
logged-in session on subdomain

I'm currently facing the following problem:

A main domain is running a particular PHP framework with framework-specific sessions; now there is a new subdomain, which runs a different PHP framework, and I need to share the login session information from the main domain with the subdomain. I.e. users only register on the main domain, but once logged in, they will also be logged into their account on the subdomain. It should also be noted that the subdomain cannot have access to the main domain DB.

With these restrictions, I came up with the following solution: first I set the cookie domain to .mydomain.com, so I can access the session cookie on the subdomain. Next I implement a simple API call on the main domain, which returns the logged-in status as well as other session information. The API URL will have an IP whitelist limited to the subdomain server, and once a logged-in user comes from the main domain to the subdomain, the API URL is requested server-side with the user's cookie (cURL presumably). Once and if the user is authenticated this way on the subdomain, he is assigned a token for that particular session, and from there on I can manage it as a regular and separate session on the subdomain.

Now my question is whether you can see any flaw, security-wise, in this setup? Or suggest any improvements or a more preferable way to do this...

Thanks

For me, I think I will use the single sign-on concept. Once the user logs in through any of the domains or sub-domains, generate an access token for that user and sign them in. After that, use that same access token to check and authenticate the user for the different domain names, instead of using separate sessions. This might lead to session hijacking and make multiple sessions difficult to manage. Once the session is created, allocate the access token, with access rules. This will make the sign-in process seamless and easy to manage as well.

For more information, search for Single Sign-On or the OAuth 2.0 protocol.
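The answer above describes the idea (one token issued at login, verified by each host) without code, and the question asks for a more preferable way than forwarding the user's main-domain cookie to an IP-whitelisted API. The following is an added example from the editor, not code from the poster, the answerer, or either PHP framework: the main domain mints a short-lived, single-use HMAC-signed handoff token naming the target subdomain; the subdomain verifies it with the shared secret alone (no DB access, no callback) and then starts a session of its own. Python is used so the flow can be run as-is; the same steps map onto PHP's hash_hmac() and hash_equals(). The shared secret, hostnames, 60-second TTL and in-memory session store are all assumptions for illustration.

```python
"""Signed SSO handoff from a main domain to a subdomain (editor's added example).
Neither host reads the other's database, and the subdomain never sees or
forwards the main-domain session cookie."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed values, not from the original thread: one secret deployed on both
# servers (load it from a secret store in production) and stand-in hostnames.
SHARED_SECRET = b"replace-with-32-random-bytes-from-a-secret-store"
TOKEN_TTL_SECONDS = 60           # handoff tokens are short-lived and single-use
MAIN_HOST = "www.mydomain.com"
SUB_HOST = "app.mydomain.com"
SUBDOMAIN_SESSIONS = {}          # the subdomain's own in-memory session store


class HandoffError(Exception):
    pass


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_handoff_token(user_id: str, audience: str, now: Optional[float] = None) -> str:
    """Main domain: after local authentication, issue a token bound to the user,
    the target subdomain (aud), an expiry and a random nonce (replay detection)."""
    issued = int(now if now is not None else time.time())
    payload = {"sub": user_id, "aud": audience, "iss": MAIN_HOST, "iat": issued,
               "exp": issued + TOKEN_TTL_SECONDS, "nonce": secrets.token_urlsafe(16)}
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(SHARED_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_handoff_token(token: str, expected_audience: str, seen_nonces: set,
                         now: Optional[float] = None) -> dict:
    """Subdomain: check the MAC in constant time before trusting any field,
    then audience, expiry and single use. Raises HandoffError on failure."""
    try:
        body, tag = token.split(".", 1)
        given = _unb64(tag)
    except (ValueError, binascii.Error):
        raise HandoffError("malformed token")
    expected = hmac.new(SHARED_SECRET, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        raise HandoffError("bad signature")
    payload = json.loads(_unb64(body))
    current = now if now is not None else time.time()
    if payload.get("aud") != expected_audience:
        raise HandoffError("token issued for a different audience")
    if current >= payload["exp"]:
        raise HandoffError("token expired")
    if payload["nonce"] in seen_nonces:
        raise HandoffError("token replayed")
    seen_nonces.add(payload["nonce"])
    return payload


def start_subdomain_session(payload: dict) -> tuple:
    """Subdomain: mint its own random session id; the handoff token is never
    reused as the session credential. The cookie is host-only (no Domain
    attribute), so it is not sent to the main domain or sibling subdomains."""
    session_id = secrets.token_urlsafe(32)
    SUBDOMAIN_SESSIONS[session_id] = {"user": payload["sub"], "created": payload["iat"]}
    return session_id, f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def _rejected(token: str, audience: str, seen: set, now: float) -> bool:
    try:
        verify_handoff_token(token, audience, seen, now=now)
        return False
    except HandoffError:
        return True


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run one handoff, then show the checks that stop replay, tampering,
    expiry and a token minted for a different subdomain."""
    seen = set()
    token = mint_handoff_token("user42", SUB_HOST, now=now)
    payload = verify_handoff_token(token, SUB_HOST, seen, now=now + 5)
    session_id, cookie = start_subdomain_session(payload)
    tampered = ("A" if token[0] != "A" else "B") + token[1:]   # flip one body char
    foreign = mint_handoff_token("user42", "other.mydomain.com", now=now)
    return {
        "user": SUBDOMAIN_SESSIONS[session_id]["user"],
        "cookie_host_only": "Domain=" not in cookie,
        "replay_rejected": _rejected(token, SUB_HOST, seen, now + 6),
        "tamper_rejected": _rejected(tampered, SUB_HOST, set(), now + 5),
        "expiry_enforced": _rejected(token, SUB_HOST, set(), now + TOKEN_TTL_SECONDS),
        "audience_enforced": _rejected(foreign, SUB_HOST, set(), now + 5),
    }


if __name__ == "__main__":
    print(demo())
```

In practice the main domain would append the token to the redirect URL (or POST it) when sending the user to the subdomain, and the subdomain would consume it once. Two points this design changes relative to the setup in the question: a cookie scoped to .mydomain.com is sent to every host under the domain, so the main-domain session credential is exposed to each of them, whereas the token above is bound to one audience and the subdomain's own cookie stays host-only; and because verification is a local MAC check, there is no API endpoint whose safety rests on an IP whitelist, which is fragile once requests pass through proxies or load balancers. The nonce set should live in shared storage (e.g. Redis) if the subdomain runs more than one instance, and the shared secret should be rotated like any other credential.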

