maintain their session state across multiple domains. I'm not talking
about subdomains (i.e. tertiary1.domain.com and tertiary2.domain.com),
but two explicitly different domains altogether (i.e. www.mydomain.com
and secure.your-domain.net, etc.). I've done a fair amount of research
and have decided on the following method:
- Use database sessions (obviously)
- Pass the session id from one domain to another via POST
- Use a controller action to manually POST the session id to the other
domain (to avoid using a hidden form field)
- The POST will take place via an SSL connection
- On the receiving server, simply read the POSTed session id and set
it, thus restoring the session for that user
I'm asking whether this is a safe, secure and reliable method for
maintaining session state across domains. It makes sense in my mind
but I may be missing something. This method should prevent the session
id from EVER being readable by anyone other than the sending and
receiving domains (especially since I'm passing via SSL).
This should prevent log file tracking of the session id from passing
via GET (since I'm not using GET), no caching of the hidden form field
on the user's browser, and no hijacking of the session unless someone
creates their own form, guesses an active session id, and then POSTs
to the receiving server. However, I can perform additional checks on
the receiving server to make sure it's the same user (verify user
agent [Cake does this automagically], and verify IP).
Just wanted to get some feedback, criticism and/or support before I
implement this in my app. Thanks for reading!
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
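As an added illustration (not code from the post above and not part of CakePHP), the following Python models the two sides of the handoff the post describes and, beside it, a variant that goes a step further: instead of POSTing the session id itself, the sending domain mints a short-lived, single-use token bound to the session and the client, authenticated with an HMAC under a secret the two domains share, and the receiving domain issues a fresh session id of its own rather than adopting the one that crossed the wire. The shared secret, the in-memory stand-in for the database session table, the nonce set and the sample user agent and IP are all constructed for this example; the function names are hypothetical.

```python
"""Cross-domain session handoff: the post's design (POST the session id, the
receiver sets it) next to a signed, one-time handoff token. Added example
code, not CakePHP's. Secrets, names and sample data are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed: a secret shared out of band by the sending and receiving domains.
SHARED_SECRET = b"constructed-example-secret-rotate-me"
TOKEN_TTL_SECONDS = 60

# Constructed stand-in for the shared database session table: session_id -> data
sessions = {}
# Constructed stand-in for a "redeemed nonces" table in that same database
redeemed_nonces = set()


def _h(s):
    return hashlib.sha256(s.encode()).hexdigest()


def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_session_id():
    return secrets.token_urlsafe(32)


def create_session(user_id, user_agent, ip):
    sid = new_session_id()
    sessions[sid] = {"user_id": user_id, "ua_hash": _h(user_agent), "ip": ip}
    return sid


# --- Variant 1: what the post describes ---------------------------------------
def naive_receive(posted_sid):
    """Receiving domain adopts whatever session id was POSTed. Nothing ties the
    request to the sending domain or to the user: any party holding (or
    guessing) a live id attaches to that session."""
    return posted_sid if posted_sid in sessions else None


# --- Variant 2: signed, single-use, short-lived handoff token -----------------
def issue_handoff(sid, user_agent, ip, now=None):
    """Sending domain: name the session, the client fingerprint and an expiry,
    then authenticate the whole payload with an HMAC."""
    now = time.time() if now is None else now
    payload = {"sid": sid, "ua_hash": _h(user_agent), "ip": ip,
               "exp": now + TOKEN_TTL_SECONDS, "nonce": secrets.token_urlsafe(16)}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def redeem_handoff(token, user_agent, ip, now=None):
    """Receiving domain: check the MAC before parsing anything, then expiry,
    single use and client binding. On success mint a fresh session id for this
    domain; the id that travelled in the token never becomes a cookie here."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged or tampered token
    payload = json.loads(_unb64(body))
    if now > payload["exp"]:
        return None  # stale token
    if payload["nonce"] in redeemed_nonces:
        return None  # replay of a token that was already used
    if payload["ua_hash"] != _h(user_agent) or payload["ip"] != ip:
        return None  # not the client the sending domain saw
    data = sessions.get(payload["sid"])
    if data is None:
        return None
    redeemed_nonces.add(payload["nonce"])
    fresh_sid = new_session_id()
    sessions[fresh_sid] = dict(data)
    return fresh_sid


if __name__ == "__main__":
    ua, ip = "Mozilla/5.0 (constructed)", "203.0.113.7"  # constructed client
    sid = create_session("alice", ua, ip)
    print("naive handoff accepts any known id:", naive_receive(sid) == sid)
    tok = issue_handoff(sid, ua, ip)
    fresh = redeem_handoff(tok, ua, ip)
    print("token handoff yields a new id:", fresh is not None and fresh != sid)
    print("replay of the same token rejected:", redeem_handoff(tok, ua, ip) is None)
```

The ordering inside `redeem_handoff` is deliberate: the MAC is verified with a constant-time compare before the body is decoded, so malformed or attacker-chosen payloads are never parsed, and the nonce is only burned after every check passes, so a rejected attempt cannot be used to invalidate a legitimate token. The user-agent and IP checks are the ones the post already mentions; they are kept here as a binding inside the signed token rather than as a separate lookup, so the receiving domain compares against what the sending domain actually observed.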