how to keep track of the session ID across domains

  • d.schulz81@gmx.net

    how to keep track of the session ID across domains

    Hi all,

    We have about 10 different domains that are linked very closely and we
    want to identify and keep track of every single user that surfs our
    websites by the use of sessions.

    The problem is how to keep track of the session ID across domains.

    - cookies don't work because not accepted by 40 % of our users and
    cookies don't work across domains
    - passing of the PHPSESSID over a form is molesting because all links
    have to be forms
    - automatic passing in links by the use of trans_id doesn't work. all
    links have to be relative. this is not possible when the link is on
    another domain
    - manual passing of the PHPSESSID would work but is a pain in the butt
    since all of the links have to be altered manually in thousands of php
    files.

    Our domains are located on the same instance of the apache server and
    the 4th method would work well.

    Maybe a trick would work out well.
    I have been trying to include a php logger file (located in the main
    domain directory) in the footer of all of our sites where the session
    is started and data is logged.
    The result were different Session IDs even for websites on the same
    domain....

    Maybe also a manual session.save_handler (in php.ini) would help.

    The things are quite a bit complicated and I would appreciate your help
    very much.

    Dennis

  • Colin McKinnon

    #2
    Re: how to keep track of the session ID across domains

    d.schulz81@gmx.net wrote:

    > Hi all,
    >
    > We have about 10 different domains that are linked very closely and we
    > want to identify and keep track of every single user that surfs our
    > websites by the use of sessions.

    You're fighting a losing battle: it's a key security feature of a web
    browser that information provided by one website is not visible by another
    unless explicitly passed in a POST/GET. Some of the answers you could come
    up with may undermine this behaviour - if so, they will not be portable
    across browsers and are likely to be fixed in future.
    > The problem is how to keep track of the session ID across domains.
    >
    > - cookies don't work because not accepted by 40 % of our users and
    > cookies don't work across domains

    So if your customers won't even trust cookies, they are unlikely to want to
    install a custom client certificate.
    > - manual passing of the PHPSESSID would work but is a pain in the butt
    > since all of the links have to be altered manually in thousands of php
    > files.

    ...this looks the most viable solution. Why would they need to be altered
    manually? You could script any changes to HREF='...' and flag up any
    '<FORM>', 'header(' and 'location=' for manual processing.

    An alternative solution might be to put all the sites behind a frame, & use
    javascript cookies from the inner and outer pages, then use a two phase
    move to another site (on arrival, php sees no session id, includes
    javascript to query outer frame for sessionid and sets cookie then do a
    frame-bust to a frameset page hosted on the 'local' domain, when PHP
    generates the resultant inner page, it *has* a sessionid, so it includes
    javascript to update the sessionid into the frame). That's kind of messy
    though and might not be workable.
    > Maybe a trick would work out well.
    > I have been trying to include a php logger file (located in the main
    > domain directory) in the footer of all of our sites where the session
    > is started and data is logged.
    > The result were different Session IDs even for websites on the same
    > domain....

    Are you sure? I've found the sessions thing to be very reliable, although it
    is quite easy to ^&%$ it up from your own code. How can you tell that
    you've assigned a new session ID server-side? You can't discriminate on the
    basis of client IP address, or the headers sent by the browser.

    C.
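
The scripted rewrite suggested in the reply above, as an added sketch that is not part of the original thread: it appends the session ID only to absolute links pointing at the sister sites and flags `<FORM>`, `header(` and `location=` lines, plus any link built inside PHP code, for manual processing. The domain names, the sample template and the helper names (`rewrite`, `add_sid`) are assumptions made for the illustration.

```python
import re

# Assumption: constructed names for the sister sites that share one session store.
SISTER_DOMAINS = {"shop.example", "news.example"}
# PHP fragment appended to each rewritten link (session_name/session_id are PHP built-ins).
SID_PHP = "<?php echo session_name() . '=' . session_id(); ?>"

# Absolute links only; relative links are left alone.
HREF_RE = re.compile(r"""(href\s*=\s*)(['"])(https?://([^/'"?#]+)[^'"#]*)(#[^'"]*)?\2""", re.I)
# Constructs the reply says to flag for manual processing.
FLAG_RE = re.compile(r"<form|header\s*\(|location\s*=", re.I)

def add_sid(m):
    prefix, quote, url, host, frag = m.group(1, 2, 3, 4, 5)
    if host.lower() not in SISTER_DOMAINS:
        return m.group(0)  # other hosts never receive the session ID
    sep = "&amp;" if "?" in url else "?"
    return f"{prefix}{quote}{url}{sep}{SID_PHP}{frag or ''}{quote}"

def rewrite(source):
    """Return (rewritten_source, flagged) with flagged as [(line_no, text)]."""
    out, flagged, in_php = [], [], False
    for no, line in enumerate(source.splitlines(), 1):
        php_line = in_php or "<?" in line
        if "<?" in line or "?>" in line:
            # Still inside PHP if the last opener follows the last closer.
            in_php = line.rfind("<?") > line.rfind("?>")
        if php_line:
            # Links built inside PHP code cannot be patched textually: flag them.
            if FLAG_RE.search(line) or "href" in line.lower():
                flagged.append((no, line.strip()))
            out.append(line)
            continue
        if FLAG_RE.search(line):
            flagged.append((no, line.strip()))
        out.append(HREF_RE.sub(add_sid, line))
    return "\n".join(out), flagged

# Constructed sample template, not taken from the poster's sites.
SAMPLE = """<a HREF='http://shop.example/cart.php?item=3#top'>Cart</a>
<a href="http://news.example/">News</a>
<a href="http://partner.invalid/">Partner</a>
<a href="local.php">Local</a>
<FORM action="http://shop.example/search.php">
<?php header('Location: http://news.example/login.php'); ?>
<script>window.location='http://shop.example/';</script>"""

if __name__ == "__main__":
    new_source, todo = rewrite(SAMPLE)
    print(new_source)
    for no, text in todo:
        print(f"manual review, line {no}: {text}")
```

Links to hosts outside `SISTER_DOMAINS` are left untouched, so the session ID is never written into a URL that leaves the group of sites.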
