Cross Domain PHP Sessions

Secure and Flexible Cross-Domain Sessions

What you could do is create "cross-over" links between the sites to carry the session over.

The simplest way is to pass the session id via the query string; e.g.

http://whateverblammo.com/?sessid=XXYYZZ

Before you start thinking that anyone can trap that information, think about how your cookies are transferred; assuming you're not using SSL, there's not much difference for someone who taps the network.

That doesn't mean it's safe; for one, users could accidentally copy/paste the address bar and thus leak their session. To limit this exposure, you could immediately redirect to a page without the session id after receiving it.

Note that using mcrypt() on the session id won't help much, because it's not the visibility of the value that's the problem; session hijacking doesn't care about the underlying value, only the reproducibility of the URL.

You have to make sure the id can be used only once; this can be done by creating a session variable that keeps track of the use count:

session_start(); // the session must be active before $_SESSION is touched
$_SESSION['extids'] = array();

$ext = md5(uniqid(mt_rand(), true)); // just a semi-random value to mark this link
$_SESSION['extids'][$ext] = 1;

// http_build_query() expects an array, not a bare key => value pair
$link = 'http://othersite/?' . http_build_query(array('sessid' => session_id() . '-' . $ext));

When received:

list($sid, $ext) = explode('-', $_GET['sessid'], 2); // split into session id and one-time marker
session_id($sid);
session_start();
if (isset($_SESSION['extids'][$ext])) {
    // okay, make sure it can't be used again
    unset($_SESSION['extids'][$ext]);
}

You need these links every time a boundary is crossed, because the session may have gotten regenerated since the last time.
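The following is an added example, not code from the answer above. It keeps the answer's one-time-link idea but hardens it: the marker comes from the CSPRNG, expires after a minute, is bound to the target host, is stored in the session only as a hash, and the receiving side validates its input strictly and redirects to a clean URL so the values never sit in the address bar. It assumes both hosts read the same session store (the same save_path on one server, or a shared handler) and uses the placeholder host name b.example.

```php
<?php
// Added example; not code from the original answer. It keeps the answer's
// one-time-link idea but hardens it: CSPRNG token, short expiry, token bound
// to the target host, only a hash of the token kept in the session, strict
// input checks, and a redirect that strips the values from the address bar.
// Assumptions: both hosts read the same session store (same save_path on one
// server, or a shared handler), and the host name below is a placeholder.

const HANDOVER_TTL  = 60;            // seconds a handover link stays valid
const RECEIVER_HOST = 'b.example';   // configured name of this receiving site (placeholder)

/** Issuing site: build a link that carries the current session once. */
function issue_handover_link(string $targetUrl): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $token = bin2hex(random_bytes(16));            // 128 unpredictable bits
    $_SESSION['handover'][hash('sha256', $token)] = [
        'expires' => time() + HANDOVER_TTL,
        'target'  => strtolower((string) parse_url($targetUrl, PHP_URL_HOST)),
    ];
    // Separate parameters instead of "sid-token": with
    // session.sid_bits_per_character=6 an id may itself contain '-'.
    $sep = strpos($targetUrl, '?') === false ? '?' : '&';
    return $targetUrl . $sep . http_build_query(['sid' => session_id(), 'token' => $token]);
}

/** Receiving site: adopt the session only if the token checks out, then burn it. */
function accept_handover(string $sid, string $token): bool
{
    // Reject malformed values before they reach the session layer.
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $sid) || !preg_match('/^[0-9a-f]{32}$/', $token)) {
        return false;
    }
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_id($sid);
    session_start();

    $key   = hash('sha256', $token);
    $entry = $_SESSION['handover'][$key] ?? null;
    unset($_SESSION['handover'][$key]);            // a token is consumed on first use

    $valid = is_array($entry)
        && (int) $entry['expires'] >= time()
        && hash_equals((string) $entry['target'], RECEIVER_HOST);

    if (!$valid) {
        // Throw away the loaded session and the cookie that session_start() queued;
        // nothing is written, so a token issued for a different host stays usable there.
        session_abort();
        header_remove('Set-Cookie');
        return false;
    }
    session_write_close();                          // persist the consumed token
    return true;
}

// Entry point on the receiving site, e.g. https://b.example/handover.php
if (is_string($_GET['sid'] ?? null) && is_string($_GET['token'] ?? null)) {
    if (accept_handover($_GET['sid'], $_GET['token'])) {
        header('Location: /', true, 303);           // clean URL: no sid/token left to copy
    } else {
        http_response_code(403);
    }
    exit;
}
```

The session id still travels in the URL, so it can show up in Referer headers, proxy logs and browser history; the one-time token stops the link from being replayed, but a short TTL and HTTPS are what limit exposure of the id itself. A stricter design puts only the token in the URL and resolves it to the session through the shared store, which is the direction the next answer's shared-storage point leads to.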

Preserving session variables across different domains

Cross-domain session ids

Session ids are passed around using cookies by default. Since your websites are on different domains the session cookie does not transfer over, so that's one thing that prevents cross-domain sessions from working.

One technique to have the session ids transfer over is to append them to the query string of all your requests (PHP even has some degree of built-in support for this). However, this way of doing things has many drawbacks -- the most important being that people copy/paste URLs all the time, with all that implies about revealing valid and reusing invalid session ids -- and therefore is not recommended.

A much better approach would be to use JavaScript to make cross-domain requests across all of the interested domains (which would need to be cooperating in this, of course). This way you can seamlessly transfer your session id across as many servers as you need to.

Shared session data

Even if the cookie were not a problem, you would need to have the session data on some storage commonly accessible by all your servers. The default storage is the local filesystem, so again this is something that needs to change if you want cross-domain sessions.

A simple solution to this problem would be to use a custom session handler that stores the data on a database or other globally accessible store.

Jquery cross domain login with PHP sessions

Are the two domains running on the same server and Apache+PHP stack?
In that case, you just need to set the cookies for .example.com instead of www.example.com (the default). The session data is stored on the same server, so the session can be shared.

<?php
ini_set('session.cookie_domain', '.example.com');

session_start();
...

You can take a look at this answer Sharing php Session ($_SESSION) across multiple domain

For the JS side, since cross-domain AJAX is not allowed, I suggest using a <form> element and specifying a redirect parameter, so that your login script (login.php) can redirect the user back to the right place after login. (You also need to add code in login.php to handle the redirect.)

<form id="loginForm" action="http://www.example.com/script/login.php" method="post">
<input type="hidden" name="username" value="..."/>
<input type="hidden" name="password" value="..."/>
<input type="hidden" name="redirect" value="http://www.m.example.com/" />
</form>

<script>$("#loginForm").submit();</script>
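Below is an added example of the login.php side that the answer says you still have to write; it is not the answer's own code. It sets the parent-domain cookie the answer describes, verifies the credentials, regenerates the session id after login, and follows the redirect parameter only when its host is on an allow-list of the cooperating sites, so the parameter cannot be turned into an open redirect. The user store and the host list are placeholders, and the example assumes the sites are served over HTTPS.

```php
<?php
// Added example, not the original answer's code: login.php for the form above.
// Assumptions: HTTPS on both hosts, placeholder user store and host allow-list.

const ALLOWED_HOSTS = ['www.example.com', 'www.m.example.com'];

/** Return the redirect parameter if it points at one of our hosts, else a fallback. */
function safe_redirect_target(?string $candidate, string $fallback = 'https://www.example.com/'): string
{
    if ($candidate === null || $candidate === '') {
        return $fallback;
    }
    $parts = parse_url($candidate);
    // Require an explicit https URL whose host is ours. This rejects
    // "//evil.example", "javascript:..." and "https://www.example.com.evil.example".
    if ($parts === false
        || ($parts['scheme'] ?? '') !== 'https'
        || !in_array(strtolower($parts['host'] ?? ''), ALLOWED_HOSTS, true)
        || isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    return $candidate;
}

/** Placeholder credential check; load the password_hash() value from your user table in practice. */
function credentials_ok(string $username, string $password): bool
{
    static $users = null;
    $users ??= ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    $hash = $users[$username] ?? null;
    return $hash !== null && password_verify($password, $hash);
}

// Same effect as ini_set('session.cookie_domain', '.example.com') in the answer,
// plus the flags that keep the shared cookie off plain HTTP and away from scripts.
session_set_cookie_params([
    'domain'   => '.example.com',
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
    $pass = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    if (credentials_ok($user, $pass)) {
        session_regenerate_id(true);               // new id after login (fixation defence)
        $_SESSION['user'] = $user;
        $target = is_string($_POST['redirect'] ?? null) ? $_POST['redirect'] : null;
        header('Location: ' . safe_redirect_target($target), true, 303);
    } else {
        http_response_code(401);
        echo 'Login failed';
    }
    exit;
}
```

Because the cookie is scoped to .example.com, www.m.example.com and www.example.com count as the same site, so a SameSite=Lax cookie is still sent on the cross-host form post; the allow-list check is what keeps the redirect parameter from sending a freshly logged-in user to a host you do not control.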

How do I save a variable in php session after passing it cross domain via JQuery / AJAX?

I believe the session started in pass.php and the session in index.php are two different sessions. I cannot be sure since I don't have the means to try it out now but I've given a possible solution, do try and report back if it works for you or not. :)

pass.php

//...
// session_start() is assumed to run above this point (elided in the original)
$raw = file_get_contents('php://input');   // $HTTP_RAW_POST_DATA was removed in PHP 7
if ($raw !== false && $raw !== '') {
    parse_str($raw, $arr);                 // body is sent as name=...&id=...

    $_SESSION["username"] = $arr['name'] ?? null;
    $_SESSION["userid"] = $arr['id'] ?? null;

    $arr2['callback'] = "ok";
    $arr2['sessid'] = session_id();

    echo json_encode($arr2);
}
//...

ajax

$.ajax({
    url: "http://52.39.48.172/bin/pass.php",
    data: "name=" + name + "&id=" + id,
    type: "POST",
    dataType: "json",
    contentType: "application/json; charset=utf-8",
    success: function(data) {
        if (data.callback == "ok") {
            // lnk is the chat page URL, defined elsewhere in the poster's code
            window.location.href = lnk + "?sessid=" + data.sessid;
        } else {
            alert("ERROR: could not connect to chat");
        }
    }
});

index.php

session_id($_GET['sessid']);
session_start();

How a session variable in php multi domain?

I found a solution at once!
I check on the index of the site if the user_id session exists, whether it is connected; if so it's OK, and if it does not exist I make a redirect to the main site.
If the session exists, I go through this URL with a user key and connect the member with respect to this key (encrypted). But if it has not been found, I just redirect to the site the user wanted! :)
Easy as pie (French term ^^) and functional!
Thank you for your answer!

If you want, ask me for the code.
