
Does this sound safe? Sessions between domains

I've been trying to find a way to transfer session data (login information
and such) between different domains, both on the same shared host. I think
(I haven't tested yet, though) that using the same session ID will return
the same session data, since they're both running off the same copy of PHP.

The data being transmitted isn't extremely sensitive (not enough to be
worried about things like shared-server tempfile reading), but I want to be as
secure as possible on the front-end.

Anyhow, how does this sound:

* The Session mechanism will be instructed to use only cookies. This might
be a pain to some users, but they've got to know by now that much of the
web uses Cookies, and they need to deal with it as such.

* All care will be taken to prevent code from being arbitrarily executed on
the site. Users will not be able to arbitrarily upload executable
JavaScript or other code.

* This system will allow an easy transition from one domain name to
another, both on the same shared webspace, while remaining "logged in"
under a common set of credentials. I will use two of my own domain names as
examples. The user, in this case, is trying to go from pixelsaredead.com to
omni-megacorp.com.

1.) The user logs on to pixelsaredead.com and a session is set up. They are
authenticated and receive a Session ID cookie.

2.) The user clicks to a "launch" page, which will transfer them from
pixelsaredead.com to omni-megacorp.com, while staying logged in. If they
are not currently authenticated, with an authenticated session, they are
Given the Boot.

3.) The "launch" page from pixelsaredead.com generates and stores a random
identifier, completely underived from the Session ID. The Random ID (RID)
and Session ID (SID) are then correlated in a table. The "receiver" page on
omni-megacorp.com is then called using only the RID:

http://www.omni-megacorp.com/login/r...as89h98as8asdh

4.) The "receiver" page checks the RID to see if it correlates with a valid
session. If not, the user is Given the Boot.

5.) If the RID matches a given session, that session is reactivated for
omni-megacorp.com, and the user is now logged in on both sites (through
some mechanism). The RID is then flagged as "invalid". Upon any further
attempts to use that RID, the associated session is invalidated. If anyone
tries to hijack the session, both the hijacker and the legitimate user get
logged off, with no security breached.

--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com
Jul 17 '05 #1
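The five-step RID handoff above, modelled as an added example (my code, not the poster's PHP): in-memory dicts stand in for the shared session store and the RID/SID correlation table, `RID_TTL` is an assumed expiry the post does not specify, and a reuse of a consumed RID revokes the underlying session so both parties are logged out.

```python
import secrets
import time

# Constructed in-memory stand-ins for the shared PHP session store and for the
# RID<->SID correlation table (assumption: both domains read the same store).
SESSIONS = {}   # sid -> {"user": str, "valid": bool}
HANDOFFS = {}   # rid -> {"sid": str, "used": bool, "expires": float}
RID_TTL = 60    # seconds a launch link stays usable (assumed value)


def login(user):
    """Step 1: authenticate on pixelsaredead.com and create a session."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "valid": True}
    return sid


def launch(sid):
    """Steps 2-3: the launch page mints a RID that is unrelated to the SID."""
    sess = SESSIONS.get(sid)
    if sess is None or not sess["valid"]:
        return None                      # not authenticated: Given the Boot
    rid = secrets.token_urlsafe(24)      # random, not derived from the SID
    HANDOFFS[rid] = {"sid": sid, "used": False, "expires": time.time() + RID_TTL}
    return rid


def receive(rid, now=None):
    """Steps 4-5: the receiver page on omni-megacorp.com consumes the RID and
    returns the SID to set as this domain's cookie, or None (Given the Boot)."""
    now = time.time() if now is None else now
    entry = HANDOFFS.get(rid)
    if entry is None:
        return None                      # unknown RID
    if entry["used"]:
        # Reuse of a consumed RID: revoke the session itself, so both the
        # replayer and the legitimate user are logged out.
        SESSIONS[entry["sid"]]["valid"] = False
        return None
    entry["used"] = True                 # single use: flagged invalid from now on
    if now > entry["expires"]:
        return None                      # expired launch link
    sess = SESSIONS.get(entry["sid"])
    if sess is None or not sess["valid"]:
        return None
    return entry["sid"]


def is_logged_in(sid):
    sess = SESSIONS.get(sid)
    return sess is not None and sess["valid"]
```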
Regarding this well-known quote, often attributed to FLEB's famous "Fri, 14
May 2004 15:52:57 -0400" speech:


Anyhow, how does this sound:


Aside from the numerous spelling-and-grammar errors I just found *after*
hitting "Post". Sheesh.

--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com
Jul 17 '05 #2
"FLEB" <so*********@mmers.and.evil.ones.will.bow-down-to.us> wrote in
message news:1n******************************@40tude.net.. .
I've been trying to find a way to transfer session data (login information
and such) between different domains, both on the same shared host. I think
(I haven't tested yet, though) that using the same session ID will return
the same session data, since they're both running off the same copy of PHP.

You can probably just pass the session id in the URL to the second domain.
If upon receiving the id and storing it in a cookie, the script immediately
does a redirect, there's little risk of the id showing up in someone's httpd
log.

Jul 17 '05 #3
FLEB wrote:

[snip]

What you may want to do is plan on NOT having those two sites on the same
server... what if you move to two separate servers? I think I would work on some
sort of web service for transferring session data in a serialized string, then
giving the user the new SID via cookie or URL or whatever, and redirecting them
to the new site.

Jeff
Jul 17 '05 #4
Regarding this well-known quote, often attributed to Jeff Rodriguez's
famous "Fri, 14 May 2004 17:22:22 -0700" speech:
FLEB wrote:

[snip]

What you may want to do is plan on NOT having those two sites on the same
server... what if you move to two separate servers? I think I would work on some
sort of web service for transferring session data in a serialized string, then
giving the user the new SID via cookie or URL or whatever, and redirecting them
to the new site.

Jeff


Right now it's more for personal use, and I know I'll own and serve all the
domain names off the same server. Still, though, I might work in a back-end
transfer system later on.

(musing)

I doubt it would be too difficult. Simply fake a POST submission of the
serialized data, with a secret-key-signed hash along with it. Have the
remote site's script generate a session key, and send it (with a signed
hash as well) back to the original script.

--
-- Rudy Fleminger
-- sp@mmers.and.evil.ones.will.bow-down-to.us
(put "Hey!" in the Subject line for priority processing!)
-- http://www.pixelsaredead.com
Jul 17 '05 #5
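The back-end transfer mused about above, as an added example that is not the poster's code: the serialized session data is carried in a signed message, the remote script verifies it and replies with its own freshly minted SID under the same signature scheme. `SHARED_KEY`, `MAX_SKEW` and the nonce cache are my assumptions; the timestamp and nonce go beyond the post so that a captured POST cannot simply be replayed.

```python
import hmac
import hashlib
import json
import secrets
import time

SHARED_KEY = b"constructed-demo-key-not-a-real-secret"   # assumed pre-shared secret
MAX_SKEW = 120        # seconds a signed payload stays acceptable (assumed)
SEEN_NONCES = set()   # receiver-side replay cache (persistent storage in practice)


def sign(payload, key=SHARED_KEY):
    """Serialize the session data with a timestamp and nonce, attach an HMAC."""
    body = dict(payload, ts=int(time.time()), nonce=secrets.token_hex(8))
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, data, hashlib.sha256).hexdigest()
    return {"data": data.decode(), "mac": mac}


def verify(message, key=SHARED_KEY, now=None):
    """Receiving side: constant-time MAC check, then freshness and replay check.
    Returns the session dict on success, None on any failure."""
    now = int(time.time()) if now is None else now
    data = message["data"].encode()
    expected = hmac.new(key, data, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["mac"]):
        return None                       # tampered data or wrong key
    body = json.loads(data)
    if abs(now - body["ts"]) > MAX_SKEW:
        return None                       # stale capture
    if body["nonce"] in SEEN_NONCES:
        return None                       # replayed POST
    SEEN_NONCES.add(body["nonce"])
    return {k: v for k, v in body.items() if k not in ("ts", "nonce")}


def remote_login(message):
    """Remote site's script: accept the transfer, generate its own session key,
    and send it back to the original script inside a signed reply."""
    session = verify(message)
    if session is None:
        return None
    new_sid = secrets.token_hex(16)
    return sign({"sid": new_sid, "user": session["user"]})
```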