how to keep track of the session ID across domains

Hi all,

We have about 10 different domains that are linked very closely and we
want to identify and keep track of every single user that surfs our
websites by the use of sessions.

The problem is how to keep track of the session ID across domains.

- cookies don't work because they are not accepted by 40% of our users, and
cookies don't work across domains
- passing the PHPSESSID over a form is annoying because all links
have to be forms
- automatic passing in links by the use of trans_sid doesn't work: all
links have to be relative, and this is not possible when the link is on
another domain
- manual passing of the PHPSESSID would work but is a pain in the butt,
since all of the links have to be altered manually in thousands of PHP

Our domains are located on the same instance of the Apache server, and
the 4th method would work well.

Maybe a trick would work out well.
I have been trying to include a PHP logger file (located in the main
domain directory) in the footer of all of our sites, where the session
is started and data is logged.
The results were different session IDs even for websites on the same

Maybe a manual session.save_handler (in php.ini) would also help.

Things are quite a bit complicated and I would appreciate your help
very much.


Re: how to keep track of the session ID across domains

> The problem is how to keep track of the session ID across domains.

You're fighting a losing battle: it's a key security feature of a web
browser that information provided by one website is not visible to another
unless explicitly passed in a POST/GET. Some of the answers you could come
up with may undermine this behaviour; if so, they will not be portable
across browsers and are likely to be fixed in future.

> cookies don't work because they are not accepted by 40% of our users, and
> cookies don't work across domains

So if your customers won't even trust cookies, they are unlikely to want to
install a custom client certificate.

> manual passing of the PHPSESSID would work but is a pain in the butt,
> since all of the links have to be altered manually in thousands of PHP

....this looks the most viable solution. Why would they need to be altered
manually? You could script any changes to HREF='...' and flag up any
'<FORM>', 'header(' and 'location=' for manual processing.

An alternative solution might be to put all the sites behind a frame and use
JavaScript cookies from the inner and outer pages, then use a two-phase
move to another site (on arrival, PHP sees no session ID, so it includes
JavaScript to query the outer frame for the session ID and set a cookie, then
does a frame-bust to a frameset page hosted on the 'local' domain; when PHP
generates the resulting inner page, it *has* a session ID, so it includes
JavaScript to update the session ID in the frame). That's kind of messy
though and might not be workable.

> The results were different session IDs even for websites on the same

Are you sure? I've found the sessions thing to be very reliable, although it
is quite easy to ^&%$ it up from your own code. How can you tell that
you've assigned a new session ID server-side? You can't discriminate on the
basis of client IP address, or the headers sent by the browser.
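The scripted link rewrite that the reply suggests, as an added example that is not part of the original thread: a Python script that appends the PHP session ID only to absolute links pointing at an allowlisted set of sibling domains, leaves relative links to session.use_trans_sid, and lists the lines containing `<form>`, `header(` or `location=` for manual review. The sibling domain names, the sample template and the `PHPSESSID=<?php echo urlencode(session_id()); ?>` expression are constructed for the example (they assume PHP's default session name).

```python
import re
from urllib.parse import urlsplit

# Sibling domains that share the server-side session store (constructed list).
SIBLING_DOMAINS = {"example.com", "example.net", "example.org"}

# PHP expression emitted into the link; assumes the default session name PHPSESSID.
SESSION_PARAM = "PHPSESSID=<?php echo urlencode(session_id()); ?>"

# href="..." or HREF='...' attributes in HTML/PHP templates.
HREF_RE = re.compile(r"""(href\s*=\s*)(["'])([^"']*)\2""", re.IGNORECASE)

# Constructs that build a URL at runtime and must be reviewed by hand.
MANUAL_RE = re.compile(r"<form\b|header\s*\(|location\s*=", re.IGNORECASE)


def is_sibling_host(host):
    """Exact or subdomain match against the allowlist; a plain suffix test
    would also accept lookalikes such as 'example.com.evil.test'."""
    host = host.lower()
    return host in SIBLING_DOMAINS or any(
        host.endswith("." + d) for d in SIBLING_DOMAINS
    )


def needs_session_id(url):
    """Only absolute http(s) links to a sibling domain get the session ID.
    Relative links are left to session.use_trans_sid, and third-party links
    never get it, so the ID is not leaked in URLs or Referer headers."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if "PHPSESSID=" in parts.query:
        return False  # already carries one
    return is_sibling_host(parts.hostname or "")


def with_session_id(url):
    """Append the session parameter, keeping any #fragment at the end."""
    base, _, fragment = url.partition("#")
    sep = "&" if "?" in base else "?"
    out = base + sep + SESSION_PARAM
    return out + ("#" + fragment if fragment else "")


def rewrite_template(text):
    """Return (rewritten_text, line_numbers_needing_manual_review)."""
    def repl(m):
        prefix, quote, url = m.groups()
        if not needs_session_id(url):
            return m.group(0)
        return prefix + quote + with_session_id(url) + quote

    rewritten = HREF_RE.sub(repl, text)
    flagged = [n for n, line in enumerate(text.splitlines(), 1)
               if MANUAL_RE.search(line)]
    return rewritten, flagged


# Constructed sample template covering the cases the rewrite must distinguish.
SAMPLE_TEMPLATE = """<a href="http://example.net/shop/">Shop</a>
<a HREF='https://www.example.org/help#faq'>Help</a>
<a href="/local/page.php">Local (relative, left to trans_sid)</a>
<a href="http://example.com.evil.test/">Lookalike, must not get the ID</a>
<a href="https://thirdparty.test/">Outside, must not get the ID</a>
<form action="http://example.net/cart.php"><input type="submit"></form>
<?php header("Location: http://example.org/"); ?>
"""

if __name__ == "__main__":
    new_text, flagged = rewrite_template(SAMPLE_TEMPLATE)
    print(new_text)
    print("review manually, lines:", flagged)
```

Run it over each file and review the diff; a regex over markup is deliberately crude, which is why forms and server-side redirects are only flagged. Restricting the rewrite to sibling domains matters because a session ID in a URL travels to any site the link points at and shows up in its logs and Referer headers. The receiving domain must also be willing to accept an ID from the query string (session.use_only_cookies off), which reopens session fixation, so regenerate the ID once the user authenticates.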
