Topic awaiting preservation: php multiple site login system - almost... (Page 1 of 1)

Hello everyone!

I have a website, (www.allthingsinteresting.com). On my site, there is a bunch of cool stull like games and classifieds.
I decided to move my classifieds website to it's own domain name (www.safarri.com), while still being hosted from the classifieds folder on my main website through the use of parked domains and a site engine that I wrote in php.

One of the features of my website is a universal login system. Login to one site on the "ATI Network", and you are logged in to all of 'em. The problem I have now run into is that, with my classifieds site being located at www.safarri.com, the session id cookies for the login system (which have allthingsinteresting.com as the host) aern't getting passed to my login script so it thinks the user isn't logged in...

Here are the steps I have taken to try to solve this:

1 - Tryed adding allthingsinteresting.com, safarri.com to the host address field of the session cookie. Didn't work because, as I later found out, cookies apparently don't support this syntax.
2 - Before each page loads, the script uses header(location to redirect to a site with allthingsinteresting.com in the domain name, store the session cookie contents in a variable, then redirect back to the intended page. - This might work, but it is quite tacky, and I'me sure search engines would completely ban my site (which would defeat the entire purpose).
3 - Use frames in some tricky way to accomplish the above example without redirects - given up because I couldn't figure out how to make this work.
4 - THE MOST PROBABLE - Disable the php session handlers build in cookie setting thing, and set several cookies manually, one for each domain name which will share the login. - I spent some time trying to get this to work, but finally gave up because I couldn't figure out how to set a cookie with a different domain parameter than the current url.

Therefore, Where I'me currently at, is trying to figure out how to set cookies with a different domain parameter than the currently vised page. Mabye it's something I'me doing wrong (hopefully), but whenever I call the setCookie() function and supply a different parameter for the domain field other than the currently viewed page, the cookie is never saved. Whether this happens on the client's side or the server side I haven't been able to find out, but the result is the same.
Example: Someone logs in at www.allthingsinteresting.com, and my script trys to send two cookies to the users browser. Ther are both identical, except for the domain parameter. The main difference between the two is that the one with the domain set to .allthingsinteresting.com gets set, and the .safarri.com one doesn't. Anyone know why?

Thank You!

-Robur

For security reasons, you can not set a cookie for another domain than the one currently visited.
PHP Sessions are esentially referenced by a cookie, and therefore don't pass across hosts either.

Option 3 is the only way I see. Basically, loading a central iframe, which in turn calls a javascript function in your main page, which then reloads the iframe with the session transfering code in your current domain.

here is an idea. im not sure if this works.

you could host all sites using subdomains and then use apaches mod_rewrite to access these subdomains using the top level domains.
with this you could set cookies on the top level domain of the subdomains.

could this work?

Tyberius prime:

Great idea, only now that you mentioned it, I realised that it can be taken even further, and be done wholly in php! Heres what I'm probably going to do:
Every page, when loading, will check if the session cookie is present for all networked websites. If it's not, the page will stick an invisible iframe at on itself which will keep refreshing (to dirrerent host addreses) and setting cookies untill all ATI network login cookies are set! The benifit of using this method is that I can just tell search engines to leave the iframe alone (with robots.txt), and then they will still like my site!

Thanks for giving me the idea!

I will report how it works out, but I think we've just solved the problem much more elegantly than has ever been done before!


Grumble:

I am actually already doing something kind of like that. All my sites are hosted from my www.allthingsinteresting.com domain name, just in different directories. For example, my classifieds website, Safarri, is actually loacted at www.allthingsinteresting.com/classifieds. When someone trys to visit any of my sites, I use mod_rewrite to redirect them to loadpage.php (my site engine), which sets up a bunch of stuff (url conversion, database abstraction libraris, global functions, ect), and then includes the page that the user requested.
So, basically, I could do that, but I don't really want to. I don't think my users would appreciate typing in www.classifieds.allthingsinteresting.com every time they want to visit a page
(On secont thought, it might get this forum a lot of new members

Thanks anyway!




