Share Session Between Two Websites

Share Session Between Two Websites

Urk. First off, never, EVER do this:

$session_id = $_REQUEST['session_id'];  

This causes a security truck-hole we refer to as 'session fixation' ( read more: http://en.wikipedia.org/wiki/Session_fixation ).

It seems you're pretty heavy on security. If you need to share data from site 1 to site 2, you should do it through a single consumption bridge:

1). Click on a link on Site 1 to a handler file, let's call it redir.php.

2). Redir.php first checks the existing session data.

3). Redir.php writes relevant info into a DB row, along with some sort of identifier (say, an MD5 hash of the user ID + '_'+ current time), plus a 'consumed' flag, set false.

4). Redir.php does a 301 redirect to Site 2, along with the identifier.

5). Site 2 reads the relevant row out of the DB.

6). If the data is good and has not yet been 'consumed', return a success and mark the data as consumed.

7). If the data has been consumed, throw some sort of error.

There are more complex ways of doing this, but I think this handles what you're trying to do.

Sharing session between two different web browser

Theoretically, you could do this using session_id() and a database entry, although security will be tricky since a malicious user could try generating random session IDs to mimic a logged-on user's session.

Session information is stored in a cookie in the client's browser, with a specified ID. By storing that ID and a JSON string of the data, whenever it's updated, various users could conceivably share the same data. They'd all have to poll the server once in a while to see if the data has been changed.

But at that point, you don't need to use $_SESSION anymore, so it's pretty much defeated the purpose of your question. You can get the same behavior with regular variables, which would already be a security improvement.

---

Short answer: No, that's not the point of sessions.

Share session between two websites in ASP.NET MVC

Based on your description, I think what you are talking about is Single sign-on (SSO). SSO is a session/user authentication process that permits a user to enter one name and password in order to access multiple applications. The process authenticates the user for all the applications they have been given rights to and eliminates further prompts when they switch applications.

Can anyone explain how it works on dotNET Stack?

To implement SSO, you need to create a shared authentication server or use a exist shared authentication providers(ex Microsoft/Google). Here are some examples of implement SSO using ASP.NET.

Basics of Single Sign on (SSO)

Using OAuth Providers with ASP.NET MVC 4

Introducing Single Sign-on to an existing ASP.NET MVC application

PHP - Sharing session between multiple subdomains

Problem found:

My subdomains are on different apache servers so sessions vars can't be shared. I'll use database storage with unique vars in cookies to share my variables.

How to access same Session in two websites?

You cannot cross the app domain with built in asp.net session for good security reasons.

What you are looking for is a single sign on system. This means you'd only have to sign on once but you'd after switching between apps you might have to reload that app's session from db if it isn't there. This can be done as you have their identity from the sign on.

Share Session between two web sites using asp.net and state server

You'll need a way to convince your browser to send the same ASP.NET session cookie regardless of which site it visits.

If the cookie isn't present on the request, then a new session will get created with that key.

I think you can get the browser to retain the key with some sneaky DNS configs - if you assign http://website1.mydomain.com/ and http://website2.domain.com/ to be the addresses of your sites, then set the domain of the ASP.NET session cookie to "domain.com", then your browser will send it to both sites and the session should be shared.

You may also be able to use cookieless mode with ASP.NET, and grab the session ID from the generated URLs.

---

Related Topics