PHP在一个域中登录，然后在另一个域中使用会话

Question

So I have this variable I must send to another website. How can I send it in a way that user can't change it? It like an account id, for a login session, since the user logs in through Steam, he doesn't need to enter a password(at least on the site). I need to pass his account id to another domain securely. By securely I mean, I don't care if he sees it as long as he can't change it no matter what. is there any way of doing this? The reason I can't let them log in directly in the first website is because steam has flagged it, like it did to a lot of sites that has ref codes. So the user is kinda not able to log in cause in the warning the "continue anyways" button is so tiny that many users don't even see it. So I made like big sites did, bought another domain and redirected the login to it. This other site is not blacklisted so the login can go normally.

Answer 1

That issue seems a bit challenging, I mean I would do it through an api request. Got to be that way. Probably somebody spices that task a bit more

But that is the way to communicate between two domains, via curl calls and therefore you need TO BUild an api for it. The redirection is an issue there probably via js-ajax.

[Edit] Redirect users to the second site (php Header), once in the second site, do the login, that is, authenticate and populate the session variable through curl requests to the first site

Answer 2

I would look into using CURL to authenticate and get a response back from the authenticating domain to use on the origin domain.

origin.com/authenticate-user.php

 $ch = curl_init('http://authenticator.com/authenticate-user.php'); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(array('steam_id' => $_SESSION['steam_id']))); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HEADER, false); curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true); $response = curl_exec($ch); curl_close ($ch); $_SESSION['user_valid'] = $response; 

authenticator.com/authenticate-user.php

 //optional conditions to test origin or requesting source to prevent cross-site attacks. if (isset($_POST['steam_id']){ //..validate user here echo 1; } else { echo 0; } 

This would make the request sent by your server instead of the client, and unchangeable by the user. It will also only require you to manage a session from one domain instead of two, since all the authenticator does is process the information sent to it. Not sure why a session would need to be set on the authenticating domain though, if you can give a scenario it would be needed. You can also change the response to anything you like, serving the entire webpage if desired.

---

Another option is to use cookies as opposed to sessions. Cookies can be shared cross-domain by allowing it within your API processor via CORS and an XMLHttpRequest (ajax). But anything being sent via XMLHttpRequest can be stopped and manipulated by the user.

• CORS PHP: https://developer.mozilla.org/en-US/docs/Web/HTTP/Server-Side_Access_Control
• Example: http://arunranga.com/examples/access-control/credentialedRequest.html