Is session data accessible by all parked domains on a host? - localization

I'm planning the development of a website which will use parked domains to allow a single code base to drive multiple locale versions of a website.
What I have in mind is, when my index page is loaded, to query my database to see if that particular host name has been added to a whitelist via a bespoke administration system. If so, the resultant row of site information (name, domain, locale etc.) is stored in a session variable.
My question is: if I did store this row in the session, would that session then be available to all of the other "sites" too (which I don't want)?
My thoughts for storing this information in the session were so I didn't have to query my database on each page for the site details. But if sessions are accessible by all parked domains, I'll have to re-factor my authentication handler too as that uses sessions (unrelated, I know!).
Thanks in advance.

Sessions usually rely on cookies, and the browser will only send a cookie if the domain it was set from matches the domain of the resource you are requesting. So even if you're using the same code for all your various domains, as long as that code is being referenced by different URLs, you will be fine.
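The browser-side matching rule this answer relies on, as an added example that is not part of the original post: it models RFC 6265 domain matching and the host-only flag a cookie gets when set without a Domain attribute, then shows that two parked hostnames served by one code base each get their own PHPSESSID. The hostnames and cookie values are constructed for the illustration.

```ruby
# Added example (not from the original post): the browser-side rule that decides
# whether a stored cookie is sent with a request (RFC 6265 section 5.1.3 domain
# matching plus the host-only flag a cookie gets when set without a Domain attribute).
# The cookie names and hostnames below are constructed for the illustration.
Cookie = Struct.new(:name, :value, :domain, :host_only)

# RFC 6265 5.1.3: the host equals the domain or ends with ".domain" (and is not an IP).
def domain_match?(host, domain)
  host = host.downcase
  return true if host == domain
  host.end_with?(".#{domain}") && host !~ /\A\d+(\.\d+){3}\z/
end

# Store a Set-Cookie received from `set_from`; `domain_attr` is the optional Domain= value.
# A response may only set a cookie for its own host or a parent of it, never a sibling.
def store_cookie(name, value, set_from, domain_attr = nil)
  host = set_from.downcase
  return Cookie.new(name, value, host, true) if domain_attr.nil?        # host-only cookie
  domain = domain_attr.downcase.sub(/\A\./, "")                          # leading dot is ignored
  raise ArgumentError, "#{host} may not set a cookie for #{domain}" unless domain_match?(host, domain)
  Cookie.new(name, value, domain, false)
end

# Would the browser attach this cookie to a request for `host`?
def sent_to?(cookie, host)
  cookie.host_only ? host.downcase == cookie.domain : domain_match?(host, cookie.domain)
end

# The "name=value" pairs a request to `host` would carry, for a jar shared by parked domains.
def cookies_for(jar, host)
  jar.select { |c| sent_to?(c, host) }.map { |c| "#{c.name}=#{c.value}" }
end

if __FILE__ == $0
  # One PHP code base serves two parked hostnames; each PHPSESSID is host-only.
  jar = [
    store_cookie("PHPSESSID", "abc", "www.site-fr.example"),
    store_cookie("PHPSESSID", "def", "www.site-de.example"),
    store_cookie("lang", "de", "www.site-de.example", ".site-de.example"),
  ]
  p cookies_for(jar, "www.site-fr.example")   # ["PHPSESSID=abc"]
  p cookies_for(jar, "shop.site-de.example")  # ["lang=de"]: Domain=.site-de.example covers subdomains
end
```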

There's a way to make the session accessible to all parked domains and sub-domains.
I was looking for an answer and didn't find one... But I wrote some code that resolves this issue:
// Must be called before session_start(): scope the session cookie to the host serving the page
session_set_cookie_params(0, "/", $_SERVER["SERVER_NAME"]);
ini_set('session.cookie_domain', $_SERVER["SERVER_NAME"]); // same effect via the ini setting
session_start();
Good luck to all future finders!

Related

Must be a top private domain

I'm learning about Google OAuth, and it says that my project has no appropriate credentials.
So I go to the Developers Console and click on the OAuth consent screen. I type my domain name into their question:
"Authorized domains: To protect you and your users, Google only allows applications that authenticate using OAuth to use Authorized Domains. Your applications' links must be hosted on Authorized Domains."
I have verified my domain, but I get "Must be a top private domain." The link takes me to some kind of java programming statement. Actually if I click on the Domain verification tab (again) there are no domain names listed, but I know I added it.
Q: How do I add my domain for being used with OAuth? Must I qualify it as a Top Private Domain or am I going down a rabbit hole?
Google OAuth requires a top level domain for security purposes. A top level domain is the first one before the .com, .net, .biz; in other words, it only has one dot. There are exceptions such as .co.uk.
Subdomains are controlled by the parent domains and are not necessarily owned or controlled by you. Imagine you have a WordPress account at domain.wordpress.com. WordPress closes your account and returns the domain to inactive. A different user claims the user and domain.wordpress.com. If Google allowed subdomains they would be forced to believe the new user was you (since there is no requirement of public notification of the change).
Edit (a more generalized statement in response to a comment).
If you own the domain, you have full control over it, and the ownership records are public. Proving your virtual identity as owner of the domain when subscribing to many services requires a DNS record, created by you from a challenge issued by the provider, which the provider can read before services are created. In the event of a change in ownership the original claimant, you, is sent a new record to the provided email address to add to your DNS server to prove you still own the domain. If you cannot prove you still maintain ownership of the name, as in the case of an expired domain hijack, all services are canceled.
Edit
The most probable problem is: Your domain verification is failing.
Start the verification process again. This will give you a new TXT record to add to your DNS.
Go to your DNS providers page and add the record. While there look for the refresh value on the SOA record.
Convert the SOA refresh from seconds to hours. Divide by 3600.
Wait that amount of time + 4 hours for replication.
Use nslookup (or dig) and look for the TXT record. Be sure to use Google's DNS server at 8.8.8.8 (server=8.8.8.8).
If the record is not found, wait some more; if (hours waiting > 72) break; else repeat the check.
If nslookup was able to find the record, complete the verification process; if not, contact your DNS provider (the client record hold can be an issue).
If at this point everything went well, you should have an authorized domain.
If not (domain disappears, contact Google support), it may have to do with the privacy settings on the domain. Most quote public domains have contact information.
You must use a TLD (top level domain). If you have a subdomain, it is owned by the person who owns the TLD. For example, you might have a blog at myamazingblog.wordpress.com, and wanted to use OAuth with it. Unfortunately, this would not be possible, since you do not own wordpress.com (the TLD).
Try testing on a different device or clearing cache.
For me it turned out I had everything correct (just with my example.com domain) but my iOS Safari was caching something and it kept giving me the 'not whitelisted' message. Which led me to think I needed to add dev.example.com as well - which isn't necessary.
So try going to the site on another device or browser to see if it works.

TYPO3: How to share session / cookies between domains (one for each language)?

I wonder if there's a way to tell TYPO3 to share the sessions / cookies between different domains?
We wrote an Extbase extension on a multi language / multi domain site.
We store search words from a search form in the user session. If the user switches the page language, he should get the same results as before - without the need to re-fill the search form.
One way would be to tell the browser to store several cookies at the same time - one for each domain/language. How can this be achieved with TYPO3 / Extbase?
By default, there is no way to set cookies for a different domain - not with or without TYPO3. This is a security measure implemented in every browser (or do you want me to set / read your cookies from yourbank.com when you visit my web site? ;-))
You have to create some helper script that does this for you. One way could be:
example.com is loaded
this page includes an iframe to a PHP script (or TYPO3 site, e.g. with eID) on example.org with a GET parameter carrying the session id
the script loaded from example.org reads the GET parameter and sets a cookie with that session id (or whatever parameter you want to transfer).
afterwards the cookie is also available when browsing example.org
I have never tried this, but I'm pretty sure it will work with PHP. Maybe it's even possible with pure JavaScript, but I'm not so sure. In any case, think about what security holes you get with the explained script. If in doubt, sign the parameters (or require a token)!

Delete Rails session cookies from Wordpress and vise versa

We are designing an application that will use Rails and Wordpress to interact with each other. We would like to have a universal logout where you could log out from either application and it would delete cookies from the other app. They will share the same host and top-level domain. Is there a way to do this?
Access to a cookie is dependent on the domain of the server attempting to read the request -- and potentially the domain specified in the cookie. So assuming the domains match (e.g. www.example.com and www.example.com on both blog and Rails app) either should have access to a cookie set by the other.
If this is not the case (e.g. blog.example.com, www.example.com), you'll need to make sure when the cookie is set in either place, it's set for the entire domain (e.g. .example.com). But this doesn't help: while Rails can delete WP's cookie, and vice-versa, the method for creating (and using) them needs to be mutually understood.
So there's a twist here, since this is a session cookie; in this case, the cookie (which either app should have access to) is setting a value that is used and interpreted on the server side, where sessions are managed. WordPress and Rails both use different methods and look for different cookies.
A solution (idea) would be to have one or the other subsystem catch incoming requests (most likely WP, and probably through some .htaccess RewriteRule, assuming you're using Apache) and create an intermediate cookie that the other could check that provides sufficient proof that the user has logged in correctly. WP's PHP for this is pretty good, and easily extended -- you just need to create some token that's a shared secret between the two apps (one of the values in wp-config.php such as LOGGED_IN_KEY might be a good option).
Maybe a solution would be to take the publicly available value from the WP cookie for username, and append the shared secret value and (in both systems) create an MD5 hash to store in a cookie. In this case, Rails' authentication would subordinate to WP's, so you would need to make sure Rails knew to delegate things like forgotten password, changed password, etc, to WP's mechanisms.
Obviously I am thinking aloud, but maybe this is a path to consider.
In any case, this is preferable to having both systems know how to trust the other's authentication.
Fiddling with cookie deletion appears to be dirty and error prone.
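A signed hand-off token that serves two passages at once: the "sign the parameters" advice for the iframe session transfer in the TYPO3 answer above, and the intermediate login cookie suggested here. This is an added example, not code from either answer; it swaps the suggested MD5(username + secret) for HMAC-SHA256 with an expiry, and SHARED_SECRET is a placeholder (in WordPress you would take a value such as LOGGED_IN_KEY).

```ruby
require "openssl"
require "securerandom"

# Added example (not from the original posts): a signed, expiring token one domain
# can hand to another, as the GET parameter in the iframe hand-off or as the
# intermediate cookie between WordPress and Rails. HMAC-SHA256 over value+expiry
# replaces plain MD5(username+secret). SHARED_SECRET is a constructed placeholder.
SHARED_SECRET = "replace-with-a-long-random-secret".freeze
TOKEN_TTL = 60 # seconds: a hand-off token only has to survive one redirect or iframe load

def hmac_hex(secret, data)
  OpenSSL::HMAC.hexdigest("SHA256", secret, data)
end

# Constant-time comparison so the verifier does not leak how many bytes matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# token = base64url(payload|expiry) "." hex(HMAC(secret, base64url(payload|expiry)))
def make_token(payload, secret, now = Time.now.to_i)
  body = ["#{payload}|#{now + TOKEN_TTL}"].pack("m0").tr("+/", "-_")
  "#{body}.#{hmac_hex(secret, body)}"
end

# Returns the payload, or nil if the signature is wrong or the token is malformed/expired.
# The short TTL limits replay; for strict one-shot use, also record consumed tokens.
def verify_token(token, secret, now = Time.now.to_i)
  body, mac = token.to_s.split(".", 2)
  return nil if body.nil? || mac.nil? || !secure_equal?(mac, hmac_hex(secret, body))
  payload, sep, exp = body.tr("-_", "+/").unpack1("m0").rpartition("|")
  return nil if sep.empty? || now > exp.to_i
  payload
rescue ArgumentError # strict base64 decoding rejects a corrupted body
  nil
end

if __FILE__ == $0
  # 1. example.com hands its session id to example.org via ?t=<token> in the iframe URL.
  sid = SecureRandom.hex(16)
  puts verify_token(make_token(sid, SHARED_SECRET), SHARED_SECRET) == sid # true
  # 2. WordPress sets the intermediate cookie; Rails checks it before trusting the login.
  login = make_token("alice", SHARED_SECRET)
  p verify_token(login, "wrong-secret")                         # nil: bad signature
  p verify_token(login, SHARED_SECRET, Time.now.to_i + 3600)    # nil: expired
end
```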
You might rather want to have a look at auth providers and the according plugins such as:
OAuth (WP - Rails; maybe make either side an OAuth provider)
CAS (WP - Rails)
LDAP (WP - Rails)
...
Maybe it's an option to switch from WP to one of the Rails CMSes like:
Refinery CMS
Typo
...

How to identify unique clients in Rails or with a preferred Ruby Gem?

Trying to figure out how to identify unique users properly with cookies and perhaps coupling that with the public IP.
What's the suggested path to follow in this regard? (I'm open to a standard Rails method or leveraging another Ruby Gem if that's more elegant.)
On the topic of cookies, which is the proper way to retrieve client cookies in Rails 3.x+? I have been using cookies, but it seems that request.cookies also works. What is the difference / preference when using these two? I've seemingly seen request.cookies fail in some instances; but perhaps it was after clearing out the cookies for the app prior to refreshing and working with it in the console.
Also, do cookies have a unique ID that can be utilized to identify clients uniquely?
Essentially my goal is to count visits per unique visitor to a site. I am assuming I will need to compare a unique cookie ID and perhaps an IP, but I'm not sure what would be most kosher in this situation.
Ultimately I need to understand how to uniquely identify visitors of the site and then store them in a count or number of visits to the site for that visitor.
For your question on the difference between cookies and request.cookies see
http://www.quarkruby.com/2007/10/21/sessions-and-cookies-in-ruby-on-rails#scvr
It's well explained.

AJAX proxy forwarding shopping basket request to different subdomain, returning session cookie for basket

I have the following problem and I didn't really find information specific enough for my particular situation, so please don't kill me if this is a dupe:
There is a webshop running under www.theshopdomain.com and I cannot modify any of the source there. I only have an AJAX API for adding products to a basket.
Then I have a satellite shop that features a subset of products and runs under subdomain.shopdomain.com.
To add products to the cart under www.theshopdomain.com, the subdomain must call the AJAX API. So far so easy, now the real problem:
When the first request with "addProduct" is called, this request must create a session on the main shop domain on behalf of the user, so that I am able to link to the main shop and the user will see his selections on the subdomain and is able to check out on the main domain.
The subdomain runs a Rails application and now somehow this Rails app must forward the request, and still somewhere along the way a session must be created on the main system to be used in the forwarded request.
How would you proceed on this? I'm not sure in which direction I'm supposed to look. The iframe hacks apparently don't work, since I can't modify stuff on the main domain.
Thanks for any possible help or directions,
Anton
OK, problem solved. I managed to get an HTML file saved on the main domain's server and used the well documented iframe solution.