PHP Shared Sessions across Domain

2019-02-13 11:36发布

问题:

I have seen a few answers to this on SOF but most of these are concerned with the use of subdomains, of which none have worked for me. The common one being that the use of session.cookie_domain, which from my understanding will only work with subdomains.

I am interested in a solution that deals with deals with entirely different domains (and includes the possibility of subdomains). Unfortunately project deadlines being what they are, time is not on my side, so I turn to SOF's expertise and experience.

The current project brief is to be able to log into one site which currently only stores the user_id in the session and then be able to retrieve this value while on a different domain within the same server enviroment. Session data is being stored/retrieved from a database where the session id is the primary key.

I am hoping to find a "light wieght" and "easy" to implement solution.

The system is utlising an in-house Model View Controller design pattern, so all requests (including different domains) are run through a single bootstrap script. Using the domain name as a variable, this determines what context to display to the user.

One option that did look like to have potential is the use of a hidden image and using the alt tag to set the user id. My first impressions suggest this immediately seems "too easy" (if possible) and riddled with security flaws. Disscuss?

Another option which I considered is using the IP and User Agent for authentication but again I feel this not going to be a reliable option due to shared networks and changing IP addresses.

My third option (and preferred) which I considered and as yet not seen discussed is using htaccess to fool the user into thinking that they are on a different domain when infact apache is redirecting; something like

www.foo.com/index.php?domain=bar.com&controller=news/categoires/1
but displays to the user as
www.bar.com/news/categories/1

foo.com represents the "main site domain" which all requests are run through and bar.com is what the user thinks they are accessing. The controller request dictates the page and view being requested. Is this possible?

Are there other options? Pros/Cons?

Thanks in advance!!!

回答1:

Have you thought about using session_set_save_handler. You can store your sessions in a database and access them from any domain.



回答2:

  1. Define a main session server (I do this in combination with memcached)

  2. use Ajax / JSON(P) to request a session from this server, this allows you to share sessions over multiple domains

  3. Reuse this session



回答3:

For the benefit for anyone else interested in this functionality, there is no simple answer I am afraid. Google "Single Sign On" and it will come back with the technology and some solutions avialable.

As for using htaccess to hide the domain name, this is not possible as it could be used for malicious activities.

I have now successfully implemented a system to achive my requirements.