PHP Sharing sessions between multiple domains
Hi All,
Some time ago I posted an article on what it would involve to share a session across different domains. Since then I have had a lot of interest in a means of implementing the solution. It has been quite some time since I looked at the original solution (some 2 years ago), and I am posting the code free for all to use, hopefully to aid others in working on a solution for their own projects.
Implementation
Most of the time I use an MVC approach for my websites, following an Apache Struts-style implementation, which I hope to write more about in the next year. For this I divert all my requests through a single gateway that has configurations mapping to actions. As part of the framework I can modify the request processor or the boot process to handle session logic centrally for all requests.
The solution I was talking about uses one central server as an ‘issuing’ server. All of the sub-sites (or other sites wishing to share the session across different domains) request the session ID from this issuing server by redirecting to it instead of starting their own sessions. The issuing server then returns the user to the original sub-site with a KEY that the sub-site uses to locate the session ID it should use, and the sub-site resumes the session.
For this to work properly you first have to centralise the session storage; my solution keeps the sessions in a database (using ADODB at the time; these days I prefer PDO, but it would be easy to rewrite). You need 2 main components: the session handlers that operate on the sub-sites, and the issuing script that operates on the issuing server.
In this example I assume you have a domain sub-site called ‘mysubsitedomain.com’ and will use ‘mycentraldomain.com’ as the issuing server.
You need two files:
- DistributedSessionWrapper.php
- issueSessionId.php
Get the ZIP file here: http://cameronmanderson.clientstage.com.au/multiple-domain-sessions/multiple-session-example_v_1_0.zip
Add to the sub-site ‘mysubsitedomain.com’:
// Get a connection to the database
$adodb =& ADONewConnection('mysql');
$connection = $adodb->PConnect($_db_host, $_db_user, $_db_password, $_db_name);
if (!$connection) trigger_error('Database not available', E_USER_ERROR);
// Pass it to the session wrapper
$session =& DistributedSessionWrapper::getInstance();
$session->sessionInit($adodb, 'http://www.mycentraldomain.com/issueSessionId.php');
Then, on the central domain ‘mycentraldomain.com’, set up the script issueSessionId.php.
When a member hits mysubsitedomain.com and has the distributed session wrapper running it will redirect the request through to the issueSessionId script, which will then bounce the user back to mysubsitedomain.com with a lookup key to find the session ID that both scripts will agree to use [on different domains, but both will have a cookie configured with the same session ID].
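One way to harden the key handoff described above, as an added example that is not the code from the ZIP: the issuing server only hands keys to allowlisted sub-site hosts, and each key is random, short-lived and single-use. The handoff_keys table, the function and constant names, the HTTPS requirement and the 30-second lifetime are assumptions; it needs PHP 7.1+ with the pdo_sqlite driver.

```php
<?php
// Added example (PHP 7.1+, PDO); table, function and constant names are hypothetical.
const ALLOWED_RETURN_HOSTS = ['www.mysubsitedomain.com', 'mysubsitedomain.com'];
const KEY_TTL_SECONDS = 30; // assumed lifetime: long enough for one redirect

function createSchema(PDO $db): void {
    $db->exec('CREATE TABLE handoff_keys (key_hash TEXT PRIMARY KEY,
        session_id TEXT NOT NULL, return_host TEXT NOT NULL, expires_at INTEGER NOT NULL)');
}

// Issuing server: check the return URL, then mint a lookup key for the session ID.
function issueKey(PDO $db, string $sessionId, string $returnUrl): ?string {
    $parts = parse_url($returnUrl) ?: [];
    $host = strtolower($parts['host'] ?? '');
    if (($parts['scheme'] ?? '') !== 'https' || !in_array($host, ALLOWED_RETURN_HOSTS, true)) {
        return null; // never redirect a key to a host that is not on the allowlist
    }
    $key = bin2hex(random_bytes(32)); // random, so it reveals nothing about the session ID
    $db->prepare('INSERT INTO handoff_keys VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $key), $sessionId, $host, time() + KEY_TTL_SECONDS]);
    return $key;
}

// Sub-site: swap the key for the session ID; the DELETE makes each key single-use.
function redeemKey(PDO $db, string $key, string $host): ?string {
    $hash = hash('sha256', $key);
    $sel = $db->prepare('SELECT session_id, return_host, expires_at FROM handoff_keys WHERE key_hash = ?');
    $sel->execute([$hash]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    $sel->closeCursor();
    $del = $db->prepare('DELETE FROM handoff_keys WHERE key_hash = ?');
    $del->execute([$hash]);
    if ($row === false || $del->rowCount() !== 1) {
        return null; // unknown key, or another request already consumed it
    }
    if ((int) $row['expires_at'] < time() || $row['return_host'] !== strtolower($host)) {
        return null; // expired, or presented on a different site than it was issued for
    }
    return $row['session_id'];
}

// Constructed demo: in-memory SQLite stands in for the shared session database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
$sid = 'constructed-session-id';
var_dump(issueKey($db, $sid, 'https://unlisted.example/page'));        // host not on the allowlist
$key = issueKey($db, $sid, 'https://www.mysubsitedomain.com/account');
var_dump(redeemKey($db, $key, 'www.mysubsitedomain.com') === $sid);    // first redemption
var_dump(redeemKey($db, $key, 'www.mysubsitedomain.com'));             // same key replayed
```

Only the SHA-256 of the key is stored, so a read of the shared table does not expose keys that are still redeemable.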
Downfalls
There are some downfalls or challenges in my suggested code that I thought necessary to expand on. The main one is the requirement to expire the session, or regenerate the session ID, and have that change spawn across all the other servers. Theoretically we could use the current session with some flags identifying that the session has now expired or moved to another identifier. This would require the sub-sites' session handler to identify when it is using an expired session and change the session ID that it is using (or request a new one). There may be some downfalls with how we can run sessions, first looking at one session and then looking at another session, but this may be done with a new request.
Also, the redirect assumes that you can forward the request through to be resumed on the other servers. The problem with this is that it currently passes through the request URI, which will only contain GET variables. This is a limitation that I guess needs a bit of a workaround, and may involve some additional communication between the scripts (or packaging of the POST request to be resumed, maybe serialised temporarily?).
Also, I wrote this script almost 2 years ago, so I probably should revisit it to work on the logic more. Maybe looking at the additional identification of no cookie support, etc., would help.
Hopefully it is useful for someone to look at and be inspired into their own solution. Please email me at cameronmanders[-at-]gmail.com with your solution.
Cheers
Cameron





