4

I have hosted 2 website, these two website use same database to populate data. eg: users - table has user login details, both website users can access their login via this table.

Now I want to do this:

Before access both website they need to login.

My "Website A" has link call "Read More" when user click on it, that user should be redirect to "Website B". Now I want to skip "Login" process from B website(because that user already loged in A). How to do that,

I got mind this option, but less security:

  1. A website read more link as

B_website/?username=abc&password=123&page=12

I guess this is not good option, what are the ways i can do this with keep high security?

user3099298
  • 2,585
  • 7
  • 26
  • 56
  • You could send the data with POST request using cURL. Example: http://stackoverflow.com/questions/2138527/php-curl-http-post-sample-code – lukadante3 Nov 30 '14 at 11:03
  • 1
    Have a look at the [OAuth](http://oauth.net/) ([2](http://oauth.net/2/)) protocol :) – Jasper N. Brouwer Dec 04 '14 at 08:31
  • Are the 2 websites under the same primary domain? For example, sitea.mysite.com vs. siteb.mysite.com. – ventaur Dec 09 '14 at 02:53
  • Generate token on site A, and forward with link to site B, site B then validates token and logs user in. See this answer for better description http://stackoverflow.com/questions/7244285/redirection-and-session-data-transfer-to-another-server-domain-after-login – Lex Dec 09 '14 at 10:53

10 Answers10

25

No no no - do not pass the username + password in plain text in the URL!

I would recommend taking a look at how you know that the user is logged in on site A. Is there some sort of flag in your database marking this user as logged in? Could site B somehow be aware of this flag? Since your two sites share a database, this would definitely be possible.

Consider the following scenario:

  1. User logs into site A.
    • A unique "login token" is generated, saved in your database and also sent to the client.
  2. User arrives at site B.
    • The user sends the "login token" they previously recieved to the server.

If the login token sent by the user matches the record in the database you can skip the authentication phase and mark that user as logged into site B.

Lix
  • 45,171
  • 10
  • 95
  • 118
1

Server sessions are basically hand-designed to solve this problem. If your websites already access the same database you can utilize a PHP built-in feature, which is to create a session_handler that opens a database connection and stores your session in a database table.

I am personally a big fan of Symfony's HttpFoundation (see below). However, you can do this natively without relying on any outside libraries.

Start by creating a table (this is a MySQL table, but it should be pretty easy to adapt this:

CREATE TABLE sessions (
    sess_id VARBINARY(128) NOT NULL,
    data BLOB NOT NULL,
    sess_expires int(11) UNSIGNED NOT NULL
) COLLATE utf8_bin, Engine=InnoDB;

Next, create a session handler session_set_save_handler(), as per PHP Documentation. Create callable functions, and assign each function like so:

Open

Create the database connection.

Close

Closes the database connection.

Read

Retrieves session from the database.

Write

Stores session in the database.

Destroy

Destroys the session.

Clean

Cleans old session data based on your system settings.

Here are some different implementations. They all should work so whichever one you find most attractive can be used as a base. Once you settle on your style, you simply copy the code in each of your client sites and it will pull a shared session!

A tutorial by Chris Shiflett is probably the most basic and accessible if you are unfamiliar with much of how this sort of thing would work.

DevShed has an object oriented approach which can probably be copied and pasted for the most part. They also do a good job explaining how to use the session in other places.

HttpFoundation - Uses locking and other mechanisms and is pretty much get-up-and-go. If you follow object oriented programming and are familiar or interested in Composer, this is an absolute breeze to get set up.

Community
  • 1
  • 1
smcjones
  • 4,921
  • 1
  • 20
  • 36
1

If you store the login via PHP builtin sessions and both websites use the same session_save_path, then this is quite simple to achieve. Just Pass the session id as parameter SID inside the URL. The session from Website A should then be picked up by Website B and as the user Base is shared, the session can just continue on the other website.

