Secure and Flexible Cross-Domain Sessions
What you could do is create "cross-over" links between the sites to carry the session over.
The simplest way is to pass the session id via the query string; e.g.
http://whateverblammo.com/?sessid=XXYYZZ
Before you start thinking that anyone can trap that information, think about how your cookies are transferred; assuming you're not using SSL, there's not much difference for someone who taps the network.
That doesn't mean it's safe; for one, users could accidentally copy/paste the address bar and thus leaking out their session. To limit this exposure, you could immediately redirect to a page without the session id after receiving it.
Note that using mcrypt()
on the session id won't help much, because it's not the visibility of the value that's the problem; session hijacking doesn't care about the underlying value, only its reproducibility of the url.
You have to make sure the id can be used only once; this can be done by creating a session variable that keeps track of the use count:
$_SESSION['extids'] = array();
$ext = md5(uniqid(mt_rand(), true)); // just a semi random diddy
$_SESSION['extids'][$ext] = 1;
$link = 'http://othersite/?' . http_build_query('sessid' => session_id() . '-' . $ext);
When received:
list($sid, $ext) = explode('-', $_GET['sessid']);
session_id($sid);
session_start();
if (isset($_SESSION['extids'][$ext])) {
// okay, make sure it can't be used again
unset($_SESSION['extids'][$ext]);
}
You need these links every time a boundary is crossed, because the session may have gotten regenerated since the last time.
Cross domains sessions - shared shopping cart cross domains
You can use a third domain to identify your customers over all domains.
Use for example a PHP File on http://thirdDomain.com/session.php that is included on all pages on both shops.
Sample:
<script type="text/javascript" src="http://thirdDomain.com/session.php"></script>
After your customer switches domains, you can identify him as the same customer using the third domain.
You can assign the session id on both shops to the session id on the third domain to access the cart on both shops. You only need to inform the third domain about your shop sessions (i.e. add them as parameter).
Depending on how flexible you are with your code and templates, you can even use an output from the third domain to define the session id in your shops. This way you can use the same session id on all domains.
But normally a session id assignment should be the more secure way.
Using the javascript version you can also output scripts that may add a session id to all outgoing links and forms to the other domain in the current html page. This might be interesting if you can identify your customer as having cookies blocked.
You can also use the javascript to inform the parent document about an existing session.
What is Firebase's cross-domain policy?
Ways to Connect
There are multiple ways to communicate with the Firebase servers, and these include:
- Firebase Client - One of the officially-supported client libraries, currently including JavaScript (both for Web and Node.js), ObjC (iOS and Mac OS-X), and JVM (Android and Java).
- REST API - Accessible via
https://<your-firebase>.firebaseio.com
.
CORS Policy
Firebase uses a fully-permissive cross-origin resource sharing (CORS) policy, meaning that you can make requests to the Firebase servers from any origin. This is possible because Firebase does not use cookies or traditional sessions to govern which requests are authorized and which are not.
Cross-Domain Policy File (Flash)
Similarly, Firebase uses a fully-permissive cross-domain policy file, requiring only that requests be made over SSL. See the policy file at https://demo.firebaseio-demo.com/crossdomain.xml.
Security Overview
Firebase relies upon a flexible authentication system and expression-based rules language to govern which requests are authorized and which are not.
In order for a request to be authorized, the request must include a Firebase Authentication Token, which is a way of securely sharing data between your server (or authentication provider, if using Firebase Simple Login), and the operation (and corresponding data) must pass the developer-defined security rules.
Firebase is accessible from anywhere via the client libraries or REST API, and enables you to build a fully-secure application using only client-side code. Get started with Firebase authentication by heading to the Quickstart Guide.
jQuery REST Session doesn't work, but works in POSTMan
Generally sessions are stored in Cookies. So, when you are making Cross-Domain requests, Cookies are not shared. A simple fix would be using a proxy.php
but now I got the best solution as to use named sessions.
Use the following code to get your sid
:
<?php
if (isset($_GET["sid"]))
session_id($_GET["sid"]);
session_start();
header("Access-Control-Allow-Origin: *");
header("Content-type: application/json");
var_dump(session_id()); // Gives you the SID.
From the next time, use the sid
as a GET
parameter, and that will check the server session and resume the session.
Related Topics
How to Insert Array of Data into MySQL Using PHP
Properly Calling the Database from Model in an MVC Application
How Many Days Until X-Y-Z Date
How to Find Array/Dictionary Value Using Key
Return Errors from PHP Run Via. Ajax
Can't Make Laravel 4 to Work on Localhost
Eloquent Parent-Child Relationship on Same Model
How to Get Values Inside <![Cdata[Values]] > Using PHP Dom
How to Check If Directory Contents Has Changed with PHP
PHP How to Create Multiple Sessions
Using Ajax in a Wordpress Plugin
How to Connect PHP with Microsoft Access Database
PHP Date Time Current Time Add Minutes
How Validate Unique Email Out of the User That Is Updating It in Laravel
Detect In-App Browser (Webview) with PHP/Javascript