>>All ya gotta do is have three invisible GIFs on all three sites that come
>>from the *other* sites and the GIF does the set_cookie() of whatever their
>>user ID is.
>
>I'm not sure where you got this idea, but you should investigate
>further. A banner ad is usually nothing more than an image, and your
>browser will make a complete separate HTTP GET request for that image.

I'm not sure how you interpreted the above paragraph, but it clearly is not what I intended.

If you control all three domains, or have some access to put code on them, you can use the images to send the right Cookies from all three domains to 'synchronize' them by embedding the current site's session_id() in the request from the 'other' sites, and have the 'other' sites send the Cookies required with the image.

Each site has three IMG SRC=xxx that are requesting GIFs from the other sites. The request for the GIF has, in the GET data, the Cookie value you want to use. The servers simply spew out the same Cookie value as the "original" server, and now they all refer to the same user in a shared database.

>When that is the case, there is no way the remote site can read or write
>cookies outside of its own domain. They can set cookies from their own
>domain, and you might see the cookies warnings on the same "page" or
>whatever, but the domains will definitely be different.

Okay, let me spell it out, since at least some readers are obviously not "getting" it.

Assumption #1. You have access to *some* code on all three servers, and want to maintain the Session ID "the same" across all three. I believe that was the original poster's thesis -- They simply didn't want to rip apart all the rest of the HTML on all three sites, but could painlessly insert a few lines of code at the top of all three sites' pages.

If, on all three sites, you can auto_prepend (or include) the following code:

<?php
  session_start();
  $session_id = session_id();
  // One image per site; each request carries this site's session ID in the GET data.
  echo "<IMG SRC=\"http://server1.com/session.jpg?session_id=$session_id\">\n";
  echo "<IMG SRC=\"http://server2.com/session.jpg?session_id=$session_id\">\n";
  echo "<IMG SRC=\"http://server3.com/session.jpg?session_id=$session_id\">\n";
?>

Then, on all three servers, have the file session.jpg.

<?php
  // Executed as PHP (see NOTES). Takes the session ID from the GET data as-is.
  $session_id = isset($_GET['session_id']) ? $_GET['session_id'] : '';
  setCookie('PHPSESSIONID', $session_id);
  header("Content-type: image/jpeg");
  readfile('images/invisible.jpg');
?>

You can effectively get the 'same' Cookie sent from all three sites.

NOTES:

I probably do not have the name of the Cookie variable, PHPSESSIONID, correct.

You may want to write cleaner code with more error-checking. :-) And add the Content-length.

You'll also need to ForceType session.jpg to be PHP, not JPEG, or rename it session_jpg.php or something to make the code get executed.

If a user is browsing with no Images, or uses Lynx, it ain't gonna work, because they'll never request the Image that transfers the Cookie values from site-to-site.

Obviously, the Session Cookie can now be hijacked more easily, since you are accepting the value from the Internet. You will want to consider this very carefully, and insert cross-checks that somebody doesn't 'create' an account simply by presenting a request to all three servers with their own home-brewed session ID. It might be best to only GET the GIFs from the 'other' two servers on each server, and cross-check with the original server's data somehow that the account is valid.

If you even care. If Cookies are simply used to identify the user as the same user, and there's no particularly "private" content nor user-customization happening, there's not much point. Only you and your application can determine this. Think the security implications through fully. If you're not 100% sure you'll never ever use the Cookie ID for anything more than "convenience" as they travel site-to-site, then you'd better be sure it's not a forgery.

If a user's ID/Session Cookie ever changes, you *MUST* re-issue the same Cookie on all three servers, or you'll get hopelessly out-of-sync. You may want to use the customized session storage handlers just to be sure you track this correctly. Search the PHP manual for something not unlike session_set_handler and you'll find the function I'm talking about.

--
Like Music? http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
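
One way to make the cross-check from the NOTES concrete, as an added example that is not part of the original post: the site that owns the session signs the ID it puts in the image link, and session.jpg sets the cookie only when the signature verifies. SYNC_SECRET, SYNC_TTL, sync_query() and sync_verify() are hypothetical names, and a secret shared by the three servers is an assumption.

```php
<?php
// Added example, not from the original post. SYNC_SECRET, SYNC_TTL and the
// two function names are hypothetical; the shared secret is an assumption.
const SYNC_SECRET = 'replace-with-a-long-random-value-shared-by-all-three-sites';
const SYNC_TTL = 60; // seconds a signed image link stays valid

// Origin site: query string for the IMG SRC that points at another site.
function sync_query(string $sid, string $secret, int $now): string
{
    $exp = $now + SYNC_TTL;
    $sig = hash_hmac('sha256', $sid . '|' . $exp, $secret);
    return http_build_query(['session_id' => $sid, 'exp' => $exp, 'sig' => $sig]);
}

// Receiving site (session.jpg): returns the session ID only when the link
// was signed with the shared secret and has not expired, otherwise null.
// The caller passes $_GET and calls setcookie() only on a non-null result.
function sync_verify(array $get, string $secret, int $now): ?string
{
    $sid = $get['session_id'] ?? '';
    $exp = $get['exp'] ?? '';
    $sig = $get['sig'] ?? '';
    if (!is_string($sid) || !is_string($exp) || !is_string($sig)) {
        return null; // array-valued parameters such as session_id[]=x
    }
    if (!preg_match('/\A[A-Za-z0-9,-]{22,128}\z/', $sid)) {
        return null; // not shaped like a PHP session ID
    }
    if (!preg_match('/\A\d{1,12}\z/', $exp) || (int) $exp < $now) {
        return null; // malformed or expired link
    }
    $expected = hash_hmac('sha256', $sid . '|' . $exp, $secret);
    return hash_equals($expected, $sig) ? $sid : null; // constant-time compare
}

// Constructed sample values; run from the command line.
$now = 1000000000;
$sid = 'abcdef0123456789abcdef0123456789';
parse_str(sync_query($sid, SYNC_SECRET, $now), $good);
$forged = ['session_id' => 'homebrewedsessionid0000000000000',
           'exp' => (string) ($now + 30), 'sig' => str_repeat('0', 64)];
var_dump(sync_verify($good, SYNC_SECRET, $now) === $sid);       // signed link
var_dump(sync_verify($forged, SYNC_SECRET, $now));              // home-brewed ID
var_dump(sync_verify($good, SYNC_SECRET, $now + SYNC_TTL + 1)); // stale link
```

A valid signature shows that one of the three sites minted the link, not that the account behind the ID exists, so the check against the original server's data still applies.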