Asked  7 Months ago    Answers:  5   Viewed   31 times

I need to share SSO information between two different domains with a cookie, can this be done in PHP and how?

 Answers

47

On both domains, place an image or other web element that is pulled from the other domain. Use the URL to notify the other domain that user X is on domain A, and let domain B associate that user ID with that user on their system.

It's a little complex to carry out correctly, but if you think it through it'll work out very well.

Vinko points out in a comment (thanks!) that I shouldn't take it for granted that you understand the security risks involved. If this information is of any value to anyone, then you should make sure you use proper encryption, authentication, etc to avoid releasing sensitive information and to avoid various attacks (replay, man in the middle, etc). This shouldn't be too onerous since you control both websites and you can select a secure secret key for both, since the communication is only going between the two servers via this special URL. Keep it in mind though.

-Adam

Wednesday, March 31, 2021
 
PHPWDev
answered 7 Months ago
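The answer above asks for an authenticated, replay-resistant value in the cross-domain URL. The following PHP is an added example, not code from the answer, of one way to build it with a shared secret. The function names, the `payload.signature` token layout, the 60-second lifetime and the in-memory replay list are assumptions, and the URL is assumed to be served over HTTPS.

```php
<?php
// Added example. Token layout, names and TTL are assumptions, not from the answer.
const TOKEN_TTL = 60; // seconds a handoff token stays valid

function b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Domain A: build the value carried in the cross-domain URL (e.g. ?t=...).
function sso_issue(string $userId, string $key, ?int $now = null): string {
    $body = b64url(json_encode([
        'uid' => $userId,
        'iat' => $now ?? time(),            // issue time, limits the replay window
        'jti' => bin2hex(random_bytes(16)), // unique id, makes the token single-use
    ]));
    return $body . '.' . b64url(hash_hmac('sha256', $body, $key, true));
}

// Domain B: return the user id, or null if the token is forged, stale or replayed.
function sso_verify(string $token, string $key, array &$seen, ?int $now = null): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $body, $key, true));
    if (!hash_equals($expected, $mac)) {    // constant-time comparison
        return null;
    }
    $claims = json_decode(base64_decode(strtr($body, '-_', '+/')), true);
    if (!is_array($claims) || !isset($claims['uid'], $claims['iat'], $claims['jti'])) {
        return null;
    }
    if (abs(($now ?? time()) - (int)$claims['iat']) > TOKEN_TTL) {
        return null;                        // outside the validity window
    }
    if (isset($seen[$claims['jti']])) {
        return null;                        // already used once: replay
    }
    $seen[$claims['jti']] = true;
    return (string)$claims['uid'];
}

// Constructed demo values.
$key  = random_bytes(32); // in practice: one secret provisioned on both servers
$seen = [];               // in practice: a shared store whose entries expire after TOKEN_TTL
$token = sso_issue('user-42', $key);
var_dump(sso_verify($token, $key, $seen));        // first presentation
var_dump(sso_verify($token, $key, $seen));        // same token presented again
var_dump(sso_verify($token . 'x', $key, $seen));  // signature altered
```

On success, domain B would set its own session cookie for the returned user id; the token only travels in the URL and is discarded after one use.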
91

You're supposed to give a UNIX timestamp of when the cookie will expire (calculated since the epoch) as the third argument to the function call.

The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch. In other words, you'll most likely set this with the time() function plus the number of seconds before you want it to expire. Or you might use mktime(). time()+60*60*24*30 will set the cookie to expire in 30 days. If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes).

I suggest you read the documentation for setcookie.

Saturday, May 29, 2021
 
samayo
answered 5 Months ago
76

Make sure you have a domain that is known by both server and client. echo $_SERVER['HTTP_HOST'] should tell you the exact same domain that your browser has. If not, the cookie will not be accepted by the browser.

Make sure your server and client time is perfectly correct. The browser will reject a cookie with a wrong datetime.

Do not write any other code and just do:

<?php
$cookie_name = "user";
$cookie_value = "John Doe";
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); // 86400 = 1 day 
// expiration
echo date("H:i:s d.m.Y")."<br>";
echo $_SERVER['HTTP_HOST']."<br>";
var_dump($_COOKIE);
?>

and refresh the page twice.

Also check out the manual at: https://www.php.net/manual/en/features.cookies.php

Saturday, May 29, 2021
 
mattltm
answered 5 Months ago
54

Okay, I found out after reading on the Mozilla Developer Network a bit more and trying out the credentials option.

Looks like the credentials option is what I should have looked for.

fetch('/something', { credentials: 'same-origin' }) // or 'include'

Will send the cookies.

Monday, August 9, 2021
 
RustyStatistician
answered 3 Months ago
68

The answer is to use --header="Cookie: --COOKIE_DATA--" (ref. wiki.wsmoak.net/cgi-bin/wiki.pl?Siege).

Sunday, October 10, 2021
 
braindamage
answered 1 Week ago