Secure and Flexible Cross-Domain Sessions

What you could do is create "cross-over" links between the sites to carry the session over.

The simplest way is to pass the session id via the query string; e.g.

http://whateverblammo.com/?sessid=XXYYZZ

Before you start thinking that anyone can trap that information, think about how your cookies are transferred; assuming you're not using SSL, there's not much difference for someone who taps the network.

That doesn't mean it's safe; for one, users could accidentally copy/paste the address bar and thus leak their session. To limit this exposure, you could immediately redirect to a page without the session id after receiving it.

Note that using mcrypt() on the session id won't help much, because it's not the visibility of the value that's the problem; session hijacking doesn't care about the underlying value, only the reproducibility of the URL.

You have to make sure the id can be used only once; this can be done by creating a session variable that keeps track of the use count:

session_start();
if (!isset($_SESSION['extids'])) {
    $_SESSION['extids'] = array(); // don't reset it on every link, or earlier ids stop working
}

$ext = bin2hex(random_bytes(16)); // random one-time id (was md5(uniqid(mt_rand(), true)))
$_SESSION['extids'][$ext] = 1;

$link = 'http://othersite/?' . http_build_query(array('sessid' => session_id() . '-' . $ext));

When received:

$raw = isset($_GET['sessid']) ? $_GET['sessid'] : '';
$pos = strrpos($raw, '-'); // the one-time id follows the last '-' (session ids may contain '-')
if ($pos === false) { exit('missing cross-over id'); }
$sid = substr($raw, 0, $pos);
$ext = substr($raw, $pos + 1);
if (!preg_match('/^[A-Za-z0-9,-]+$/', $sid)) { exit('bad session id'); }
session_id($sid);
session_start();
if (isset($_SESSION['extids'][$ext])) {
    // okay, make sure it can't be used again
    unset($_SESSION['extids'][$ext]);
} else {
    // unknown or already-used id: detach from that session instead of resuming it
    $_SESSION = array(); session_regenerate_id();
}

You need these links every time a boundary is crossed, because the session may have gotten regenerated since the last time.
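As an added example, not code from the original answer, here is a version of the cross-over link that keeps the session id out of the URL entirely: the link carries only a random, single-use, expiring token, and a store that both sites can read maps the token (hashed) to the session id. The `$handoffStore` array, the 60-second `HANDOFF_TTL` and the `othersite.example` host are constructed stand-ins; a real deployment would put a shared cache or database table in place of the array.

```php
<?php
// Added example: one-time, expiring cross-over token held in a shared store.
// The array below is a constructed stand-in for a store both domains can reach.

const HANDOFF_TTL = 60; // seconds a link stays valid (assumed value)

$handoffStore = array();

// Called on the site the user is leaving. Returns the token to put in the link.
function issueHandoff(array &$store, string $sessionId): string
{
    $token = bin2hex(random_bytes(32));      // 256-bit random token
    $store[hash('sha256', $token)] = array(  // store only a hash of the token
        'sid'     => $sessionId,
        'expires' => time() + HANDOFF_TTL,
    );
    return $token;
}

// Called on the receiving site. Returns the session id to resume, or null.
function redeemHandoff(array &$store, string $token): ?string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                          // malformed token
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                          // unknown or already used
    }
    $entry = $store[$key];
    unset($store[$key]);                      // single use, consumed even if expired
    if ($entry['expires'] < time()) {
        return null;                          // expired
    }
    return $entry['sid'];
}

// Sending site: build the link (host is an assumed value).
$link = 'https://othersite.example/?' .
    http_build_query(array('t' => issueHandoff($handoffStore, session_id())));

// Receiving site: resume the session, then redirect so the token leaves the address bar.
$sid = redeemHandoff($handoffStore, isset($_GET['t']) ? $_GET['t'] : '');
if ($sid === null) {
    http_response_code(403);
    exit;
}
session_id($sid);
session_start();
header('Location: /');
exit;
```

Because the receiving side consumes the entry before checking expiry, a replayed or late token fails the same way as an unknown one, and a leak of the store itself does not yield usable tokens since only their hashes are kept.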

Cross domains sessions - shared shopping cart cross domains

You can use a third domain to identify your customers over all domains.

Use, for example, a PHP file on http://thirdDomain.com/session.php that is included on all pages of both shops.

Sample:

<script type="text/javascript" src="http://thirdDomain.com/session.php"></script>

After your customer switches domains, you can identify him as the same customer using the third domain.

You can assign the session id on both shops to the session id on the third domain to access the cart on both shops. You only need to inform the third domain about your shop sessions (i.e. add them as a parameter).

Depending on how flexible you are with your code and templates, you can even use an output from the third domain to define the session id in your shops. This way you can use the same session id on all domains.
But normally a session id assignment should be the more secure way.

Using the javascript version you can also output scripts that may add a session id to all outgoing links and forms to the other domain in the current html page. This might be interesting if you can identify your customer as having cookies blocked.
You can also use the javascript to inform the parent document about an existing session.

What is Firebase's cross-domain policy?

Ways to Connect

There are multiple ways to communicate with the Firebase servers, and these include:

  • Firebase Client - One of the officially-supported client libraries, currently including JavaScript (both for Web and Node.js), ObjC (iOS and Mac OS-X), and JVM (Android and Java).
  • REST API - Accessible via https://<your-firebase>.firebaseio.com.

CORS Policy

Firebase uses a fully-permissive cross-origin resource sharing (CORS) policy, meaning that you can make requests to the Firebase servers from any origin. This is possible because Firebase does not use cookies or traditional sessions to govern which requests are authorized and which are not.

Cross-Domain Policy File (Flash)

Similarly, Firebase uses a fully-permissive cross-domain policy file, requiring only that requests be made over SSL. See the policy file at https://demo.firebaseio-demo.com/crossdomain.xml.

Security Overview

Firebase relies upon a flexible authentication system and expression-based rules language to govern which requests are authorized and which are not.

In order for a request to be authorized, the request must include a Firebase Authentication Token, which is a way of securely sharing data between your server (or authentication provider, if using Firebase Simple Login), and the operation (and corresponding data) must pass the developer-defined security rules.

Firebase is accessible from anywhere via the client libraries or REST API, and enables you to build a fully-secure application using only client-side code. Get started with Firebase authentication by heading to the Quickstart Guide.

jQuery REST Session doesn't work, but works in POSTMan

Generally sessions are stored in cookies. So, when you are making cross-domain requests, cookies are not shared. A simple fix would be using a proxy.php, but now I have the best solution, which is to use named sessions.

Use the following code to get your sid:

<?php
if (isset($_GET["sid"]) && preg_match('/^[A-Za-z0-9,-]+$/', $_GET["sid"])) {
    session_id($_GET["sid"]); // resume the named session
}
session_start();
header("Access-Control-Allow-Origin: *");
header("Content-type: application/json");
echo json_encode(array("sid" => session_id())); // Gives you the SID as JSON.

From then on, use the sid as a GET parameter, and that will check the server session and resume it.
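As an added example (not code from the original answer), the standard way to let the browser send the session cookie on a cross-domain XHR is credentialed CORS with an explicit origin allow-list, rather than carrying the session id in the query string. The origins in `$allowedOrigins` and the `user_id` session key are assumed values for illustration.

```php
<?php
// Added example: credentialed CORS so the session cookie travels cross-origin.
// Origins below are assumed values, not from the original answer.

$allowedOrigins = array(
    'https://shop.example',   // assumed front-end origin
    'https://app.example',    // assumed second front-end origin
);

$origin = isset($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';

// Browsers refuse "Access-Control-Allow-Origin: *" on a request made with
// withCredentials, so the exact origin is echoed back, and only when it is on
// the allow-list. Unknown origins get no CORS headers at all: the browser then
// blocks the cross-origin read, while same-origin and non-browser clients are
// unaffected.
if (in_array($origin, $allowedOrigins, true)) {
    header('Access-Control-Allow-Origin: ' . $origin);
    header('Access-Control-Allow-Credentials: true');
    header('Vary: Origin'); // stop caches serving one origin's answer to another
}

// Preflight for non-simple requests (custom headers, JSON bodies).
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type');
    header('Access-Control-Max-Age: 600');
    exit;
}

// A cookie is only attached to a cross-site request when it carries
// SameSite=None, which in turn requires Secure (HTTPS). The array form of
// session_set_cookie_params() needs PHP 7.3 or later.
session_set_cookie_params(array(
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'None',
));
session_start();

header('Content-Type: application/json');
echo json_encode(array('logged_in' => isset($_SESSION['user_id'])));
```

On the client, the jQuery call has to opt in with `xhrFields: { withCredentials: true }` (the equivalent of Postman sending its stored cookie); without it the browser omits the cookie no matter what the server sends. Browsers that block third-party cookies outright will still drop the cookie, which is the case where the proxy.php approach mentioned above remains the fallback.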
