I've been trying to find a way to transfer session data (login information
and such) between different domains, both on the same shared host. I think
(I haven't tested yet, though) that using the same session ID will return
the same session data, since they're both running off the same copy of PHP.
The data being transmitted isn't extremely sensitive (not enough to be
worried about things like shared-server tempfile reading), but I want to be
as secure as possible on the front-end.
Anyhow, how does this sound:
* The Session mechanism will be instructed to use only cookies. This might
be a pain to some users, but they've got to know by now that much of the
web uses Cookies, and they need to deal with it as such.
* All care will be taken to prevent code from being arbitrarily executed on
the site. Users will not be able to arbitrarily upload executable
JavaScript or other code.
* This system will allow an easy transition from one domain name to
another, both on the same shared webspace, while remaining "logged in"
under a common set of credentials. I will use two of my own domain names as
examples. The user, in this case, is trying to go from pixelsaredead.com to
omni-megacorp.com.
1.) The user logs on to pixelsaredead.com and a session is set up. They are
authenticated and receive a Session ID cookie.
2.) The user clicks to a "launch" page, which will transfer them from
pixelsaredead.com to omni-megacorp.com, while staying logged in. If they
are not currently authenticated, with an authenticated session, they are
Given the Boot.
3.) The "launch" page from pixelsaredead.com generates and stores a random
identifier, completely underived from the Session ID. The Random ID (RID)
and Session ID (SID) are then correlated in a table. The "receiver" page on
omni-megacorp.com is then called using only the RID:
http://www.omni-megacorp.com/login/r...as89h98as8asdh
4.) The "receiver" page checks the RID to see if it correlates with a valid
session. If not, the user is Given the Boot.
5.) If the RID matches a given session, that session is reactivated for
omni-megacorp.com, and the user is now logged in on both sites (through
some mechanism). The RID is then flagged as "invalid". Upon any further
attempts to use that RID, the associated session is invalidated. If anyone
tries to hijack the session, both the hijacker and the legitimate user get
logged off, with no security breached.
--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com
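The RID/SID table described in steps 1 through 5 above, as an added example that is not part of the original post. It models the handoff logic in Python rather than PHP's session layer: `login` stands in for step 1, `issue_rid` for the "launch" page (steps 2 and 3), and `redeem_rid` for the "receiver" page (steps 4 and 5), including the rule that any reuse of a spent RID kills the linked session. The 60-second token lifetime, the in-memory dictionaries, and the `HandoffStore` name are assumptions of this example, not something the post specifies.

```python
"""Single-use cross-domain login handoff: a model of the RID/SID table.

Added example, not from the original post. Models the scheme in Python
rather than PHP. The 60-second RID lifetime is an assumption the post
does not make; all state is in-memory so the demo runs offline.
"""
import secrets
import time


class HandoffStore:
    """Shared state both domains can reach (same host, same PHP in the post).

    _sessions: sid -> {"user": str, "active": bool}
    _tokens:   rid -> {"sid": str, "used": bool, "issued": float}
    """

    def __init__(self, ttl_seconds=60, clock=time.time):
        self._ttl = ttl_seconds      # assumed lifetime of an unredeemed RID
        self._clock = clock          # injectable so expiry can be tested
        self._sessions = {}
        self._tokens = {}

    # --- step 1: login on the first domain -------------------------------
    def login(self, user):
        """Authenticate and return a fresh SID (the cookie value)."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "active": True}
        return sid

    def is_authenticated(self, sid):
        s = self._sessions.get(sid)
        return bool(s and s["active"])

    # --- steps 2-3: the "launch" page --------------------------------------
    def issue_rid(self, sid):
        """Return a fresh RID for an authenticated session, else None (the boot).

        The RID comes from the CSPRNG and is not derived from the SID, so a
        RID seen in a URL, log or Referer never reveals the cookie value.
        """
        if not self.is_authenticated(sid):
            return None
        rid = secrets.token_urlsafe(32)
        self._tokens[rid] = {"sid": sid, "used": False, "issued": self._clock()}
        return rid

    # --- steps 4-5: the "receiver" page ------------------------------------
    def redeem_rid(self, rid):
        """Exchange a RID for its SID exactly once.

        unknown or expired RID     -> None (user gets the boot)
        first use of a valid RID   -> the SID; the RID is flagged as used
        any later use of that RID  -> None, and the linked session is
                                      deactivated, so hijacker and legitimate
                                      user are both logged off
        """
        tok = self._tokens.get(rid)
        if tok is None:
            return None
        if tok["used"]:
            # Replay of a spent RID: treat as hijack, kill the session.
            self._sessions[tok["sid"]]["active"] = False
            return None
        if self._clock() - tok["issued"] > self._ttl:
            # Stale RID: discard it, but leave the session alone.
            del self._tokens[rid]
            return None
        tok["used"] = True
        return tok["sid"] if self.is_authenticated(tok["sid"]) else None


if __name__ == "__main__":
    store = HandoffStore()
    sid = store.login("rudy")              # pixelsaredead.com login
    rid = store.issue_rid(sid)             # "launch" page
    print("first redeem  ->", store.redeem_rid(rid) == sid)   # receiver accepts
    print("second redeem ->", store.redeem_rid(rid))          # None, session killed
    print("still logged in?", store.is_authenticated(sid))    # False
```

On the receiver side, a successful `redeem_rid` is where omni-megacorp.com would set its own session cookie to the returned SID; the RID itself never becomes a cookie. Because the RID travels in a URL, it will appear in server logs and in the Referer header of whatever the receiver page loads next, which is exactly why it has to be single-use and short-lived: once redeemed (or expired) it is worthless to anyone who later reads it out of a log.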