-Aubrey

i mean you could use mod_rewrite to map www.classifieds.com to www.classifieds.allthingsinteresting.com

Grumble:

Actually, I am already doing something like that. The problem is that, when the browser sees www.safarri.com in the address bar, it won't accept cookies from www.allthingsinteresting.com

Thanks anyway,

-Robur

P.S. I am almost done writing the iframe refresh code!

Status Update:

While, when I said almost, I meant it in a figurative sort of way. It really was almost done, but then I thought "why am I using php's build in sessions in the first place?". Since I couldn't answer this question, I am now writinc the code to store a unique session for every page visitor in my site's database.

I can't wait to report success...

-Robur

usually, because it's a whole heck of a load easier than rolling your own sessions.

Well, I have come to see what you meant However, I'm REALLY almost finished this time, and wait till you see my new session manager in action!

It supports crossdomain logins, storing user prefrences in the database, and super easy updating of session variables!

-Robur

hey

i am having the same problem, but i ahve about 10 sub-domains and i want when i user enter his/her username and password it will automaically log the user to all of the domains

this was what i was trying to put in ma login page

include("http://$URL/login32.php?op=login&username=$username&password=$password");

for every domin

Do you think it will work?

PLEASE HELP ME

Everyone:

Sorry it took me SOOOO long to get back to you. I forgot about this thread! (sorry)....


Anyway, I successfully completed the login system! How I finally did it was, at the bottom of every page, I stuck an Iframe for each domiain I wanted to be able to share session data with. The iframes each refrenced a page that loaded a cookie and then died. Once the user's cookies were then loaded, It was relatively easy to check for the existence of a cookie, lookup the user's info from the database, and handle the rest! I don't mind giving out the code, but it relies on a lot of other functions written by me (you know how that goes ), so I don't know if it would help you too much. If anyone wants it, just ask

You can see the session management system in action at my websites (watch how sessions are preserved across domains):

http://www.allthingsinteresting.com
http://www.safarri.com

Thanks,

-Robur


AF_developer:

i'me sorry, but i didn't understand the

quote:

---

"include("http://$URL/login32.php?op=login&username=$username&password=$password");"

---

thing.

Anyway, i think what you want to do is set the session.cookie_domain config option to read ".{yourDomainName}.com" (the first dot is what makes the cookie viewable from subdomains.).

Resources which you might find helpful are:

http://us4.php.net/session (the php session manual)
http://us4.php.net/manual/en/function.session-set-cookie-params.php (the php session manual's section on cookies)

Thanks,

-Robur The Conqueror

Hey

Thanks For your reply, but i cant decide is Session better or Cookie

but i think your is better

af_developer:


I'm not sure you understand quite how this works.

In order to preserve session variables as the user visits different pages, php has a built in session handling function. The function works by setting cookies. All the data that the cookie contains is that user's "session id". That way, php can keep a flatfile database full of session data, with corresponding session id's. Whenever php sees a cookie with a session id in it, php loads that user's session data (such as username, password, email address, etc) from it's database and sets them up as superglobals to be used in the php script. Php's built in session handling functions are somewhat customizable, and the option I recommended before was customising the cookie that php's session handling function set, so that all the subdomains of your site could see it. (by default, only sites that set the cookie can view it, but there is a way to get subdomains of a site to see the cookie by adding a . (period) in front of the domain name of the cookie.)

What I have been working on, is writing my own session handling sytem. It has the obvious benifit of being completely customizable, with the con of being fairly difficult to set up.

Hope this clarify's some things,

-Robur MOW

Since your sites are hosted on the same server, could you also have passed the session id in the URL from page to page, Robur?

Yes, I could of, but that would been somewhat clunky.

For one, search engines would ban me, and for two, people couldn't tell their friends to visit a certain URL!
The most important part is search engines.

Thanks for your suggestion, though!

-Robur