suggested, he doesn't need all this extra
> stuff.
The important part he forgot is that sso.example.com needs to
redirect to an auth-reply handler on the original server, which then
authenticates the sso token and generates the subdomain cookie. The
data transferred between sso.example.com and subdomain.example.com
should be encrypted so that falsified data can't be sent directly to
subdomain.example.com.

The general workflow is like this:

GET subdomain.example.com/secure.php
=> redirect to sso.example.com/login?domain=subdomain&url=/secure.php
   The browser sends any sso.example.com cookies in this request, so
   you can store login info in a cookie that only gets sent to
   sso.example.com and do an immediate redirect.
=> redirect to subdomain.example.com/loginHandler.php?token=abcd&url=/secure.php
   Here we get back the encrypted token from the sso server, which we
   decrypt and then generate our subdomain cookie.
=> redirect to subdomain.example.com/secure.php
   After we have validated the token and generated our subdomain cookie, we
   redirect to the original page.

It's a bit roundabout, but only the initial sso login should prompt the
user for a password. Subdomain-specific logins will redirect a couple of
times, but it'll be really quick and the user won't really notice.
Subsequent requests are already validated, so they never redirect.

I think this is how the OpenID stuff works, but I'm not sure.

As an easier alternative, you can simply set the session handler to be
memcache (or whichever shared data store), and allow more promiscuous
cookie settings like Jerry suggested.

Richard
Jul 30 '08 #8
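The hand-off that C. sketches with an encrypted "visa" and that Richard spells out as sso -> loginHandler.php -> original page, worked through as an added example that is not code from the thread. It goes a little beyond the posts: the token is HMAC-signed and verified in constant time, it is bound to the target host and the client IP, and the SSO host refuses to issue a visa for any host outside example.com. SSO_SECRET, VISA_TTL, BASE_DOMAIN and the three function names are assumptions, and the secret is a constructed placeholder.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Assumed names: SSO_SECRET, VISA_TTL,
// BASE_DOMAIN, allowed_return_host(), issue_visa(), redeem_visa(). The token is
// HMAC-signed rather than encrypted: the subdomain only has to verify that
// sso.example.com issued it, not hide the user id from the user.

// Constructed placeholder; load the real key from config outside the web root
// and generate it with bin2hex(random_bytes(32)).
const SSO_SECRET  = 'constructed-placeholder-secret-change-me';
const VISA_TTL    = 5;             // seconds a visa stays valid (C.'s 5-second window)
const BASE_DOMAIN = 'example.com';

// Only hosts under the base domain may receive a visa, so the return/url
// parameter cannot turn the SSO host into an open redirect.
function allowed_return_host(string $host): bool
{
    return (bool) preg_match('/^[a-z0-9-]+\.' . preg_quote(BASE_DOMAIN, '/') . '\z/', $host);
}

// sso.example.com side, called once the user is authenticated there.
// The visa binds the user id, the host allowed to redeem it, the client IP
// and the issue time; a random nonce makes every visa distinct.
function issue_visa(string $userId, string $targetHost, string $clientIp,
                    int $now, string $secret = SSO_SECRET): ?string
{
    if (!allowed_return_host($targetHost) || strpos($userId, '|') !== false) {
        return null;
    }
    $payload = implode('|', [$userId, $targetHost, $clientIp, (string) $now,
                             bin2hex(random_bytes(8))]);
    $hex = bin2hex($payload);                     // URL-safe, no escaping needed
    $mac = hash_hmac('sha256', $hex, $secret);
    return $hex . '.' . $mac;
}

// subdomain side (Richard's loginHandler.php). Returns the user id when the
// visa is genuine, addressed to this host and this client, and still fresh;
// otherwise null, and the handler should send the user back to the SSO login.
function redeem_visa(string $visa, string $thisHost, string $clientIp,
                     int $now, string $secret = SSO_SECRET): ?string
{
    $parts = explode('.', $visa, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$hex, $mac] = $parts;
    // Verify the MAC in constant time before trusting any field of the payload.
    if (!hash_equals(hash_hmac('sha256', $hex, $secret), $mac)) {
        return null;
    }
    $fields = explode('|', (string) hex2bin($hex));
    if (count($fields) !== 5) {
        return null;
    }
    [$userId, $host, $ip, $issued] = $fields;
    if ($host !== $thisHost || $ip !== $clientIp || !ctype_digit($issued)) {
        return null;
    }
    $age = $now - (int) $issued;
    if ($age < 0 || $age > VISA_TTL) {            // from the future, or expired
        return null;
    }
    return $userId;
}

// Walk-through of the hand-off from the CLI (no web server needed). In the
// real handler a non-null result is followed by session_start(), storing the
// user id in $_SESSION, and a redirect to the 'url' path (a path, never a full
// URL, for the same open-redirect reason as above).
if (PHP_SAPI === 'cli') {
    $now  = time();
    $visa = issue_visa('42', 'subdomain.example.com', '198.51.100.7', $now);
    // sso.example.com would now answer:
    //   Location: https://subdomain.example.com/loginHandler.php?visa=$visa&url=/secure.php
    var_dump(redeem_visa($visa, 'subdomain.example.com', '198.51.100.7', $now + 2));
    var_dump(redeem_visa($visa, 'other.example.com',     '198.51.100.7', $now + 2)); // issued for another host
    var_dump(redeem_visa($visa, 'subdomain.example.com', '203.0.113.9',  $now + 2)); // presented by another client
    var_dump(redeem_visa($visa, 'subdomain.example.com', '198.51.100.7', $now + 9)); // older than VISA_TTL
    var_dump(issue_visa('42', 'elsewhere.example.org', '198.51.100.7', $now));      // host outside BASE_DOMAIN
}
```

Because the visa carries a nonce, a shared store such as the memcache Richard mentions can record redeemed nonces and close the remaining 5-second replay window entirely.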
Richard Levasseur wrote:
> The important part he forgot is that the sso.example.com needs to
> redirect to an auth-reply handler on the original server, which then
> authenticates the sso token and generates the subdomain cookie.
Thanks, Richard, I knew there had to be something else in there.

What a convoluted mess. I can see if it's needed across multiple
individual domains.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Jul 30 '08 #9
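The sso.example.com to subdomain hop in Richard's workflow above, as an added example that is not code from the thread or from Joomla: the token is HMAC-signed rather than encrypted, so the subdomain can check who issued it, for which host, when, and whether it was already redeemed. The function names, the shared $secret, the nonce store and the 60 second TTL are all assumptions.

```php
<?php
// Added example, not code from the thread: an HMAC-signed token for the
// sso.example.com -> subdomain hop. Assumes both hosts share $secret out of band.

const SSO_TOKEN_TTL = 60;   // seconds a token may be redeemed; the hop is one redirect, so keep it short

function sso_issue_token(string $user, string $domain, string $secret, ?int $now = null): string
{
    $now ??= time();
    // random nonce lets the receiver refuse a second use of the same token inside the TTL
    $payload = implode('|', [$user, $domain, $now, bin2hex(random_bytes(8))]);
    $mac = hash_hmac('sha256', $payload, $secret);
    // URL-safe base64 so the token survives the query string unchanged
    return rtrim(strtr(base64_encode($payload . '|' . $mac), '+/', '-_'), '=');
}

/** Returns the username, or null if the token is forged, expired, replayed or meant for another host. */
function sso_verify_token(string $token, string $expectedDomain, string $secret,
                          array &$seenNonces, ?int $now = null): ?string
{
    $now ??= time();
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    $parts = $raw === false ? [] : explode('|', $raw);
    if (count($parts) !== 5) {
        return null;
    }
    [$user, $domain, $issued, $nonce, $mac] = $parts;
    $payload = implode('|', [$user, $domain, $issued, $nonce]);
    // constant-time compare, so a guessed MAC cannot be refined byte by byte
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    if ($domain !== $expectedDomain || abs($now - (int) $issued) > SSO_TOKEN_TTL) {
        return null;    // minted for another subdomain, or outside the TTL window
    }
    if (isset($seenNonces[$nonce])) {
        return null;    // replay of a token that was already redeemed
    }
    $seenNonces[$nonce] = (int) $issued;
    return $user;
}
// loginHandler.php on the subdomain: redeem the token, then start the subdomain's own session
function sso_login_handler(string $token, string $secret, array &$seenNonces): void
{
    $user = sso_verify_token($token, 'subdomain', $secret, $seenNonces);
    if ($user === null) {
        header('Location: https://sso.example.com/login?domain=subdomain&url=/secure.php');
        exit;
    }
    session_start();
    session_regenerate_id(true);   // never keep an id that existed before authentication
    $_SESSION['user'] = $user;
    header('Location: /secure.php');
    exit;
}
```

The nonce store has to be shared by every server that can redeem tokens, and the subdomain should still confirm $user exists in its own user table before trusting the new session. Because the token is signed but not encrypted, the username is readable in the redirect URL; add encryption if that is a concern.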
I had posted my issue in a couple forums (Joomla-related) and forgot
to post my eventual solution here.

Turns out that in Firefox, the simple step of adding the leading '.'
in front of the domain did the trick (I had been testing in IE).

In IE, however, the issue was that the cookie name as set in Joomla
was made to be dependent on the live_site. This meant that different
subdomains were producing cookies with different names. Interestingly,
FF seems not to care about cookie names, only IDs and the domain. And
interestingly, IE seems not to care about cookie domains.

In any case, making both changes (the leading '.', and the set cookie
name) did the trick across browsers (IE7, IE6, IE5.5, Firefox3,
Safari3, Opera... all those I tested worked fine).

Thanks for the input, and I hope this helps someone else if anyone
runs into the same type of problem!
Aug 1 '08 #10
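Josh's two changes as an added PHP example, not code from the thread or from Joomla: the per-host cookie setup that kept logins from carrying over, beside the shared setup with one fixed cookie name and the leading-dot domain Jerry pointed out. The function names and the cookie name are hypothetical.

```php
<?php
// Added example, not code from the thread or from Joomla: the weak per-host
// session cookie beside the shared one. Cookie name and domain are hypothetical.

// Before: the cookie name was derived from the host (Joomla's live_site), so each
// subdomain set a differently named cookie, and with no domain given the browser
// scopes the cookie to the exact host. Neither cookie is ever sent to the other
// subdomain, so the login does not carry over.
function start_per_host_session(): void
{
    session_name('sess_' . md5($_SERVER['HTTP_HOST']));   // differs per subdomain
    session_start();
}

// After: one fixed cookie name on every host and a parent-domain cookie (the
// leading dot), so every subdomain presents the same session id.
function start_shared_session(string $parentDomain): void
{
    if ($parentDomain === '' || $parentDomain[0] !== '.') {
        $parentDomain = '.' . $parentDomain;             // ".example.com"
    }
    session_name('joomla_shared_sid');                   // same name on every host
    session_set_cookie_params([
        'domain'   => $parentDomain,
        'path'     => '/',
        'secure'   => true,      // only sent over https
        'httponly' => true,      // not readable by page scripts on any subdomain
        'samesite' => 'Lax',
    ]);
    session_start();
}
```

The wider the cookie domain, the more hosts can read the session id, so a script injection or misconfiguration on any one subdomain now exposes logins on all of them. The session store itself must also be shared (Richard's memcache remark) for the same id to mean the same session on every host.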