What's the best way to maintain sessions on two domains?

  • gregerly
    Recognized Expert New Member
    • Sep 2006
    • 192

    What's the best way to maintain sessions on two domains?

    Hello All,

    I'm working on a project right now that will require me to maintain a session on two separate secure domains. So the user logs into domain a, and can quickly switch to domain b without having to re-authenticate. What would be the best way to approach this? Has anyone done anything like this?
  • xNephilimx
    Recognized Expert New Member
    • Jun 2007
    • 213

    #2
    Hi, gregerly.
    Quick thought: you may want to store the sessions in a db that is accessible from both domains and link the session id with the logged-in user, so when the user logs in, you can redirect the user to a remote script on the other site of yours, passing the session id in GET; the remote script assigns the session id so all the data will be instantly available for this second domain, and then redirects the user back. This will not create a step in the browser's history, though I don't know about the security concerns... it's just what I came up with right now.

    Kind regards
    Last edited by xNephilimx; Jan 11 '10, 02:23 PM. Reason: typos...

    • dlite922
      Recognized Expert Top Contributor
      • Dec 2007
      • 1586

      #3
      @xNephilimx

      Someone would be able to listen on the TCP traffic and pick up the session ID in the URL. And Voila! someone has access to that session at the new site.

      This question was also asked a while back:


      The solution was to use a hidden iFrame that logs you into the second site when the user logs in to the first site.

      I personally stay away from iFrames, but that's for another reason.



      Dan

      • xNephilimx
        Recognized Expert New Member
        • Jun 2007
        • 213

        #4
        Great, thanks for the info!
        I thought about iframes too, but that's like doing CSRF to your own site... lol.
        Maybe saving certain user data, like a hash of ip+browser+something else server-side (plus a timeout of some sort?), so you can check whether the session id request came from the same user, but that won't make it 100% sure that it is the same user.

        In the company I work for, this is done for a couple of sites we own, but it's done in Perl, and that's not my area of expertise, so I can't just peek at the code and figure it out XD.

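A sketch of the server-side binding check from #4 (hash of ip+browser plus a timeout) layered on the shared session store from #2, as an added example that is not code from this thread. It goes one step further than the posts by also marking the handoff single-use, so a session id that does leak in a URL cannot be replayed once the legitimate redirect has completed. The in-memory dict, the function names and the 60-second window are assumptions standing in for a real shared database and real endpoints.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the database both domains can reach.
SESSION_STORE = {}

HANDOFF_WINDOW_SECONDS = 60  # assumed: how long the cross-domain redirect may take


def client_fingerprint(ip, user_agent):
    # Hash of ip+browser as suggested in #4. Note that IPs change behind
    # NAT or on mobile, so this is a heuristic, not proof of identity.
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()


def login(user_id, ip, user_agent, now=None):
    """Domain A: create the session and bind it to the client at login time."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    SESSION_STORE[session_id] = {
        "user_id": user_id,
        "fingerprint": client_fingerprint(ip, user_agent),
        "handoff_expires": now + HANDOFF_WINDOW_SECONDS,
        "handoff_used": False,
    }
    return session_id


def adopt_session(session_id, ip, user_agent, now=None):
    """Domain B's remote script: adopt the session only if every check passes.

    Returns the user id on success, None if the id is unknown, the handoff
    window has elapsed, the handoff was already consumed, or the client
    fingerprint differs from the one recorded at login.
    """
    now = time.time() if now is None else now
    record = SESSION_STORE.get(session_id)
    if record is None or record["handoff_used"] or now > record["handoff_expires"]:
        return None
    presented = client_fingerprint(ip, user_agent)
    if not hmac.compare_digest(record["fingerprint"], presented):
        return None
    record["handoff_used"] = True  # single-use: a replayed id is rejected
    return record["user_id"]
```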