Cross domain cookie based session


Anne3G

10:59 am on Oct 21, 2010 (gmt 0)

10+ Year Member



Hi,

I have multiple ecommerce websites having shared checkout & login system & all resources are also shared. I have pointed domain2 to domain1 using CNAME. IP addresses of both domains are different.

The issue is that the session is not maintained across multiple domains. I want to set it up so that if someone logs in from www.domain1.com & browses another domain called www.domain2.com, the login information is available on www.domain2.com.

I put the code below in the .htaccess file of www.domain2.com but it's not working.
<IfModule mod_php4.c>
php_value session.cookie_domain www.domain1.com
</IfModule>

I read so many forums & articles related to cross domain cookies but I can't find a proper solution on how to implement it.

Urgent help is needed.

Thanks in advance.

Anne3G

10:35 am on Nov 3, 2010 (gmt 0)

10+ Year Member



Hi,

I have changed the CNAME things & now I have parked domain1.com & domain2.com at maindomain.com. I have set up the store at maindomain.com & all source code & the database reside at maindomain.com.

All 3 web sites run fine as I wanted, but 1 issue is still there. If I log in at maindomain.com, it is not showing as logged in at domain1.com & domain2.com. I know that cookies & sessions are not available cross site. How can I achieve that?

I read so many things about single sign on for multiple sites. I can't find an exact solution on how to implement it. I am using oscommerce v3.0 for my store.

Any help will be appreciated.

Anne

jdMorgan

5:44 pm on Nov 29, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> cookies & sessions are not available cross site

Cookies, by definition and for security, are visible only to the domain by which they are created. "Sessions" are defined by scripts based on a cookie, so really, your problem devolves to one of cookies.

Either install the cart for each domain and keep them separate (downside is cost and maintenance), put both sites on the same domain (downside is loss of branding and SEO to date), or proxy the two branded domains to a third domain that hosts the cart (downside is complexity, required grade of hosting and resultant cost).

You could also pass the cookie between sites as a GET parameter (query string). But this would 'expose' the session ID and likely lead to fraud problems.

However, consider the alternative: What if any site could read the cookies for any other site... A security nightmare!

Jim
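
Added example (not part of the thread): the cookie scoping rule Jim describes, written out as the RFC 6265 domain-match check a browser applies, to show why a session.cookie_domain of www.domain1.com sent from www.domain2.com is discarded. The function names are hypothetical, the hostnames are the thread's placeholders, and the public-suffix check that real browsers also apply is left out.

```javascript
// RFC 6265 section 5.1.3: does `host` domain-match `cookieDomain`?
function domainMatch(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  if (host === cookieDomain) return true;
  // IP addresses only ever match exactly, never as a suffix.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(":");
  // Suffix match must fall on a label boundary (the leading dot).
  return !isIp && host.endsWith("." + cookieDomain);
}

// RFC 6265 section 5.3, simplified: scope the browser stores for a
// Set-Cookie received from `requestHost`, or null if it is discarded.
function storeCookie(requestHost, domainAttr) {
  const host = requestHost.toLowerCase();
  // No Domain attribute: host-only cookie, bound to the exact host.
  if (!domainAttr) return { domain: host, hostOnly: true };
  const domain = domainAttr.replace(/^\./, "").toLowerCase();
  // A host may only set cookies for itself or a parent domain.
  if (!domainMatch(host, domain)) return null;
  return { domain, hostOnly: false };
}

// Would the stored cookie be attached to a request for `requestHost`?
function cookieSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  const host = requestHost.toLowerCase();
  return cookie.hostOnly
    ? host === cookie.domain
    : domainMatch(host, cookie.domain);
}

// Constructed scenarios based on the thread's placeholder hostnames.
const htaccessCase = storeCookie("www.domain2.com", "www.domain1.com");
console.log("domain2 setting a domain1 cookie:", htaccessCase); // discarded

const parked = storeCookie("www.maindomain.com", "");
console.log("maindomain cookie sent to domain1:",
  cookieSentTo(parked, "www.domain1.com"));

const shared = storeCookie("www.domain1.com", ".domain1.com");
console.log("domain1-wide cookie sent to shop.domain1.com:",
  cookieSentTo(shared, "shop.domain1.com"));
console.log("domain1-wide cookie sent to www.domain2.com:",
  cookieSentTo(shared, "www.domain2.com"));
```

Only hosts under a common parent domain can share a cookie this way, which is why the options listed above all involve either one domain or a server-side arrangement.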