The read more link should be generated something like this:

<a href="B_website/?page=12&SID=<?php echo session_id() ?>">Read more...</a>

If you manually store some kind of sessionID in a cookie, you have different options. Either you always set the cookies for the domains of both websites when logging in. Like this the user is autamatically logged in on both websites, no matter on which of the two he logged in.

setcookie("SESSIONID", $session_id, time() + 86400, "/", $domain_A);
setcookie("SESSIONID", $session_id, time() + 86400, "/", $domain_B);

Another way would be to make the more link on Website A point to a special page on Website A which would then set the necessary cookie to be logged in on Website B and then do a Redirect (via 302 Header) to Website B. The link would look like:

A_website/redirect_B.php?page=12

redirect_B.php would do the work then:

setcookie("SESSIONID", $session_id, time() + 86400, "/", $domain_B);
header("Location: B_website/?page=12", true, 302);

The best method to pass the session to the other server depends on how you implemented the login. With more details about how you manage the login sessions, it would be possible to give a more precise answer.

JHoffmann
  • 693
  • 8
  • 17
1

The most secure way is to use Single Sign On through SAML.

Saurabh Kr. Singh
  • 31
  • 4
1

You should use token based security i.e. when user enters his credentials in website A then website A returns a access-token,then by using this token you can validate user on both websites i.e. send access-token with every request.

This is basically how social-site login works,they also provide access-token and this is called auth protocol.

Ankit Gupta
  • 2,135
  • 2
  • 12
  • 23
0

You can send through AJAX authentication data from the website "A" to the web "B" when you click on the "Read more" button: after it, you check if these data are correct. If so redirect to the page "B" (You could do this through an ajax response)

   $.ajax({
        type: 'post',
        url: 'b.php',
        data: userauth,
        error: function(errors) {
            console.error(errors);
        },
        complete: function(data) {
            if(data=="correct"){ /*redirect*/ }else{ /*nothing*/ }
        }
    });

I think that would be an option...

¡Regards!

MartaGom
  • 491
  • 6
  • 27
0

Best way that i would suggesgt:

1: Every time user logs in a seesion id is generated now user below table structure

uname | password | seesion id     | user ip address  |isloogenid
a      pwd1      sessionidcreated  user looged in ip

is all paramerts are same login in user otherwise no

$seesionifdromdb
$ipfromdb
$userloggedinfromdb

$currentipwheresiteisopened
$valeofphpsessionif

if(($seesionifdromdb == $valeofphpsessionif) && ($ipfromdb == $currentipwheresiteisopened) && ($userloggedinfromdb==1)){
    // here start session neede to make user logged in
}
mydeve
  • 513
  • 12
  • 35
0

As per your situation lets have a logical view. sites:"Website A","website B"

Let have the general login flow If a user login to a "Website A" or "Website B",then a session will be created for that user with some session Id and some custom session variables that you will set-up to keep the user logged in to throughout the website

eg: $_SESSION['user_id'] = {some id from database};
    $_SESSION['prefered_language_code']='eng';
    $_SESSION['user_name'] = 'abc';

Then you are checking biapasing the login process till these variables are available in the session

eg:function checkSession(){
            if($_SESSION['user_id']!=''){
                 return true;}
            else{return false;}
     }
    on the other pages of both website
  if(checkSession()){
     return true;
  }else{
  //send to login page of website A or Website B respectively;
  }

Something like this function you are using to check the user access for the rest of the web pages.when he log's out then you must be destroying that session variable.

So now the answer to your question is: 1)As you are managing two website and as per your comment i.e "Now I want to skip "Login" process from B website(because that user already loged in A)" it means in both the case login credentials for the user should be same.Now the solution is to achieve desired situation you should follow the same login process with same session variables (only those which are used to check login status of the user) and login checkin in both the website i.e "website A and Website B".

Then they seems to be two different websites but logically the work as single one as they are sharing the login session variable.It means if a user login in to one site then logically he is by passing the login process of other website.

2)You can set some login track field type in database to keep the track of user login 

 eg:loggin_token; comment some uniquely generated key or login_key

and sets these with some session variable

Now you can check the session for the session variable to keep a login check on both sites

Hope this will help as it is the most simple way to manage these

shaishaw
  • 156
  • 3
0

Ignore any advice sending the password.

Lix' answer with the one time token is a valid approach. If you don't want to bother with an implementation you might be interested in existing single sign-on implementations.

Markus Malkusch
  • 7,201
  • 35
  • 61
0

You must use techniques like SAML or Open ID for this.

https://github.com/onelogin/php-saml

https://github.com/openid/php-openid

abhiklpm
  • 1,495
  • 1
  • 13
  • 20