I wonder if there's a way to tell TYPO3 to share the sessions / cookies between different domains?
We wrote an Extbase extension on a multi language / multi domain site.
We store search words from a search form in the user session. If the user switches the page language, he should get the same results as before - Without the need to re-fill the search form.
One way would be to tell the browser to store several cookies at the same time - one for each domain/language. How can this be achieved with TYPO3 / Extbase?
By default, there is no way to set cookies for a different domain - not with or without TYPO3. This is a security measure implemented in every browser (or do you want me to set / read your cookies from yourbank.com when you visit my web site? ;-))
You have to create some helper script that does this for you. One way could be:
example.com is loaded
this page includes an iframe to a PHP script (or TYPO3 site, e.g. with eID) on example.org with a GET parameter storing being the session id
the script loaded from example.org reads the GET parameter and sets a cookie with that session id (or whatever parameter you want to transfer).
afterwards the cookie is also available when browsing example.org
I have never tried this, but I'm pretty sure it will work with PHP. Maybe it's even possible with pure JavaScript, but I'm not so sure. In every case, think about what security holes you get with the explained script. In doubt sign the parameters (or require a token)!
Related
i've build a website that actually don't need cookies at all to work...
this just to avoid any problem dealing with european privacy laws, i really don't need any kind of user interaction at all on public part of pages then fully disabled cookies using this as a reference:
I would like to know how to disable cookies in Rails 5.1
now using development tools on browser, cookie store results empty and this was exactly what i was trying to do...
well, the site has a reserved area (this runs on a separated namespace)
is there a way to keep cookies disabled on 'public' part and make cookies work again inside 'reserved' namespace area??
i've tried to disable cookies inside single controllers (again using above link suggestions) without success!
only way to have cookie store empty was to operate a 'full disable' with modifications
on these files:
config\application.rb
config\intializers\session_store.rb
waiting your suggestions.....
thanks in advance!
Francesco
Our production application is configured with F5.
If request comes from mobile to http://xxx.abc.com/show.aspx?show=homePage
I want to create rule is F5 to redirect to a different domain like
http://xxx.xyz.com/show.aspx?show=homePage
My doubt here is if the initial URL contains User Agent since users are browsing from mobile, after the rule is created is by default the User Agent is also passed along.
The URL that we are trying to redirect to should also contain User Agent since my application renders mobile pages based on useragent.
Thanks
The answer for your question is on Devcentral.f5.com:
https://devcentral.f5.com/questions/simple-url-redirect-irule
There are several ways to achieve what you're looking for and also include or exclude user agent data. It will depend on exactly what the redirected server needs. Just search on DevCentral for URL Redirect and you'll get more answers than you'll need. Here's an overview of URL redirections:
https://devcentral.f5.com/articles/2-minute-tech-tip-url-redirects
I am helping to create a Rails app that uses Ember for a front end MVC. For the app, it is hosting user content accessed via subdomains. On the subdomains, the user can upload custom JS and CSS. What I'm wondering about is if token authentication on the root domain will be safe if stored in Ember from the custom JS people could upload and run on their subdomains?
Provided the following:
Don't use cookies on *.domain.com or use cookies at all.
They can't run (or really display it unescaped in any way) the JS/CSS on your main site.
The ember app with your token doesn't run on their sub-domain (obviously).
They can't put HTML in a file with a different extension or even Content-Type on your subdomain (or you aren't using cookies). They could direct a user's web browser there and it'd display the HTML. Be wary of phishing though (looks like it's your secure content). I can't imagine you could prevent this easily other than not using cookies -- without 100% ensuring properly formatted JS/CSS which would present all kinds of problems.
You can limit cookies to domain.com and www.domain.com, but I don't recommend it (prone to mistakes). If you don't somebody can make a GET request through CSS or ie. an image tag (not to mention JavaScript) and it'll send the authenticated cookies to your server. Remember unescaped input in their app can leave holes too.
If your token is stored in ember, and they have access to custom JS where the app is running of course it'll leave your token vulnerable. If you run your ember app only on the www.domain.com, avoid cookies, storing the token only locally/in JS, you might be okay.
If they just put HTML code in a file with another extension and direct people there it'll be interpreted as HTML.
Is it possible to display a different url than the actual url for bookmarking purposes?
Here's why, web site a.com is live and being use for administrative purposes that have not been added to the new site. So when a user visits a.com, they are redirected to a_new.com. But a_new.com is temporary and will eventually become a.com so I need users to be able to to bookmark a.com even though they are at a_new.com.
Makes sense?
Cool,
Thanks,
W
NO
And this is a good thing (though it won't help you)
For example if user visits www.goodsite.com
And goodsite is a good site but vulnerable to script injection. So an evil hacker changes the bookmarking property of goodsite.com to evilsite.com
Next user who bookmarks the site is in for a surprise.
The best thing to do I think would be when the new domain comes up set up a redirect on the pages of the temporary domain
I'm planning the development of a website which will use parked domains to allow a single code base to drive multiple locale versions of a website.
What I have in mind is, when my index page is loaded to query my database to see if that particular host name has been added to a white list via a bespoke administration system. If so, the resultant row of site information (name, domain, locale etc.) is stored in a session variable.
My question is: if I did store this row in the session, would that session then be available to all of the other "sites" too (which I don't want)?
My thoughts for storing this information in the session were so I didn't have to query my database on each page for the site details. But if sessions are accessible by all parked domains, I'll have to re-factor my authentication handler too as that uses sessions (unrelated, I know!).
Thanks in advance.
Sessions usually rely on cookies, the browser will only send a cookie if the domain it was set from matches the domain of the resources you are requesting. So even if you're using the same code for all your various domains as long as that code is being referenced by different URLs you will be fine.
There´s a way to make session acessible to all parked domains and sub-domains.
I´m looking for an answer, and I didn´t found... But I wrote some code thats resolved this issue:
session_set_cookie_params(0,"/",$_SERVER["SERVER_NAME"]);
$_SESSION['session.cookie_domain'] = $_SERVER["SERVER_NAME"];
Good Luck for all future finders!