Cross domain PHP Sessions

I am building a site which allows a user to point a CNAME record at my site to run their "profiles"; this allows your OWN domain name to load your profile on my site.

This is raising all sorts of issues related to sessions. I have seen virb do it. I don't see any of the information that is session based in an iFrame... but there IS an iFrame present on the page.

I can get the domain stuff to work, I just lose session data... Any ideas?

(Here is an example --Links to Virb-- http://www.agentspider.com/ )


Solution 1:

You can't set cookies cross domain by default. I believe you can set up a P3P file(s) to enable it: http://p3ptoolbox.org/guide/section4.shtml#IVd I haven't done this myself, so I don't know how many browsers implement it or if it even works that way.

Virb looks like it's just using JavaScript. It has an AJAX library that makes a JSON-P request to the virb server if no session cookie is set (on the first load in Firefox you can see this in Firebug). The JSON response just lets the page know if the user is logged in or not, and updates the portions of the page that need to reflect user status.

So what's happening is the page embeds some JS from virb.com. Since the domain is virb.com, the cookies set for virb.com are sent to the server. The server then responds with the result of the cookie to the external site.

In the case of virb, which won't work properly without JS, I think that's a good option. However, you could do the same with HTTP Redirects.

If the HTTP Host is not the main domain (example.com):

// use empty() so a missing cookie does not raise a notice
if (empty($_COOKIE['sessionid']) && $_SERVER['HTTP_HOST'] != 'example.com') {
    // redirect to your main site
    header('Location: http://example.com');
    exit; // stop the script so nothing is sent after the redirect
}

On the main site, set the cookie, and send the user back to the external domain (domain.com) passing the session id in the Location.

header('Location: http://domain.com/?sessid=' . urlencode($_COOKIE['sessionid']));
exit;

The final bit is to redirect back to the page you were on now that you have the same session going.

setcookie('sessionid', $_GET['sessid']); // sessid arrives in $_GET['sessid']
header('Location: http://domain.com/');
exit;

Note, in actuality you can send the page you're currently on back to example.com in the first step, so you can redirect back to it later.

Since you're just using headers (you don't need to output content) and, in most cases HTTP/1.1, you'll be on the same TCP socket, I think it's pretty efficient and will be more supported than the JavaScript option.

Edit: don't forget to set the cookie when you get back to the external domain.

The last step is optional, but it keeps the sessid from being in a URL, which is more of a security issue than keeping it in HTTP headers.
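As an added example (not code from this answer or from virb), here is the three-step redirect hand-off above in one PHP script that serves both the main host and the CNAME'd hosts. It goes one step further than the answer: instead of the raw session id, the URL carries a short-lived, one-time token that is redeemed on the external host, so a leaked URL or log line does not expose the session. It assumes one code base on one server (shared session save path) behind example.com and every CNAME'd host; example.com, /handoff.php, /tmp/handoff and allowed_host() are placeholders.

```php
<?php
// Added example, not code from the answer above: Solution 1's three redirect
// steps in one script, passing a short-lived one-time token in the URL instead
// of the raw session id. Assumes one code base and one server (shared session
// save path) behind example.com and every CNAME'd host; paths are placeholders.
const MAIN_HOST = 'example.com';
const TOKEN_TTL = 60;               // seconds a hand-off token stays valid
const TOKEN_DIR = '/tmp/handoff';   // placeholder for a shared token store

function allowed_host(string $h): bool {
    // Placeholder: the real check looks $h up in the table of CNAME'd hosts,
    // which also stops the return_to redirect being used as an open redirect.
    return preg_match('/^[a-z0-9.-]+$/i', $h) === 1;
}

session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
$host = $_SERVER['HTTP_HOST'];
$page = strtok($_SERVER['REQUEST_URI'], '?');   // current path without query

if ($host === MAIN_HOST && isset($_GET['return_to'])) {
    // Step 2 (main host): mint a token bound to this session, send the visitor back.
    $rt = parse_url($_GET['return_to']) ?: [];
    if (empty($rt['host']) || !allowed_host($rt['host'])) { http_response_code(400); exit; }
    $token = bin2hex(random_bytes(32));
    if (!is_dir(TOKEN_DIR)) mkdir(TOKEN_DIR, 0700, true);
    file_put_contents(TOKEN_DIR . "/$token", session_id() . ':' . (time() + TOKEN_TTL));
    header('Location: https://' . $rt['host'] . ($rt['path'] ?? '/') . '?handoff=' . $token);
    exit;
} elseif ($host !== MAIN_HOST && isset($_GET['handoff'])) {
    // Step 3 (external host): redeem the token exactly once, adopt the session,
    // then redirect to the clean URL so the token never stays in the address bar.
    $file = TOKEN_DIR . '/' . preg_replace('/[^a-f0-9]/', '', $_GET['handoff']);
    $rec  = is_file($file) ? (string) file_get_contents($file) : '';
    if ($rec !== '') unlink($file);                   // one-time use
    [$sid, $exp] = explode(':', $rec, 2) + ['', 0];
    if ($sid === '' || (int) $exp < time()) { http_response_code(403); exit; }
    session_write_close();
    session_id($sid);                                 // join the main-host session
    session_start();
    header('Location: https://' . $host . $page);
    exit;
} elseif ($host !== MAIN_HOST && !isset($_COOKIE[session_name()])) {
    // Step 1 (external host, no session cookie yet): bounce via the main host,
    // remembering the page we were on.
    $here = 'https://' . $host . $page;
    header('Location: https://' . MAIN_HOST . '/handoff.php?return_to=' . urlencode($here));
    exit;
}
// Fall through: the request carries a usable session on this host; render the page.
```

The token is deleted on first use and expires after TOKEN_TTL seconds, so replaying a captured hand-off URL fails with 403; the only place the real session id travels is the cookie.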

Solution 2:

The only way is to add session ids to the urls that go from one domain to another (or add that session id to the iframe src url), and then code your session storage backend to handle this.

Of course, you need to consider all the security issues that this approach brings along.

Solution 3:

Nothing simpler than:

1) create domain1.com/client.html with source:

<script type="text/javascript" src="http://domain2.com/server_set_cookie.php"></script>

2) create domain2.com/server_set_cookie.php with php source:

<?php
// compact P3P policy; must be sent before any output
header("p3p: CP=ALL DSP COR PSAa PSDa OUR NOR ONL UNI COM NAV");

// setcookie(name, value, expiry): the cookie name comes from the request, the value is the literal 'cookie_name'
setcookie($_REQUEST['cookie_name'], 'cookie_name', time() + 3600);

http://smartcoding.wordpress.com/2009/07/12/setcookie-cross-domain-cookie-write/