
PHP Server Side Scripting Forum

    
Transferring session data from one server to another
I want to pass users between servers
grahamstewart




msg:1308492
 12:27 am on Apr 15, 2003 (gmt 0)

I am writing a site that requires user authentication. I have an SSL server available to me that I would like to be able to use for the login form (to avoid password sniffing), but I can't quite figure out how to go about it.


The sequence of events I am imagining is...

1. User views normal site on server A

2. User follows a link to a page that requires him to be logged on.

3. PHP on the protected page discovers he is not logged on and redirects him to a login form on server B, the secure SSL server.

3. User completes login form and gets redirected back to the protected page on server A.

4. The protected page now lets him view its contents.


The problem is how do I let server A know that the user successfully logged in on server B? :o

They have different hosts, so I don't think I can use sessions. And cookies would be way too insecure.

Any suggestions?

 

DrDoc




msg:1308493
 12:41 am on Apr 15, 2003 (gmt 0)

Well, if you're using your own session_save_handler you can always use a database on server A... Just let the script on server B log in on server A, and store the info in the database. Then you can just pass the session ID in the URL...

grahamstewart




msg:1308494
 12:50 am on Apr 15, 2003 (gmt 0)

Not a bad idea :)

I'm a bit concerned about passing the session handle in the url though. Won't anyone who types in the same url be able to hijack the session?

Still I could pass the handle as POST data instead I suppose.

Got any good library examples of a MySQL based session_save_handler?

DrDoc




msg:1308495
 1:22 am on Apr 15, 2003 (gmt 0)

We don't have any here at WebmasterWorld, as far as I know. There are several examples on the net, but they've all seemed to have some issues. So, here's what I use. Change the bold to whatever your settings/preferences are.


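<?php
// Note: the mysql_* functions used here were removed in PHP 7; on current PHP use mysqli or PDO.
// Register the custom handlers in the order: open, close, read, write, destroy, gc.
session_set_save_handler("SessionStart", "SessionEnd", "SessionRead", "SessionWrite", "SessionDestroy", "SessionGarbageCollect");

$id = session_id();
$lifetime = get_cfg_var("session.gc_maxlifetime");

// open: connect to the database that holds the sessions table.
function SessionStart($session_save_path, $session_name) {
    mysql_pconnect("host", "username", "password") or die("Can't connect to MySQL server!");
    mysql_select_db("database") or die("Can't select MySQL sessions database");
    return true;
}

// close: nothing to release, the connection is persistent.
function SessionEnd() {
    return true;
}

// read: return the stored data of an unexpired session, or create an empty row for a new one.
function SessionRead($id) {
    // Escape the ID before it goes into the query; it arrives from the client.
    $sid = mysql_real_escape_string($id);
    $result = mysql_query("SELECT data FROM sessions WHERE sessionid='$sid' AND expires>".time());

    if ($result && mysql_num_rows($result)) {
        $var = mysql_fetch_row($result);
        $temp = $var[0];
        return $temp;
    } else {
        global $whatever;
        global $lifetime;
        $expires = time() + (int) $lifetime;
        $data = mysql_real_escape_string($whatever);
        $result = mysql_query("INSERT INTO sessions (sessionid,expires,data) VALUES('$sid','$expires','$data')");
        return "";
    }
}

// write: store the serialized session data and push the expiry time forward.
function SessionWrite($id, $whatever) {
    global $lifetime;
    $expires = time() + (int) $lifetime;
    $sid = mysql_real_escape_string($id);
    // Session data is user-influenced, so it must be escaped as well.
    $data = mysql_real_escape_string($whatever);
    $result = mysql_query("UPDATE sessions SET expires='$expires',data='$data' WHERE sessionid='$sid' AND expires>".time());
    return (bool) $result;
}

// destroy: remove the row when the session is destroyed.
function SessionDestroy($id) {
    $sid = mysql_real_escape_string($id);
    $result = mysql_query("DELETE FROM sessions WHERE sessionid='$sid'");
    return (bool) $result;
}

// gc: delete every session whose expiry time has passed.
function SessionGarbageCollect($lifetime) {
    $result = mysql_query("DELETE FROM sessions WHERE expires<".time());
    return (bool) $result;
}
?>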



The variable name $whatever should be something that is hard for others to guess, but makes sense to you.

You'll have to do this to decode the session variables on subsequent pages:

session_start();
session_decode($temp);

As far as table structure, this works for me:

sessionid - varchar(32), primary key
expires - int(11)
data - text
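
Added example, not part of the original thread or any poster's code: one way to hand the login result from server B to server A through the shared database without putting a reusable session ID in the URL, which is the hijacking concern raised earlier in the thread. It uses a short-lived, single-use token instead. The login_tokens table, issueToken(), redeemToken(), the host name and the in-memory SQLite database (standing in for the database both servers can reach) are assumptions made for this example.

```php
<?php
// Added example. Assumed names: login_tokens, issueToken(), redeemToken().
// In-memory SQLite stands in for the database shared by server A and server B.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (
    token_hash TEXT PRIMARY KEY, username TEXT NOT NULL, expires INTEGER NOT NULL)');

// Server B, after the password check succeeds: mint a random single-use token.
function issueToken(PDO $db, string $username, int $ttl = 60): string {
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO login_tokens VALUES (?, ?, ?)');
    // Only a hash is stored, so reading the table does not yield usable tokens.
    $stmt->execute([hash('sha256', $token), $username, time() + $ttl]);
    return $token;                                  // goes into the redirect URL
}

// Server A, on the return request: look the token up, then consume it.
function redeemToken(PDO $db, string $token): ?string {
    $hash = hash('sha256', $token);
    $sel = $db->prepare(
        'SELECT username FROM login_tokens WHERE token_hash = ? AND expires > ?');
    $sel->execute([$hash, time()]);
    $user = $sel->fetchColumn();                    // false when unknown or expired
    // The DELETE is the atomic step: of two concurrent requests carrying the
    // same token, only one removes the row and is therefore accepted.
    $del = $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?');
    $del->execute([$hash]);
    if ($user === false || $del->rowCount() !== 1) {
        return null;
    }
    // Here server A would call session_regenerate_id(true) and record the
    // user in its own $_SESSION; the token itself is never used again.
    return $user;
}

// Constructed demonstration of the flow (user name and host are placeholders).
$token = issueToken($db, 'alice');
$url = 'http://server-a.example/protected.php?t=' . urlencode($token);
var_dump(redeemToken($db, $token));                 // first arrival on server A
var_dump(redeemToken($db, $token));                 // same URL typed in again
var_dump(redeemToken($db, str_repeat('0', 64)));    // token that was never issued
```

Because the token dies on first use and after its short lifetime, a URL copied from history, a log or a Referer header no longer identifies a live session.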

DrDoc




msg:1308496
 1:27 am on Apr 15, 2003 (gmt 0)

Actually, you should be able to use it without sessions too (even though that would be less safe) by just using include to grab the page from server A

grahamstewart




msg:1308497
 1:59 am on Apr 15, 2003 (gmt 0)

Nice one, thanks for the code Doc. :)

Not sure if I want to go down this road or not though. Seems an overly complex solution somehow.

just using include to grab the page from server A

Yeah that would be the easiest solution... but (there is always a 'but' isn't there?) server B is a shared server with a shared server certificate and a common url.

i.e. The urls look like https:/secure.acommerceserver.com/my_username/ rather than http:/www.my_username.com

So the resulting pages would have ugly, off-site urls. Which would no doubt confuse my users (who are non-technical doctor types).

DrDoc




msg:1308498
 2:28 am on Apr 15, 2003 (gmt 0)

Well, once the session handling is set up it takes care of itself :)

As for ugly URL, why not have the first page on server A redirect?

header("Location: whatever.html");

grifter




msg:1308499
 2:50 am on Apr 15, 2003 (gmt 0)

Echoing DrDoc, using header(), you could choose to do a double-redirect to clean up the URL once the user is returned to A.

Not 100% sure, but with redirects, you might get those pesky "you are being taken to/from a secure site" messages.
