Posted on June 14, 2005, 9:16 pm
We have about 10 different domains that are linked very closely and we
want to identify and keep track of every single user that surfs our
websites by the use of sessions.
The problem is how to keep track of the session ID across domains.
- cookies don't work because not accepted by 40 % of our users and
cookies don't work across domains
- passing of the PHPSESSID over a form is molesting because all links
have to be forms
- automatic passing in links by the use of trans_id doesn't work. all
links have to be relative. This is not possible when the link is on
- manual passing of the PHPSESSID would work but is a pain in the butt
since all of the links have to be altered manually in thousands of php
Our domains are located on the same instance of the apache server and
the 4th method would work well.
Maybe a trick would work out well.
I have been trying to include a php logger file (located in the main
domain directory) in the footer of all of our sites where the session
is started and data is logged.
The results were different Session IDs even for websites on the same
Maybe also a manual session.save_handler (in php.ini) would help.
The things are quite a bit complicated and I would appreciate your help
Re: how to keep track of the session ID across domains
You're fighting a losing battle: it's a key security feature of a web
browser that information provided by one website is not visible by another
unless explicitly passed in a POST/GET. Some of the answers you could come
up with may undermine this behaviour - if so, they will not be portable
across browsers and are likely to be fixed in future.
So if your customers won't even trust cookies, they are unlikely to want to
install a custom client certificate.
....this looks the most viable solution. Why would they need to be altered
manually? You could script any changes to HREF='...' and flag up any
'<FORM>', 'header(' and 'location=' for manual processing.
An alternative solution might be to put all the sites behind a frame, & use
move to another site (on arrival, php sees no session id, includes
frame-bust to a frameset page hosted on the 'local' domain, when PHP
generates the resultant inner page, it *has* a sessionid, so it includes
though and might not be workable.
Are you sure? I've found the sessions thing to be very reliable, although it
is quite easy to ^&%$ it up from your own code. How can you tell that
you've assigned a new session ID server-side? You can't discriminate on the
basis of client IP address, or the headers sent by the browser.
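
The reply's suggestion to script the HREF changes and flag '<FORM>', 'header(' and 'location=' for manual processing could start from an audit like the one below. It is an added example, not code from the thread: the host names in SISTER_HOSTS and the sample input are constructed assumptions, and it goes one step further by separating links to foreign hosts, which should never receive the session ID.

```python
import re
from urllib.parse import urlsplit

# Assumption: placeholder host names standing in for the closely linked domains.
SISTER_HOSTS = {"www.site-a.example", "www.site-b.example"}

HREF_RE = re.compile(r"""href\s*=\s*(["'])(.*?)\1""", re.IGNORECASE)
# Constructs the reply wants flagged for manual processing.
MANUAL_RE = re.compile(r"<form\b|header\s*\(|location\s*=", re.IGNORECASE)


def classify_href(url):
    """Decide what a single href value needs."""
    if "<?" in url or "$" in url:
        return "manual"        # built at run time, cannot be judged statically
    host = urlsplit(url).hostname
    if host is None:
        return "relative"      # left to PHP's own rewriting (session.use_trans_sid)
    if host in SISTER_HOSTS:
        return "append-sid"    # cross-domain link that must carry the session ID
    return "never-sid"         # foreign site: the session ID must not leak to it


def audit_php(source):
    """Return [(line_no, action, text)] for one PHP/HTML source string."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        if MANUAL_RE.search(line):
            findings.append((no, "manual", line.strip()))
        for m in HREF_RE.finditer(line):
            action = classify_href(m.group(2))
            if action != "relative":
                findings.append((no, action, m.group(2)))
    return findings


# Constructed sample input, not taken from the thread.
SAMPLE = """<a href="news.php">News</a>
<a href='http://www.site-b.example/shop.php?id=3'>Shop</a>
<a href="http://partner.example.org/">Partner</a>
<a href="<?php echo $next; ?>">Next</a>
<form action="search.php" method="post">
<?php header("Location: http://www.site-a.example/done.php"); ?>
"""

if __name__ == "__main__":
    for finding in audit_php(SAMPLE):
        print(*finding, sep="\t")
```

Only the "append-sid" lines are candidates for an automatic edit; a session ID carried in a URL also ends up in server logs and Referer headers, which is why the "never-sid" class is reported separately.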